Shields Up: Preparing for Cyberattacks During Ukraine Crisis

SonicWall provides real-time protection against HermeticWiper malware and Conti ransomware expected during escalating conflict in Ukraine.

With the recent escalation of events in Ukraine and the resulting sanctions imposed by various Western administrations, there is a dramatically heightened risk of cyberattacks on organizations in the United States, Europe and elsewhere.

State-sponsored threat actors and other cybercriminals will be actively targeting the U.S. and other businesses in an attempt to interfere with their operations, steal or destroy data, and damage infrastructure.

Your organization needs to have a heightened sense of awareness and security during this crisis.

In January 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Alert (AA22-011A): Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA also began urging U.S. organizations to prepare for data-wiping malware attacks (more below).

At that time, the “Ukraine Cyber Police say they are investigating the use of Log4j vulnerabilities and stolen credentials as another means of access to the networks and servers,” according to Bleeping Computer.

On Feb. 18, CISA shared that the New Zealand National Cyber Security Centre (NCSC-NZ) released a General Security Advisory (GSA) on preparing for cyber threats relating to tensions between Russia and Ukraine.

CISA: Time to ‘Shield Up’

It is critical that you take preemptive measures in anticipation of a surge in cyberattacks targeting your business or organization. CISA has published ‘Shields Up,’ helpful guidance for organizations of all sizes and their leaders. Some of the steps detailed by CISA include:

  • Reduce the likelihood of a damaging cyber intrusion.
  • Take steps to detect a potential intrusion quickly.
  • Ensure your organization is prepared to respond if an intrusion occurs.
  • Maximize your organization’s resilience to a destructive cyber incident.

Other important steps can make a big difference in deterring and/or detecting attacks, such as setting robust inbound policies on your network perimeter (e.g., preemptively blocking connections or sign-ins originating from Russia or other risky nations) and otherwise taking a highly cautious approach to all inbound traffic, even if it means trading off some performance for security.
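The inbound-policy idea above (deny connections or sign-ins whose source address geolocates to a blocked country, while allowlisting known partners and deciding explicitly what to do with addresses that cannot be geolocated) can be checked against your own sign-in logs before you commit it to the perimeter. The following is an added illustration, not SonicWall code and not a description of any SonicWall feature: the CIDR-to-country table, the allowlist and the log lines are all constructed for the example (the table uses the RFC 5737 documentation ranges and labels them with made-up country codes), and a real deployment would use the firewall's geo-IP feed or a maintained GeoIP database instead.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Optional, Set, Tuple

# Constructed, illustrative CIDR -> country table (hypothetical labels on the
# RFC 5737 documentation ranges). Replace with a maintained GeoIP source.
GEOIP_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),   # TEST-NET-3, labelled RU here
    (ipaddress.ip_network("198.51.100.0/24"), "BY"),  # TEST-NET-2, labelled BY here
    (ipaddress.ip_network("192.0.2.0/24"), "US"),     # TEST-NET-1, labelled US here
]

# RFC 1918 space: traffic from inside the perimeter is never geo-blocked.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy inputs (constructed): countries to deny, and hosts exempt from the rule.
BLOCKED_COUNTRIES: Set[str] = {"RU", "BY"}
ALLOWLIST: Set[ipaddress.IPv4Network] = {ipaddress.ip_network("203.0.113.77/32")}  # e.g. a known partner


def country_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix-free lookup: first matching range wins (table is disjoint)."""
    for net, cc in GEOIP_TABLE:
        if ip in net:
            return cc
    return None


def decide(src: str,
           blocked: Set[str] = BLOCKED_COUNTRIES,
           allowlist: Set[ipaddress.IPv4Network] = ALLOWLIST,
           deny_unknown: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason) for one IPv4 source address.

    Order of evaluation matters: internal and allowlisted sources are decided
    before any geolocation, so a partner host inside a blocked country still
    gets through. Addresses with no geo match are the trade-off knob: with
    deny_unknown=True the policy is strict (the 'highly cautious' stance),
    at the cost of also dropping legitimate traffic the table does not know.
    """
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in INTERNAL_NETS):
        return ("allow", "internal")
    if any(ip in net for net in allowlist):
        return ("allow", "allowlisted")
    cc = country_of(ip)
    if cc is None:
        return ("deny" if deny_unknown else "allow", "unknown-geo")
    if cc in blocked:
        return ("deny", f"geo-block:{cc}")
    return ("allow", f"geo:{cc}")


SRC_RE = re.compile(r"\bsrc=(\S+)")

# Constructed sign-in log lines in a simple key=value format (not real data).
SAMPLE_LOG = [
    "2022-02-24T03:12:09Z src=203.0.113.5 user=admin action=login",
    "2022-02-24T03:12:11Z src=192.0.2.44 user=jsmith action=login",
    "2022-02-24T03:12:15Z src=10.20.30.40 user=svc-backup action=login",
    "2022-02-24T03:12:20Z src=203.0.113.77 user=partner action=login",
    "2022-02-24T03:12:25Z src=198.18.0.9 user=guest action=login",
]


def evaluate_log(lines: Iterable[str], deny_unknown: bool = False) -> List[Tuple[str, str, str]]:
    """Apply the policy to each log line that carries a src= field."""
    results = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than guess
        src = m.group(1)
        verdict, reason = decide(src, deny_unknown=deny_unknown)
        results.append((src, verdict, reason))
    return results


def summarize(results: List[Tuple[str, str, str]]) -> Counter:
    """Count verdicts so the impact of a policy change can be compared."""
    return Counter(verdict for _, verdict, _ in results)


if __name__ == "__main__":
    for strict in (False, True):
        res = evaluate_log(SAMPLE_LOG, deny_unknown=strict)
        print(f"deny_unknown={strict}: {dict(summarize(res))}")
        for src, verdict, reason in res:
            print(f"  {src:<15} {verdict:<5} {reason}")
```

Running the block dry against a day of real sign-in logs, once with `deny_unknown=False` and once with `True`, shows how much legitimate traffic the stricter setting would cut before the rule goes live; geolocation is coarse, so the allowlist and the unknown-address decision are where most of the operational tuning happens.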

SonicWall strongly urges that your organization be in touch with your internal and external cybersecurity professionals and resources to ensure that you are as prepared as you can be for the inevitable increase in cyberattacks.

SonicWall also stresses the importance of layered defenses, like IPS, email security, two-factor authentication and real-time sandboxing, such as Capture ATP with RTDMI. With a defense-in-depth strategy in place, your organization will be better prepared to detect the impact of a zero-day attack or other targeted threats.

SonicWall Protections Against Notable Cyberattacks

Zero-day attacks are becoming a common threat. While they may exploit previously unknown weaknesses, defenders have the advantage of being able to detect anomalous activity in real time, and to contain and recover before destructive zero-days disrupt your business or organization.

SonicWall actively protects organizations from cyberattack types known or feared to be used during the Ukraine-Russia conflict.

HermeticWiper Malware

SonicWall helps organizations proactively defend against emerging threats like HermeticWiper. For instance, SonicWall Capture ATP, with RTDMI, detected HermeticWiper as documented in our SonicAlert, “HermeticWiper Data-Wiping Malware Targeting Ukrainian Organizations.”

HermeticWiper Malware Signature Protection

  • GAV: HermeticWiper.A (Trojan)
  • GAV: HermeticWiper.A_1 (Trojan)

Conti Ransomware

The Conti ransomware gang publicly announced that they would attack any organization that launched a cyberattack against Russian infrastructure. As such, it’s important that organizations have protection against Conti ransomware. Both SonicWall Capture ATP with RTDMI and active SonicWall firewalls with current signatures protect against Conti ransomware.

Conti Ransomware Signature Protection

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Conti.RSM_5 (Trojan)
  • GAV: Conti.RSM_6 (Trojan)

PartyTicket Ransomware

SonicWall Capture Labs analyzed the PartyTicket ransomware, believed to be deployed in conjunction with the aforementioned data-wiping HermeticWiper malware, in the SonicAlert, “A Look at PartyTicket Ransomware Targeting Ukrainian Systems.” The ransomware arrives as a Windows executable file, but overall appears to be unsophisticated ransomware created quickly to take advantage of the current climate.

SonicWall customers are protected from the PartyTicket ransomware variant via the below signature, as well as by real-time Capture ATP with RTDMI and Capture Client endpoint protection.

PartyTicket Ransomware Signature Protection

  • GAV: PartyTicket.RSM (Trojan)

For additional information, please visit sonicwall.com/support or the SonicWall Capture Labs Portal. You may also join discussions on the SonicWall Community.