Network Sandboxing Takes On Malware, More than 26,000 New Strands Identified in August

Malware never sleeps. Threat actors and criminal organizations are relentless in testing, optimizing and deploying exploit kits that target businesses and organizations across the globe. August 2017 was no different.

In fact, the month presented SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP), with a few milestones.

First, the Capture ATP service celebrated its first anniversary protecting customer systems across the globe. Second, according to some sources, it surpassed install base figures of some of our competitors. Finally, the service also broke its own record for the number of new forms of malware it discovered and stopped on our customer networks.

How many? 26,438 to be exact!

This means that nearly 26,500 forms of malware — ranging from ransomware, to other Trojans, to Malvertising — were never seen by SonicWall before this month. Out of this, a little more than 7,100 were identified by one of the numerous anti-virus sources we work with. But over 19,300 were never seen by anyone and this includes a strong list of over 50 vendors including some very large names.

On top of this, last year we cataloged 60 million new forms of malware in order to prevent a patient-zero situation among the customer base. But despite our round-the-clock vigilance, there will always be a customer out there who will find something before we do.

To better eliminate this type of rare event, we created the industry’s first multi-engine network sandbox that can block until verdict, which means a customer can elect to have all unknown files blocked at the gateway until SonicWall can vet the code.

By combining the power of hypervisor-level analysis, full-system emulation and virtualized sandboxing, we have been very successful at finding some of the most evasive forms of ransomware in history, such as Cerber.

By combining the research from SonicWall’s Capture Labs, which place their signatures in SonicWall’s Gateway Security (and other places like Email Security for example) and Capture ATP, customers can stop known and unknown forms of malware. It is the latter group that causes the most fits for security professionals and gives end users with good technology something to brag about.

Since February we’ve seen a large increase in the new malware Capture ATP catches. This momentum stems from an ever-expanding customer base, but also a large rise in the percentage of malicious files that are out there. Here are some key facts:

  • Since February 2017, we’ve seen an increase of 524 percent in the new forms of malware discovered
  • In August 2017, the percentage of malicious files found was .22 percent, which is up from .14 percent
  • We made improvements in our performance and saw that 71.5 percent of all files were processed with a verdict in under 5 seconds

Is network sandboxing right for you? Based on our data, the average Capture ATP customer is on pace to detect and stop 30 new forms of malware within a year.

To learn more about the power of network sandboxing, I encourage you to read this executive brief: Why Network Sandboxing is Required to Stop Ransomware.

Locky, Then WannaCry, Now Petya. Is This The New Normal in Cyber Security?

Updated June 28, 2017

As I type this, news reports continue to roll in about yet the latest massive global ransomware attack. This time, the payload appears to be a ransomware called Petya. SonicWall Capture Labs identified the original Petya variants in 2016. However, this time it appears to be delivered by Eternal Blue, one of the exploits that was leaked from the NSA back in April. This is the same exploit that was used in the WannaCry attack.

Infected systems will initially display a flashing skull, followed by a lock screen:

Once again, the cyber arms race continues to evolve. If I were to boil this down to its essence, what we are now seeing is that cyber criminals are combining exploits and attacks in creative ways that are not necessarily new, but still quite effective. Like mixing cocktails, the ingredients are all well known, but the exact mix can be completely new.

Attack details: SonicWall customers are protected

Today, June 27, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017 Capture Labs analyzed and released protection for the Eternal Blue exploit that Shadow Brokers leaked from the NSA. Also, on June 27, the Capture Labs Threat Research Team issued a new alert with multiple signatures protecting customers from the new Petya Ransomware Family.

Recommendations for SonicWall customers

As a SonicWall customer, ensure that your next-generation firewall has a current active Gateway Security subscription, in order to receive automatic real-time protection from known ransomware attacks such as Petya. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology:

  • Includes signatures against Petya (part of GAV)
  • Protects against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS)

Since SonicWall Email Security uses the same signatures and definitions as Gateway Security, we can block the emails that deliver the initial route to infection. To block malicious emails, ensure all Email Security services are up to date. Since 65% of all ransomware attacks happen through phishing emails, this also needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.

Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI SSL also allows the firewall to examine and send unknown files to the SonicWall Capture Advanced Threat Protection (ATP) service for multi-engine sandbox analysis. We recommend that you deploy Capture ATP in order to discover and stop unknown ransomware variants. Because of the rapid proliferation of malware variants, SonicWall leverages deep learning algorithms to provide automated protection against both known and zero-day threats. The combination of the SonicWall Capture Threat Network and SonicWall Capture ATP sandboxing provides the best defense against newly emerging hybrid attacks such as Petya. As always, we strongly recommend that you also apply the Windows patch provided by Microsoft to protect against the Shadow Brokers leaked exploits as well.  And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network?

“It’s a tragedy.” At least that is what we are told.  Time and time again, when bad things happen, we hear the same things replayed over and over again, or “what could we’ve done to prevent this,” or “we didn’t know.”  In life, this can be an honest reaction to certain things. Some things are left to powers way beyond our mortal control, but that doesn’t apply to the cyber world in this digital age. Exploits are a daily thing; this is not new.  There are more than forty new viruses created every sixty seconds, of every minute, of every hour, of every day.  The “I didn’t know” defense can only play out so long.

This was never truer than just this past week with the incredibly dynamic Ransomware attack – the WannaCry Exploit– in the UK and Spain. Here is what we know, some exploit kits that allegedly were created by certain government agencies was again allegedly stolen and leaked online to the masses. Some elements of these exploit kits were then leveraged in a new extremely aggressive form of Ransomware that leverages a worm-like attack against connected network machines through various read/write functions of the Windows Operating System.  This latest Ransomware variant was then set loose on the world, infected more than 200,000 systems in more than 100 countries, including several healthcare institutions in the United Kingdom, and even a couple of telecommunications companies in Spain. Guess what? It is certainly not the first exploit to leverage this form of attack, and it certainly will not be the last.

It has been for far too long that companies and institutions continue to treat cyber security like it is still the 1990’s. Back then, it was typical for network admins to simply deploy this new technology called a “firewall” behind their router, and then let it sit for months, even years, without so much as logging into the unit. They had no need to. If the unit was up, that was all that mattered. Perhaps they would log into add a new Access Rule or a VPN Policy, but for the masses that was it. It was a terrible practice then; today it a death sentence for the network, and maybe even the career.

Network admins need to alert their senior management, including those C-Level employees, and let them know that security is no longer a back-office job that is performed only when needed. Security has evolved. It is a front office task that demands daily attention. And guess what else? Sometimes that means that there is some heavy lifting involved.

Here is the basic truth: proper security procedures, training, and architecture prevent breaches. This starts with ensuring that all traffic is being inspected, including that pesky encrypted traffic. This can not be a half-baked solution that only inspects partial traffic flows, or has to rely on multiple endpoint clients to alert before identifying threats. Crossing one’s fingers and wishing for the best simply will not do. Only implementing an aggressively secure countermeasure to stop the aggressive advanced persistent threats will protect networks from malicious exploits.

Install a solution that delivers automated security updates, that is fully application aware, has built in intrusion prevention and anti-virus scanning, including encrypted traffic inspection. All of these features, including the fully integrated SonicWall Capture Threat Prevention – a multi-engine cloud-based sandbox for zero-day malware attacks, are included on the SonicWall UTM Appliance and next-generation firewalls. SonicWall customers and partners were protected on April 20, when the SonicWall Capture Labs Threat Network issued a signature for the WannaCry exploit.

Recently, I had the pleasure of sitting down with a business owner of a company that had been breached. It was a typical story. A user’s credentials had been compromised, and unauthorized access through an unprotected RDP session led to devastating consequences.  When questioned why a VPN front-end to the RDP session was not deployed, the response was that it was to many extra configurations to maintain.  When asked what about enabling a two-factor authentication solution to send a text message to users’ phones, the response was it was too complex. What if they forget their phone that day? Then when I am asked why there was a breach, I just WannaCry.

For more information, please read SonicWall’s Ransomware Review and Defeating the Encrypted Threat.
Protect More Fear Less

Announcing New and Enhanced SonicWall Email Security 9.0 with Capture ATP to Detect Zero-Day

Ransomware attacks in 2016 grew by 167x year-over-year to 638 million. As today’s malware and ransomware pose ever evolving malicious, zero-day threats, organizations need to defend their network’s beyond their perimeters. SonicWall introduces a powerful defense: the new SonicWall Email Security 9.0 integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. This unique combination delivers a cloud-based, multi-engine sandbox that not only inspects email traffic for suspicious code, but also blocks ransomware, zero-day and other malicious files from entering the network until a verdict is reached. This release is available in cool new SonicWALL hardware appliances, virtual appliances and Hosted Email Security service.

In his blog our President and CEO Bill Conner, highlighting SonicWall’s 2017 Annual Threat Report, points out that email is a highly vulnerable attack vector for cyber criminals. Employees fall victim all too often to ransomware, phishing and unknown threats. The enhanced SonicWall Email 9.0 with Capture cloud-based sandboxing technology detects these advanced threats. It scans a range of email attachment types, analyzes them in a multi-engine sandbox, blocks them until reviewed by an administrator, and rapidly deploys remediation signatures. Signatures for newly discovered malware are quickly generated and automatically distributed across the SonicWall GRID Threat Network, preventing further infiltration by the malware threat. We offer organizations a choice of administrative options ranging from removing an offending email attachment to blocking an entire message. The result is higher security effectiveness and faster response times.

Innovative features of SonicWall Email Security 9.0 include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, for fine-grained inspection of SMTP traffic
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionalities to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails for SonicWall Hosted Email Security environments
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security hardware appliances, helping customers to better face threats delivered by email.
  • Encryption Protection: Supports not only SMTP Authentication, but also the encryption service feature enables any email containing protected data to be automatically encrypted, routed for approval or archived.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.

“As a loyal SonicWall channel partner, we at Napa Valley Networks were thrilled to see SonicWall resume operations as a standalone cybersecurity company and go back to its roots of driving a deeper focus on technological innovation,” said Julie Neely, founding partner of Napa Valley Networks. “SonicWall Email Security 9.0 with Capture Advanced Threat Protection Service is a clear demonstration of the company’s continued commitment to better serving its channel partners.”

“With the continued onslaught of ransomware, malware and other cyber-attacks, our customers are looking to us to provide them with solutions that allow them to spend more time conducting day-to-day business while staying abreast of the threat landscape. SonicWall allows our engineers, and most importantly our customers, to sleep at night! At Sterling Computers, our mission is to help government and education customers get the most out of their tech infrastructure,” said Steve Van Ginkel, Sterling Computers’ vice president of Business Development & Partner Alliances.

“KHIPU Networks Limited have been using the SonicWALL Email Security software/appliance for over 10 years,” said Andrew Brimson, Managing Director, KHIPU Networks Ltd. “Email Security has been instrumental in protecting our business interests from threats and attacks as well as protection against data leakage. We have found the SonicWALL Email Security software easy to configure, good for reporting and tailorable to our changing requirements.”

Learn more and download the SonicWall Email Security 9.0 data sheet and see all of the enhancements.

SonicWall Capture ATP Stands Up Against Malware Test

What would happen if you gathered five days of newly discovered malware and unleashed it upon an end-point protected by SonicWall?

I have been working with SonicWall firewalls for 10 years, and I was beta testing SonicWall Capture as part of my role here as an escalation engineer. Since we are big believers in drinking our own champagne, I was testing on my home network. I logged in and stared at it for days but it just did nothing. I was starting to get concerned. Did it just not work? Was there a bug? I was sure it was configured properly, but still – nothing. Then I realized I was not downloading anything malicious enough to trigger it. My wife does Facebook and the banking I hangout on sites like The cat does hop on the keyboard at times but other than that, we’re not downloading much malware.

I hatched a plan to download as much malware as possible. I scoured the internet and found a python script that did exactly this. It was a bit broken and I had to hack it up a bit to make it work, but in no time I was downloading thousands of potential viruses at a time. Super excited, I logged back in and navigated to the Capture feature and found that it actually did something: it analyzed two files and tagged them as clean.

This was making me sad, so I started digging a little deeper. After combing through the logs, I determined that the vast majority of what I was trying to download was being caught by all the other security services. As an example, some of the files were hosted on known botnets so they were blocked by the botnet filter before they even had a chance to hit the Capture engine. I turned off all the security things and ran my script again.

Once again, I logged into Capture with my fingers crossed and lo and behold, this thing was lit up like a Christmas tree. “OK so now I know it works,” I thought to myself. Next, I dug around a little bit and once I was satisfied, I shut my script down. Every time I tested a new firmware version I fired up the script to verify that it worked and then shut it down again.

A few weeks ago I was running the script, putting SonicWall Capture Advanced Threat Protection (ATP) through a rigorous test and I showed a few people, who showed a few other people, who thought it would be a good idea to show it to you guys.  The result of that is this video with an awesome introduction by my buddy Brook Chelmo, SonicWall Capture’s senior product marketing manager. Brook is great at explaining all the bits and pieces that make this work. Just watch the video and you’ll see what I mean.


In order for us to get the maximum number of malicious files, we turned off several safety mechanisms (e.g. botnet filtering) on the SonicWall next-gen firewall management console and ran a python script that pulled potential malware from a number of sites. The results were outstanding, and we identified a number of pieces of malware that were previously unknown to us and that would not have been caught without SonicWall Capture ATP.

Learn how SonicWall Capture ATP Service eliminates malware through the technology chain from the internet to the end-point. This is a security service you can purchase for your SonicWall next-gen firewall. Although most of the potential malware was stopped by SonicWall Gateway Anti-Virus (because it was known to us), a handful of malicious code was discovered by the SonicWall Capture ATP network sandbox.  The video above dives into the reports generated for malware discovered in sandbox pre-filtering, as well as SonicWall Capture ATP’s multi-engine processing.