A relatively young piece of ransomware called WanaCrypt0r began spreading rapidly around the world on May 12th. In the end, over 99 countries were hammered with the ransomware attack, including industries of all kinds, ultimately infecting over 75,000 machines.
How did this happen?
What made this piece of ransomware so prolific was being packaged as part of an exploit tool called ETERNALBLUE that leverages a known vulnerability in Windows that was patched in March as part of Windows Updates. This was an SMB vulnerability (MS17-010), which allowed malicious code to travel from system to system. Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated. Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.
The exploit was delivered via email attachment. Once the exploit detonated, the worm spread the ransomware through RDP sessions and the SMB vulnerability referenced above. The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible. The ransomware encrypts the target files and presents the ransom note to the victim. This MalwareBytes thread has a detailed analysis of the code and the executable.
The attackers charged up to $600 in bitcoin for the decryptor.
Multiple layers of Barracuda Advanced Threat Protection were detecting these executables early on, and Barracuda customers with an active Energize Updates subscription were protected from this exploit.
Jonathan Tanner, Barracuda Software Engineer and security blogger, offers this advice on defending against these attacks:
- Keep current on updates, especially on technologies that have a history of multiple vulnerabilities. Maintain active subscriptions on your anti-virus solutions, and subscribe to Energize Updates if you're a Barracuda customer;
- End-of-Life Operating Systems should be replaced as soon as possible. Operating systems that are beyond extended support should be removed from networks immediately, even if you can't replace it right away;
- We cannot overstate the importance of vigilance when it comes to email and email attachments. Email is the primary method of attack for almost everything. In this attack, one person opening the exploit could lead to the infection of all other vulnerable devices on the network;
- Shut down unused and unnecessary services on your systems. Every service is a potential attack surface;
- Deploy a powerful email security gateway to protect your users from these attacks. Barracuda offers 30-day free trials on email security appliances and services so you can try them out for yourself;
- Back up all of your data on a regular basis. Get a free trial of Barracuda Backup if you are looking for a comprehensive solution with flexible deployment options.
What did we learn?
A multi-layer security solution and a data protection strategy are critical components of cybersecurity, but it's never been more important to help your colleagues and company leadership understand the risk of cyberattack. This understanding, combined with ongoing training and awareness initiatives, will help your users protect themselves.
For information on how we can help protect your organization from this type of attack, visit the Barracuda ransomware solutions site at www.barracuda.com/ransomware.
Click here for our on-demand webinar on how to keep healthcare networks safe from ransomware.