We are seeing another outbreak of ransomware that appears to be a combination of previous other ransomware campaigns. As is always the case, criminal gangs learn from each other.
Petya was successful in 2016 using email attack campaigns and a ransomware-as-a-service business model. WannaCry introduced new worm propagation techniques, proving highly successful in hitting thousands of systems in a short time span last month.
This latest ransomware attack appears to be a variant of Petya, called Goldeneye, which combines capabilities of both Petya and WannaCry, specifically the worm-like spreading by exploiting a Windows operating system vulnerability.
Vectra Threat Labs analyzed this latest ransomware to understand its inner workings. They learned that the way it infects computers is a combination of previously seen attacks, and the behaviors it performs are business as usual.
Because Goldeneye's worm-like spreading behaves similarly to WannaCry, Conficker and other forms of malware that Vectra has detected, our customers were already enabled to detect and respond to the attack in real time. This is a direct benefit of detecting the early signs of ransomware behaviors, such as reconnaissance and lateral movement inside the network, rather than specific exploits or malware.
The information below describes the Vectra detections related to Goldeneye and explains how enterprises can respond quickly to stop it from spreading.
- The latest ransomware behaves like the Petya ransomware family. It encrypts Master File Table (MFT) entries and overwrites the Master Boot Record (MBR), dropping a ransom note and leaving victims unable to boot their computer. Most ransomware just disables file access. This ransomware, like Petya, does more damage by rebooting a system and disabling it.
- The new ransomware has worm propagation capabilities, exactly like last month’s WannaCry outbreak. It uses NSA exploits leaked by Shadow Brokers. It uses a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), which targets a flaw in the Windows Server Message Block (SMB) service.
- A second method of propagation is modeled after advanced attackers' use of stolen credentials and built-in remote administration tools like PsExec.
- Attackers are demanding payment of a $300 ransom in bitcoins. When this blog was published, 31 organizations had paid, and that number is expected to rise.
Does Vectra detect the new variant of ransomware?
Yes. Vectra detects Goldeneye ransomware in your network. It is important to remember that before ransomware can encrypt files, it needs to locate file shares on the network. This requires performing internal reconnaissance and lateral movement.
Vectra detects reconnaissance behaviors and triages all detections associated with infected hosts. Hosts infected with ransomware represent a critical risk, and these detections receive the highest threat and certainty scores to prioritize those hosts for immediate incident response.
The best part is, Vectra customers had this detection capability well before Goldeneye struck.
The Vectra Threat Labs and data science teams determined that infected hosts are likely to exhibit the following behaviors:
- Performing internal reconnaissance by sweeping hosts on the internal network on port 445 to find computers with the vulnerability MS17-010.
- Lateral movement by automated replication of the malware to computers that respond to the port sweep and are vulnerable to MS17-010.
- Suspicious Remote Execution detections will show use of the Service Control Manager UUID and connections to the psexecsvc SMB named pipe.
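As an added defender's example (not code from this post or from Vectra's product), the following Python correlates two of the behaviors listed above over constructed flow records: a port 445 sweep across many internal hosts, followed by the same source connecting to the psexecsvc SMB named pipe. The record format, the sweep threshold (10 hosts in 60 seconds) and the pipe name list are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the post), one per line:
# "<timestamp> <src> <dst> <dport> <smb_pipe_or_dash>"
SAMPLE_FLOWS = "\n".join(
    [f"2017-06-27T10:00:{i:02d} 10.0.1.20 10.0.1.{i} 445 -" for i in range(1, 13)]
    + ["2017-06-27T10:00:20 10.0.1.20 10.0.1.7 445 psexecsvc",   # remote execution
       "2017-06-27T10:00:05 10.0.1.30 10.0.1.5 445 srvsvc",      # benign file-server use
       "2017-06-27T10:01:05 10.0.1.30 10.0.1.5 445 srvsvc"]
)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, pipe = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "pipe": None if pipe == "-" else pipe.lower()})
    return sorted(flows, key=lambda f: f["ts"])

def find_port_sweeps(flows, port=445, min_hosts=10, window=timedelta(seconds=60)):
    """Return {src: set(dsts)} for sources that touch >= min_hosts distinct hosts
    on `port` inside any `window`-long interval (assumed sweep threshold)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append(f)
    sweeps = {}
    for src, fl in by_src.items():
        for i, start in enumerate(fl):
            targets = {g["dst"] for g in fl[i:] if g["ts"] - start["ts"] <= window}
            if len(targets) >= min_hosts:
                sweeps[src] = sweeps.get(src, set()) | targets
    return sweeps

def find_remote_execution(flows, sweepers, pipes=("psexecsvc",)):
    """SMB named-pipe use typical of PsExec-style execution, restricted to hosts
    that already swept port 445 (the lateral-movement follow-on)."""
    return [(f["src"], f["dst"], f["pipe"]) for f in flows
            if f["pipe"] in pipes and f["src"] in sweepers]

def triage(text):
    flows = parse_flows(text)
    sweeps = find_port_sweeps(flows)
    lateral = find_remote_execution(flows, sweeps)
    # Hosts showing both recon and remote execution get the highest priority
    critical = sorted({src for src, _, _ in lateral})
    return {"sweepers": sorted(sweeps), "lateral": lateral, "critical": critical}

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```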
How can I improve the response to Goldeneye and its variants?
To speed up and prioritize investigations, we recommend configuring email alerts specific to the Vectra detections related to Goldeneye and its variants.
Vectra found that giving high priority to activity on Port 445 provided early indicators of the Goldeneye attack:
- Outbound port sweep
- Port sweep
- Internal darknet scan
- Automated replication
- File share enumeration
- Suspicious Remote Execution
By scoring all attacker behavior detections for threat level and certainty, you can quickly prioritize hosts for incident response by selecting the thresholds for email alerts.
It is important to note that since GoldenEye only encrypts the master boot record of the local machine, a Ransomware File Activity detection is not expected.
How do I respond to a detected Goldeneye attack?
Vectra puts all the information at a security analyst’s fingertips to make an informed decision. If Vectra detects one or more Goldeneye attacker behaviors on a host, you can automatically trigger one of several actions, depending on the threat level and your internal policy.
Option 1: Quarantine or remove the infected host from the network. Goldeneye has viral or wormlike spreading tendencies, so isolating a host from the network is the quickest way to stop its spread.
Option 2: Quarantine all hosts listed as destination IP addresses in an automated replication detection if they were contacted by a host suspected of being infected by Goldeneye.
Option 3: Re-image infected hosts and restore files from an offline backup to avoid reinfection. In the case of a ransomware file activity detection, restore encrypted files on the file shares from an offline backup.
What happens next?
Patch your systems. Microsoft has issued patches for MS17-010, even for unsupported versions like Windows XP. Many other patches have been issued by software vendors for vulnerabilities released by Shadow Brokers. Organizations that implemented the patches were spared from GoldenEye.
As we mentioned in our previous coverage, we anticipate that many more ransomware attacks will occur. They will have different names and use different exploits. What won’t change is the nature of the attacks and their associated behavior.
While we don’t know when the next big attack will occur, you need to be ready for it. Ongoing advances in AI have allowed technology to augment the efforts of cybersecurity teams. And there must be a seismic shift in the cybersecurity industry to identify attacker behaviors fast and early.