Organizations in the Middle East Can Combat WannaCry & Jaff Ransomware with Well Instrumented DNS

May 2017 by Mohammad Tabbara, Senior Systems Engineer - UAE & Channel at Infoblox

Several early reports conflated the two outbreaks, based on the evidence at
hand and the fact that both used ransomware. Subsequent investigation showed
that they were separate attacks using different distribution mechanisms and
different malware. The distinction matters because each one calls for slightly
different remediation measures.

The first attack, WannaCry, is a self-propagating worm that exploits a known
and already patched vulnerability in Microsoft Server Message Block (SMB). It
uses the ETERNALBLUE exploit and then installs the DOUBLEPULSAR backdoor to
retain access to infected systems. WannaCry spreads by connecting to SMB
services on local and Internet-facing systems that are either still vulnerable
or already running the backdoor, and it attempts connections to every system
on the local network in order to move laterally.

During its initial infection WannaCry checks whether an external domain (the
killswitch domain) can be reached. If the killswitch domain responds, the
encryption routine does not run. The killswitch domains are not
command-and-control servers for the malware; they should be monitored but not
blocked. Before May 12 the domains were not registered. Shortly after the attack
started, a malware researcher
(http://money.cnn.com/2017/05/13/technology/hero-ransomware-malwaretech-cyberattack/)
registered and sinkholed the first domain. This prevented a large number of
later infections, because from then on the malware could resolve and reach the
domain. If left to run, WannaCry encrypts most files on a machine. Once the
files are encrypted, the user is told to pay $300 in Bitcoin to get them back;
the demand rises to $600 if the user waits too long, and after a further delay
the files are presented as unrecoverable. Microsoft had issued a patch for the
exploited SMB vulnerability in March 2017 (MS17-010), but that patch was far
from universally deployed.

While the world was preoccupied with WannaCry, another ransomware campaign,
Jaff, was already under way. Jaff was distributed by Necurs, one of the largest
botnets in the world, notorious for spreading threats such as the Locky
ransomware and the Dridex banking Trojan. Necurs sends deceptive emails that
urge the victim to open an attached PDF document. When opened, the document
asks for additional permissions; if the user grants them, the ransomware
payload is downloaded and executed. The emails delivering Jaff use standard
spam techniques, but the exact lures vary between the concurrent campaigns.

Once the malicious document has downloaded and executed Jaff, the malware
contacts its C2 servers to report that encryption of the victim's files has
begun. Jaff then encrypts the files, instructs the victim to install Tor
Browser, and directs them to a web site that displays the ransom note and
payment instructions. The amount demanded varies over time, but currently
averages around 2 Bitcoin (roughly $3,500).

Best Practice Recommendations:

In the face of these attacks, organizations in the Middle East are asking what
they can do.

· Implementing patches in a timely manner: WannaCry's reliance on a known,
already patched vulnerability and on network scanning means that traditional
defenses are effective against it. Applying the vendor patch promptly, and
keeping systems patched in general, removes the vulnerability and with it the
worm's ability to spread through that exploit. Systems that cannot be patched
should at least not expose SMB (TCP port 445) to untrusted networks.
· Sinkholing: Unlike typical command-and-control domains, which should be
blocked, WannaCry's killswitch domain has to be resolved and reached for the
ransomware's encryption function to stay dormant. One best practice is for an
enterprise to redirect internal requests for those domains to an internal
sinkhole. Letting the infected client connect successfully to the killswitch
domain prevents the encryption function from running, and the sinkhole's logs
identify the internal hosts that are infected. Note that the malware's check is
an HTTP request, not only a DNS lookup: the internal sinkhole must accept the
connection and return an HTTP response, otherwise the redirect has the same
effect as blocking the domain.
· DNS Response Policy Zone (RPZ) capability: using an RPZ on the DNS server to
rewrite and log every query for the killswitch domain identifies infected
clients at the resolver, before they even reach the sinkhole.
· Using up-to-date threat intelligence: organizations should leverage
up-to-date and curated threat intelligence across their entire security and
DNS infrastructures to protect against malicious activity and DNS
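The sinkholing and RPZ recommendations above, as an added worked example that is not code from the article or from Infoblox: the script writes a BIND-style RPZ zone that answers the killswitch domain with an internal sinkhole address while returning NXDOMAIN for an ordinary C2 domain, then parses resolver RPZ-rewrite log lines to list the internal hosts that looked the killswitch up. The sinkhole address 10.0.0.50, the placeholder C2 name c2.example, the zone name rpz.local and the log lines are all constructed for the example; the log format is assumed to follow BIND 9's `rpz` logging category, so adjust the regular expression to whatever your resolver actually writes. The killswitch domain listed is the one registered and sinkholed publicly on 12 May 2017; populate the list from your own threat intelligence.

```python
"""Added example: RPZ zone for a killswitch sinkhole plus a log parser that
turns resolver RPZ hits into a list of infected internal hosts.
Names, addresses and log lines are constructed for illustration."""
import re
from datetime import datetime

# Killswitch domains: resolve to the internal sinkhole, never NXDOMAIN.
# Assumed list; extend it from your threat-intelligence feed.
KILLSWITCH_DOMAINS = ["iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
# Real C2 domains should be blocked; "c2.example" is a hypothetical placeholder.
BLOCK_DOMAINS = ["c2.example"]
# Assumed internal web server that answers HTTP on port 80: WannaCry's check
# is an HTTP request, so a DNS answer alone is not enough.
SINKHOLE_IP = "10.0.0.50"


def build_rpz_zone(origin, sinkhole_ip, sinkhole_domains, block_domains,
                   serial=2017051301):
    """Return an RPZ zone file in BIND master-file syntax."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for name in sinkhole_domains:
        # Local-data action: the client receives the sinkhole address, can
        # complete its HTTP check, and the resolver logs the rewrite.
        lines.append(f"{name} IN A {sinkhole_ip}")
        lines.append(f"*.{name} IN A {sinkhole_ip}")
    for name in block_domains:
        # CNAME to the root (".") is the RPZ NXDOMAIN action.
        lines.append(f"{name} IN CNAME .")
        lines.append(f"*.{name} IN CNAME .")
    return "\n".join(lines) + "\n"


# Constructed log lines in the shape BIND 9 writes to its "rpz" category.
SAMPLE_LOG = """\
12-May-2017 15:02:11.123 rpz: info: client @0x7f3c2c0a1230 10.1.20.33#49152 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): rpz QNAME Local-Data rewrite iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com via iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.rpz.local
12-May-2017 15:02:15.004 queries: info: client @0x7f3c2c0a2340 10.1.20.33#49153 (www.example.com): query: www.example.com IN A + (10.0.0.2)
12-May-2017 15:03:40.771 rpz: info: client @0x7f3c2c0a1230 10.1.20.41#51001 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): rpz QNAME Local-Data rewrite iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com via iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.rpz.local
12-May-2017 15:04:02.318 rpz: info: client @0x7f3c2c0a1230 10.1.20.50#52222 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.rpz.local
12-May-2017 15:09:58.610 rpz: info: client @0x7f3c2c0a1230 10.1.20.33#49160 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): rpz QNAME Local-Data rewrite iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com via iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.rpz.local
"""

# Assumed format: timestamp, "rpz:" category, optional "@0x..." client handle,
# client IP#port, queried name in parentheses, then the rewrite action.
RPZ_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ rpz: \w+: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz QNAME (?P<action>\S+) rewrite"
)


def parse_rpz_log(text):
    """Yield (timestamp, client_ip, qname, action) for each RPZ rewrite line."""
    for line in text.splitlines():
        m = RPZ_LINE.match(line)
        if not m:
            continue  # ordinary query logging and other categories are ignored
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield ts, m["ip"], m["qname"].lower().rstrip("."), m["action"]


def killswitch_hits(text, killswitch_domains=KILLSWITCH_DOMAINS):
    """Map client IP -> {first_seen, last_seen, count} for killswitch lookups.

    A host that asks for the killswitch domain is running the WannaCry
    dropper. Rewrites of other domains (such as the blocked C2 name) are
    left out so the list is specific to this infection.
    """
    watched = {d.lower() for d in killswitch_domains}
    hits = {}
    for ts, ip, qname, _action in parse_rpz_log(text):
        if qname not in watched and not any(qname.endswith("." + d) for d in watched):
            continue
        entry = hits.setdefault(ip, {"first_seen": ts, "last_seen": ts, "count": 0})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return hits


if __name__ == "__main__":
    print(build_rpz_zone("rpz.local", SINKHOLE_IP, KILLSWITCH_DOMAINS, BLOCK_DOMAINS))
    for ip, info in sorted(killswitch_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} killswitch lookup(s), "
              f"first {info['first_seen']}, last {info['last_seen']}")
```

To use the generated zone with BIND, load it as an ordinary zone and reference it from a `response-policy { zone "rpz.local"; };` statement in named.conf, and send the `rpz` logging category to a file so the parser has input. Before enabling the policy, confirm with a browser or curl that the sinkhole host returns an HTTP response for any path on port 80; the local-data answer only helps if the malware's HTTP check succeeds. With the constructed log above the parser reports 10.1.20.33 twice and 10.1.20.41 once, while 10.1.20.50 (which only queried the blocked C2 name) is not listed as a WannaCry host.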