Fast-Moving GoldenEye Ransomware Highlights Importance of Eliminating Network Blind Spots

July 2017 by Mohammed Al-Moneer, Regional Director, MENA at A10 Networks

A wave of ransomware swept across Europe at an incredibly rapid pace, grinding
business to a halt at banks, airports, pharmaceutical companies, government
offices, service providers, utilities and more, security researchers said.

Dubbed GoldenEye (https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/),
a new variant of the Petrwrap/Petya ransomware, this attack is sneaking past
traditional security defenses - according to The Hacker News
(http://thehackernews.com/2017/06/petya-ransomware-attack.html), only 13 out of
61 anti-virus services are successfully detecting it - to load malware onto
victims’ Windows machines and hold files for ransom unless the attackers are
paid $300 in bitcoin.

Though the initial infection vector of the ransomware is currently unknown,
researchers said it leverages the EternalBlue
(https://en.wikipedia.org/wiki/EternalBlue) exploit to spread from one computer
to another over the Microsoft Windows SMB protocol.

Researchers said that this new bit of ransomware is similar in many ways
to WannaCry (https://www.a10networks.com/node/12501), which in May ensnared more
than 200,000 machines in more than 150 countries to hold files for ransom and
also spread via the EternalBlue exploit.

One striking difference between WannaCry and GoldenEye is how the two ransomware
attacks use encryption.

WannaCry encrypted the infected files, while GoldenEye has two distinct layers
of encryption: one that encrypts the files, and another that encrypts an
infected machine’s entire file system, Bitdefender
(https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/)
wrote.

"Just like Petya, it is particularly dangerous because it doesn’t only encrypt
files, it also encrypts the hard drive as well," Bogdan Botezatu, a senior
threat analyst with Bitdefender, told CNET
(https://www.cnet.com/news/unprecedented-cyberattack-hits-businesses-across-europe/?ftag=COS-05-10aaa0b&linkId=39152397).

A tweet from a Kaspersky Lab researcher
(https://twitter.com/craiu/status/879692523102511104) indicates that Kaspersky
recovered a sample of the malware on June 18, suggesting it has been in the
wild and infecting machines for more than a week.

Knowing What’s on Your Network

As GoldenEye quickly spread throughout Europe Tuesday morning and afternoon,
researchers worked to uncover the initial infection vector and determine the
source.

While the source of the infection is still unclear, that it went unnoticed for
more than a week is a strong reminder of the importance of understanding what
type of traffic is on your network.
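The spread mechanism described above (one machine reaching many neighbours over SMB) leaves a network-level trace that visibility tooling can catch. As an added example, not from the original article or from A10 Networks, the Python below flags any source host that contacts several distinct peers on TCP/445 inside a short window; the flow records and their field layout (timestamp, source, destination, destination port) are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real telemetry): "timestamp src dst dport".
FLOWS = """\
2017-06-27T09:00:00 10.0.1.15 10.0.1.20 445
2017-06-27T09:00:03 10.0.1.15 10.0.1.21 445
2017-06-27T09:00:05 10.0.1.15 10.0.1.22 445
2017-06-27T09:00:09 10.0.1.15 10.0.1.23 445
2017-06-27T09:00:12 10.0.1.15 10.0.1.24 445
2017-06-27T09:00:18 10.0.1.15 10.0.1.25 445
2017-06-27T09:00:20 10.0.1.15 203.0.113.9 443
2017-06-27T09:01:00 10.0.1.30 10.0.1.5 445
2017-06-27T09:15:00 10.0.1.30 10.0.1.5 445
2017-06-27T09:30:00 10.0.1.30 10.0.1.5 445
2017-06-27T09:02:00 10.0.1.40 10.0.1.5 445
2017-06-27T09:20:00 10.0.1.40 10.0.1.6 445
2017-06-27T09:45:00 10.0.1.40 10.0.1.7 445
"""

def parse_flows(text):
    """Yield (epoch_seconds, src, dst, dport) from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)

def smb_fanout(flows, threshold=5, window_s=60):
    """Map src -> peak number of distinct SMB peers reached within window_s seconds,
    keeping only sources whose peak is at least `threshold` (worm-like fan-out)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:  # only SMB flows matter for this detector
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = peak = 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window_s:  # drop flows older than the window
                left += 1
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for host, peers in smb_fanout(parse_flows(FLOWS)).items():
        print(f"{host} reached {peers} distinct SMB peers within 60s: investigate for lateral spread")
```

A host that talks to one file server all day (10.0.1.30) never trips the threshold, while a host sweeping its subnet (10.0.1.15) does within seconds.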

Ransomware is sometimes spread via encrypted email messages containing Word and
Excel files as attachments. This reinforces the need to decrypt and inspect
Webmail and other secure email protocols to ensure attachments do not contain
ransomware.

It’s also possible that GoldenEye infected machines through the use of nefarious
encrypted traffic and went undetected.

According to A10 Networks customers, roughly 75 percent of their traffic is
encrypted.

Yet at the Gartner Security and Risk Management Summit
(https://www.a10networks.com/node/16096) earlier this month, Gartner analysts
said that by 2020, more than 60 percent of organizations will fail to properly
decrypt traffic (https://www.a10networks.com/node/6786) and miss most targeted
web malware.

Encrypted traffic has become the biggest network blind spot, and enterprises
need solutions that break and inspect encrypted traffic to uncover potential
malware before it’s too late.

Failing to decrypt encrypted traffic in real-time for your security stack to
analyze could be inviting ransomware or other malware onto your network.
