MSSP Advisory: Latest Ransomware Threats Demand Multi-Layer Protection

Webroot’s Tyler Moffitt
While managed security services providers (MSSPs) have been acutely aware of the growing menace ransomware poses to their customers, recent WannaCry and Petya ransomware attacks have delivered a sobering wake-up call to security professionals on how damaging and widespread these latest ransomware threats can be.

In a thoughtful podcast discussion with IT channel expert Pedro Pereira, Webroot senior threat research analyst Tyler Moffitt detailed the evolution of ransomware, and why it seems to have become more dangerous and capable of doing far more damage than MSSPs witnessed in ransomware’s infancy.

Here's some related late-breaking news, and then a recap of the podcast...

Late-breaking News:

After this podcast was posted, new variants of Locky (Diablo and Lukitus) surfaced from a ransomware family presumed by many to be dead. Rising to infamy as one of the first major forms of ransomware to achieve global success, Locky’s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.

Webroot first detected Diablo on August 9, 2017, and Lukitus on August 16. Since then, Webroot has seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.

Although Webroot will stop this specific variant of Ransomware as a Service in real time—before any encryption takes place—don’t forget that the best protection in your anti-ransomware arsenal is a strong secure backup.

Podcast Recap: Analyzing the Attacks

Observes Moffitt, “We’ve seen that ransomware is now disrupting infrastructure. Ukraine was the biggest target of the Petya attack, it was pretty clear that attack was aimed at doing as much damage as possible to Ukrainian infrastructure. It was under the guise of ransomware, but its goal was not to make money.”

Another example of the changing ransomware landscape: while once phishing was the preferred method for getting ransomware into computers, WannaCry leveraged exploit kits (EternalBlue and EternalRomance, specifically) that were originally created by the National Security Agency (NSA). Moffitt explains, “These exploits allowed WannaCry to spread, not through phishing, but through SMB, the server message block which is employed in Windows XP and up. SMB is utilized in pretty much every large-scale corporation for a variety of things.”

Continues Moffitt, “WannaCry was strictly through SMB, so it was started through SMB and spread only through SMB. There was no phishing or anybody clicking anything. That was the thing that was so scary, you didn’t even need to click on something. And it hit computers not previously susceptible; your network could have a bunch of computers with no external connection, no link to the Internet. They were only connected to your local network, but they were hit because one computer on that network was connected to the Internet, and they were all using SMB, and so WannaCry was able to spread like a worm into all of them.”

Moffitt went on to note that this was how the UK’s National Health Service was hit, resulting in the shutdown of a wide variety of equipment, including blood test machines, MRIs, lasers, scanners, X-rays and other medical devices.

As noted earlier, Petya was another ransomware attack that yielded devastating results, though as Moffitt details, it took a different approach: “Petya originally started as a bad update through the Ukrainian tax software M.E.Doc, which virtually every business in Ukraine uses. It’s very clear that Petya was meant to target everything in Ukraine. While it did hit machines in Europe, China and other places, including the USA, it was only businesses that have operations in Ukraine that were affected. It all stemmed from Ukraine.”

Petya's Total Cost: $500 Million

Based on the estimated losses suffered by Petya victims like FedEx, Maersk (the largest shipping container vessel company in the world), British consumer goods manufacturer Reckitt Benckiser and others, Moffitt suspects that total damages inflicted by Petya could reach as high as $500 million. (The reluctance of companies to disclose dollar amounts for losses makes estimates difficult.)

When interviewer Pereira asked Moffitt to list key takeaway lessons from the WannaCry and Petya ransomware attacks, he offered several:

  • Ransomware can now hit many more computers than were previously thought vulnerable; computers without Internet connections are not safe.
  • Other NSA exploits are likely being used that may eventually be discovered and utilized by cybercriminals; in short, this is only the beginning of many new attacks to come.
  • Patching and updating your clients’ systems is more serious than ever; a Microsoft update released months earlier enabled some companies to stymie the WannaCry attacks.
  • Ransomware has evolved to where it is no longer only after the money; it can deal serious infrastructure damage that yields massive disruptions throughout the rest of the world.

Fighting Ransomware: Two Key Steps MSSPs & MSPs Can Take

Pereira and Moffitt concluded their conversation by touching on two key steps MSSPs and MSPs can take to protect their clients from these new ransomware attacks. “Make sure they’re aware of the threat, how it’s spread,” advises Moffitt. “Ultimately, it’s not too complex, these samples were relatively simple though they used very powerful exploits. Try to explain, ‘If you keep your systems up to date and patched, you’re reducing the surface area of exposure.’”

“In addition to that,” Moffitt continues, “you need to have multi-layered security that’s going to protect against all the different types of vectors. As we’re seeing with these new exploits and attacks via software update bugs, there are different vectors being used to start attacks. Not just through phishing, but also through exploits or through drive-by downloads.”

Guest blog courtesy of Webroot.