
After this podcast was posted, new variants of Locky (Diablo and Lukitus) surfaced from a ransomware family presumed by many to be dead. Rising to infamy as one of the first major forms of ransomware to achieve global success, Locky’s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.
Webroot first detected Diablo on August 9, 2017, and Lukitus on August 16. Since then, Webroot has seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.
Although Webroot will stop this specific variant of Ransomware as a Service in real time—before any encryption takes place—don’t forget that the best protection in your anti-ransomware arsenal is a strong secure backup.
Podcast Recap: Analyzing the Attacks
Observes Moffitt, “We’ve seen that ransomware is now disrupting infrastructure. Ukraine was the biggest target of the Petya attack; it was pretty clear that attack was aimed at doing as much damage as possible to Ukrainian infrastructure. It was under the guise of ransomware, but its goal was not to make money.”
Another example of the changing ransomware landscape: while once phishing was the preferred method for getting ransomware into computers, WannaCry leveraged exploit kits (EternalBlue and EternalRomance, specifically) that were originally created by the National Security Agency (NSA). Moffitt explains, “These exploits allowed WannaCry to spread, not through phishing, but through SMB, the server message block which is employed in Windows XP and up. SMB is utilized in pretty much every large-scale corporation for a variety of things.”
Continues Moffitt, “WannaCry was strictly through SMB, so it was started through SMB and spread only through SMB. There was no phishing or anybody clicking anything. That was the thing that was so scary; you didn’t even need to click on something. And it hit computers not previously susceptible; your network could have a bunch of computers with no external connection, no link to the Internet. They were only connected to your local network, but they were hit because one computer on that network was connected to the Internet, and they were all using SMB, and so WannaCry was able to spread like a worm into all of them.”
Moffitt went on to note that this was how the UK’s National Health Service was hit, resulting in the shutdown of a wide variety of equipment, including blood test machines, MRIs, lasers, scanners, X-rays and other medical devices.
As noted earlier, Petya was another ransomware attack that yielded devastating results, though as Moffitt details, it took a different approach: “Petya originally started as a bad update through the Ukrainian tax software M.E.Doc, which virtually every business in Ukraine uses. It’s very clear that Petya was meant to target everything in Ukraine. While it did hit machines in Europe, China and other places, including the USA, it was only businesses that have operations in Ukraine that were affected. It all stemmed from Ukraine.”
Petya's Total Cost: $500 Million
Based on the estimated losses suffered by Petya victims like FedEx, Maersk (the largest shipping container vessel company in the world), British consumer goods manufacturer Reckitt Benckiser and others, Moffitt suspects that total damages inflicted by Petya could reach as high as $500 million. (The reluctance of companies to disclose dollar amounts for losses makes estimates difficult.)
When interviewer Pereira asked Moffitt to list key takeaway lessons from the WannaCry and Petya ransomware attacks, he offered several:
- Ransomware can now hit many more computers than were previously thought vulnerable; computers without Internet connections are not safe.
- Other NSA exploits are likely being used that may eventually be discovered and utilized by cybercriminals; in short, this is only the beginning of many new attacks to come.
- Patching and updating your clients’ systems is more serious than ever; a Microsoft update released months earlier enabled some companies to stymie the WannaCry attacks.
- Ransomware has evolved to where it is no longer only after the money; it can deal serious infrastructure damage that yields massive disruptions throughout the rest of the world.