Ransomware: A Persistent Scourge Requiring Corporate Action Now – June 2019

From:

threatpost


ASCO is the latest headline-making organization to be hit by ransomware, prompting many companies to consider what to do to minimize their risk.

A ransomware attack on Belgian airplane manufacturer ASCO this week is the latest in a string of incidents that show the unique danger lurking in this type of malware campaign. The rise of ransomware has cost companies millions to remediate – both in making payments and in system restoration and downtime – and should be prompting organizations of all sizes to take preventative measures.

ASCO, one of the world’s largest airplane suppliers, said this week that it shut down production in its factories in Canada, Germany and the U.S. after a ransomware infection crippled its plant in Zaventem, Belgium. About 1,000 of its 1,400 workers have been given leave for the week as the company works to remediate the issue, according to German media outlets. Whether ASCO has paid the ransom is unclear, but the impact on its operations is clearly severe. 

“Airplane manufacturer ASCO being hit by ransomware continues [the] trend of cybercriminals focusing their efforts on industry and manufacturing as their targets – recognizing the hugely costly and disruptive effect such a shutdown will have on the business,” said Shlomie Liberow, technical program manager at HackerOne, via email. “Public understanding of ransomware is on the rise, so if ASCO reacts quickly and in a way that keeps relevant stakeholders informed, hopefully it will see no lasting damage to reputation.”

According to Verizon’s 2019 Data Breach Investigations Report (DBIR), ransomware attacks are still going strong, accounting for nearly 24 percent of incidents where malware was used. And according to the FBI’s Internet Crime Report, 1,493 ransomware attacks, resulting in losses of $3.6 million, were reported in 2018. That figure represents only those attacks that were reported directly to the FBI.

Also, while ransomware attacks are on the rise, so too is the scope of the attacks. Chris Dawson, threat intelligence lead at Proofpoint, said that recent incidents point to threat actors attempting to take advantage of deeper pockets and higher stakes to demand much larger ransoms – as opposed to previous campaigns, targeting individuals, that demanded hundreds of dollars to unlock an individual PC.

This is exemplified in a string of high-profile ransomware attacks on large municipalities, manufacturers and other companies over the past year, of which the ASCO incident is a continuation. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. Although Atlanta officials were vocal about not paying the ransom, the city ended up spending $2.6 million to recover. These expenditures covered incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise.

The city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more. Like Atlanta, Baltimore officials refused to pay the $76,000 ransom – but ended up dishing out $18.2 million in restoration costs and lost revenue.

And in one of the most high-profile cases, Norsk Hydro fell victim in March to a serious ransomware attack that forced it to shut down or isolate several plants and send several more into manual mode. The attack ultimately cost the aluminum giant $40 million.

“The RobbinHood attack on the city of Baltimore fits with a theme that we’ve observed as ransomware in the malicious email space has largely dried up,” Dawson said in an email. “Instead of targeting individuals in high-volume email campaigns as we saw frequently in 2016 and 2017, threat actors are now using ransomware in targeted attacks against key targets for much larger ransoms. As with Norsk Hydro and other targeted organizations, it appears that threat actors make use of existing network and endpoint compromises to then load ransomware on vulnerable devices.”

Of course, beyond these headline cases, plenty of non-household names are hit every day, too.

A ransomware attack will be costly and damaging, no matter the organization’s size: According to a SentinelOne report, the average cost of a ransomware attack is more than $900,000. This includes the ransom itself, downtime and lost productivity, remediation, legal costs and more.

“Businesses face numerous cyberthreats from hackers, but ransomware is particularly insidious and common,” Daniel Markuson, a digital privacy expert at NordVPN, told Threatpost. “When ransomware infects a server, it quickly spreads to encrypt all of the files on that server. Obviously, this can be disastrous for a business – all of its payroll, customer information, contracts and trade secrets all rendered inaccessible. Once it’s deployed, the hacker simply demands a ransom from the company before unlocking their files. That’s only if they’re honest, however.”

Regarding whether to pay, many organizations find themselves in a dilemma when hit by ransomware. The choice is often either to pay the ransom and hope the cyberattackers keep their word and deliver the decryption keys, or to pay a cybersecurity firm to perform remediation and cleanup, which can cost more than the actual ransom. The latter path is more ethical, avoiding sending money into criminal pockets. But the choice “to pay, or not to pay?” can be hard.

“It’s easy to say that companies should never pay, but it’s also quite unrealistic,” said Brett Callow, spokesperson for Emsisoft, in an interview with Threatpost. “The reality is that making payment may be the only option that will enable a company to become operational again within a reasonable period of time. It’s very much a case of ethics versus business necessity.”

He added, “it may be the only recovery option available. Second, some companies may believe that payment is the fastest route to becoming operational again. Third, in some instances, they may believe that making payment will enable them to avoid the matter coming to the attention of the public and their shareholders.”

Although some decryptor tools are available, remediation firms themselves often have no options to give their customers, if those customers haven’t fully backed up their data, according to at least one researcher.

“I have no doubt that there are many firms out there that offer ‘sophisticated tools and tactics’ to decrypt victims’ files for a hefty fee,” Tyler Moffitt, security analyst at Webroot, said by email. “It also doesn’t surprise me that the majority of the time all these firms do is pay the ransom and then charge the victim a premium. This is pretty much the only chance that these assistance firms would be able to actually retrieve files. Retrieving them without paying the ransom is very rare and again only available when criminals make mistakes, so for the most part getting these encryption keys is impossible without paying the ransom and dealing with the criminals directly.”

Ransomware can also have devastating effects on reputation, in addition to the hard costs associated with an attack. That’s something that payment won’t fix, but being transparent about what’s happened and why can go a long way to softening this particular blow, according to HackerOne’s Liberow.

For example, Norsk Hydro admitted the gritty details, such as the fact that it had to close down operations in several locations, and the fact that the incident cost it at least $40 million in the first week.

“Norsk showed the world that while ransomware is costly and devastating in the moment, it doesn’t have to have a lasting effect on reputation as the open and transparent way Norsk dealt with the attack resulted in a rise in share price,” Liberow noted.

Interestingly, Radiohead’s recent response to a ransomware attack, which involved releasing a trove of 18 previously unheard outtakes from their album “OK Computer” rather than paying a $150,000 ransom demand, demonstrates the positive brand power of a non-negotiation philosophy in the face of cybercriminals, according to Peter Groucutt, managing director of Databarracks; it thwarted the criminals’ efforts while bringing good publicity.

“Releasing a collection of unheard songs, demos and outtakes, while unconventional, was a PR masterstroke by Radiohead,” Groucutt said. “This obviously isn’t a viable tactic for most businesses dealing with a ransomware attack, but we can learn from Radiohead’s defiance.”

The best approach to ransomware is to take your company off the target list. Basic security hygiene is the first step.

“Difficult as it may seem to prevent these attacks, when it comes to ransomware, prevention is always better than cure,” Liberow said. “This means ensuring all systems are up to date with the latest patches and that there are no security vulnerabilities or weaknesses which could leave an organization exposed to attackers.”

Another crucial aspect of preparing for an attack is simply to make sure you have an extra copy of your files available.

“To reduce the damage of any potential ransomware attacks, keep periodic secure backups of your data,” Markuson said. “This means that if a hacker breaks in and infects your business with ransomware, you can ignore their demands and rebuild your systems with the backed-up data (however, don’t forget that they may also have copied some of your data for themselves).”

The sheer pervasiveness of the ransomware scourge should be pushing all companies to invest in backups, Groucutt added.

“Given that ransomware attacks are becoming increasingly commonplace, there’s no excuse to be unprepared,” he said. “Agreeing to pay a ransom demand isn’t conducive to long-term security, and emboldens cybercriminals to continue to use this method. There is also a risk of looking like an easy target, potentially inviting further attacks.”

Lindsey O’Donnell also contributed to this report.

D-Synergy reposted 17th June 2019

NSA Warns Microsoft Windows Users: Update Now Or Face ‘Devastating Damage’


From Forbes.com, Jun 7, 2019, 05:19am
Contributor

I can’t recall ever seeing the U.S. National Security Agency (NSA) jumping in and warning users of Microsoft Windows to check if their systems are fully patched and, if not, to update now or risk a “devastating” and “wide-ranging impact.” But that’s what has just happened.

In an advisory published this week, the NSA has urged “Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threat.” That threat being BlueKeep, which has already been the focus of multiple “update now” warnings from Microsoft itself.

The NSA warning comes off the back of research that revealed just under one million internet-facing machines are still vulnerable to BlueKeep on port 3389, used by the Microsoft Remote Desktop feature, with an unknown number of further devices at risk within the internal networks behind them. The potential is certainly there for this threat, if exploited, to be on the scale of WannaCry.

It’s hard to know exactly why the NSA has decided to issue this advisory now, especially as it hasn’t gone through the more usual U.S.-Computer Emergency Readiness Team (CERT) channel. “I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit,” Ian Thornton-Trump, head of security at AmTrust International, told me, “that critical infrastructure is largely made up of the XP, 2K3 family.” This makes sense as although Windows 8 and Windows 10 users are not impacted by this vulnerability, Windows Server 2008, Windows Server 2003, Windows 7, Windows XP and Windows Vista all are.

John Opdenakker, an ethical hacker, agrees that it could well indicate the NSA is in possession of further threat intelligence regarding the BlueKeep threat. “If it’s actively being exploited, then I kind of understand why they would do it,” Opdenakker told me, adding, “it’s certainly not being exploited at scale though, otherwise we would have heard about it already.” The latter point is the important one as far as the “normal user” is concerned, in my opinion. There is little denying that, as Thornton-Trump puts it, “governments are more or less the ultimate authority; vetting, testing and intelligence all has to be assembled and internally red-teamed before an estimate of risk can be assigned.” This leads to a time lag as intelligence agencies react to the dynamic nature of such exploit disclosures.

.end of article.

D-Synergy

We recommend all our customers to update all their Microsoft Windows installations for all their desktops and servers. – June 2019

D-Synergy Tech Systems Pte Ltd New Address & Contacts Info

To All Customers & Partners

Please note our new office address and contact info as of May 2018 :

Singapore Corporate Office
D-Synergy Tech Systems Pte Ltd
67 Ubi Crescent, #05-09 , Techniques Centre
Singapore 408560
p: +65 69500600

Sales Enquiries : sales@d-synergy.com

General technical support : support@d-synergy.com

Feedback : feedback@d-synergy.com

Fortinet – Critical Update: WannaCry Ransomware

re-post from Fortinet Blog 2017

Critical Update: WannaCry Ransomware

by RSS Aamir Lakhani  |  May 15, 2017  |  Filed in: Security Research

On May 12th, 2017 the ransomware WannaCry disrupted hundreds of organizations in dozens of countries. The ransomware encrypts personal and critical documents and files and demands approximately $300 USD in Bitcoin for the victim to unlock their files.

It is important to note that Fortinet solutions successfully block this attack.

1. FortiGate IPS plugs the exploit

2. FortiSandbox detects the malicious behavior

3. Our AV engine detects the malware along with variants

4. Our Web filter identifies targeted sites and appropriately blocks or allows them

5. The FortiGate ISFW stops the spread of the malware

The worm-like behavior exhibited by this malware is due to an active probe for SMBv1 server port 445 on the local LAN searching for the presence of the Backdoor.Double.Pulsar. If the backdoor is present, the payload is delivered and executed through this channel. If not, a slightly less reliable exploitation route is taken.

For this reason, we are recommending that organizations (for now) block port 445 from the internet, or further, use NGFW capabilities to block the SMB protocol itself from the internet.

The malware is modular. Because it can grant the malicious actor super-user privileges on the infected device, it can be used to download additional malware and spoof URLs. In one case Fortinet observed, the malware first exploited vulnerability CVE-2017-0144 to gain access to the system; a dropper was then used to download the ransomware that encrypts the files.

This vulnerability occurs because of an integer overflow when parsing a malformed Trans2 Request in the SMBv1 Server. Successful exploitation leads to code being executed in the context of the application. There is no need for authentication for this to be exploited, which has been key to the rapid onset of the outbreak in local area networks.

Backdoor.Double.Pulsar

If the malware senses that a system has the Backdoor.Double.Pulsar installed, it will try to download and execute the payload using this method. Interestingly, in some samples we analyzed we discovered an unused flag to disable the DoublePulsar.

The malware is packaged inside a dropper as a DLL encrypted with an AES key. Once executed, the dropper writes a file named “t.wry.” It then uses the embedded AES key to decrypt the DLL, which is loaded into the parent process directly in memory, so the decrypted malware is never exposed on disk. This is a feature that evades some AV engines.

There is support for 179 filetypes, and a key is generated for each file.

On Saturday, May 13th, a security researcher discovered the kill-switch for this malware. It was a DNS check on a domain name that at the time was unregistered. Once registered, the malware perceived that the domain was alive and the infection was halted.

Outbound TOR

The malware downloads a Tor client and starts to communicate with its C&C servers over the Tor protocol. We recommend that you block outbound Tor traffic. You can accomplish this on FortiGate devices by using the AppControl signatures.

You do this by going to security profiles, application control, and selecting add signature under “Application Overrides.”


Then add the Tor protocol:

You can now see that it is being blocked.

Make sure you use your application policy in a firewall policy to ensure it is activated.

Inbound TOR

Although not strictly necessary, you might also want to consider blocking incoming traffic originating from the Tor network. Incoming traffic originating from the Tor network looks like any other Internet traffic; however, its origination point is a Tor exit node. A list of well-known exit nodes is maintained and updated in the Fortinet Internet Service Database. You can use this pre-built list in a firewall policy.


If the malware is allowed to communicate, it will try to connect to several malicious domains. The Fortinet web filtering engine categorizes these known domains as malicious, and if configured correctly should block these domains as part of your firewall policies.

Kill Switch

The malware stops if it finds that the domain “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” exists. While this domain originally did not exist, it does now as a malware researcher in the UK has registered it.

Note: Organizations that use proxies will not benefit from the kill switch. The malware is not proxy-aware, so it will not be able to connect to the kill-switch domain, and thus the malware will not be stopped.

For the kill switch to work the malware must be able to communicate with the kill switch domain. As it is in the best interest of having every opportunity to stop the malware, Fortinet has decided to not categorize the kill switch domain as malicious. However, reports as of May 14th, 2017 identified a version of the malware that bypasses the kill switch, making this an ineffective means of mitigation.

In fact, the kill switch now appears to be obsolete, as the attack is still ongoing and samples from these new waves include different domain names, or some don’t include a domain name kill switch at all.

Fortinet Protections to date

FortiGuard Labs is actively working with our CTA partners to share threat intelligence and ensure that all organizations have accurate information in order to ensure they are protected from this active threat.

Fortinet provides two primary IPS signatures to detect the attack. They are:

MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution

(released March 14th, 2017, updated May 10th, 2017)

Backdoor.Double.Pulsar

(released February 27th, 2017, updated May 1st, 2017)

Anti-Malware

Fortinet Anti-Malware/Anti-Virus engines have smart signatures enabled to detect the malware, along with behavior-based models to detect possible new variants.

The AV signatures are:

W32/Agent.AAPW!tr

W32/CVE_2017_0147.A!tr

W32/Farfli.ATVE!tr.bdr

W32/Filecoder_WannaCryptor.B!tr

W32/Filecoder_WannaCryptor.D!tr

W32/Gen.DKT!tr

W32/Gen.DLG!tr

W32/GenKryptik.1C25!tr

W32/Generic.AC.3EF991!tr

W32/Scatter.B!tr

W32/Wanna.A!tr

W32/Wanna.D!tr

W32/WannaCryptor.B!tr

W32/WannaCryptor.D!tr

W32/Zapchast.D!tr

Please note, some AV signatures require FortiGate devices to be configured using the extended antivirus definitions. In your FortiGate device you will want to select system, FortiGuard, and then enable extended AV and Extended IPS if available. Don’t worry if it is not. Many of our devices use this as the default option.

If the malware is allowed to execute, it runs the command “icacls . /grant Everyone:F /T /C /Q”, which grants full permissions to all files and folders where the malware is stored. Additionally, the malware clears Windows shadow copies, disables Windows startup recovery, and clears the Windows Server Backup history.

After that, the encryptor will execute and make the files inaccessible. Once the ransomware executes, users get a similar warning message to the one shown below.

The ransomware will also drop a file named !Please Read Me!.txt with further instructions. The name of the file may change slightly with each infection.
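The post-infection behaviour described in the last few paragraphs, together with the kill-switch DNS check described under “Kill Switch”, can be turned into host-level detection logic. The following is an added example and not Fortinet’s code: the log format, hostnames and sample log lines are constructed, and the vssadmin, bcdedit and wbadmin command patterns are an assumption, since the post names the effects (shadow copies, startup recovery and backup history cleared) but not the commands used.

```python
"""Detection logic for the WannaCry post-infection behaviour described in
the post, run over constructed endpoint and DNS log lines (added example)."""
import re
from collections import defaultdict

# Kill-switch domain quoted (defanged) in the post; undefanged here so that
# it can be matched against DNS query logs.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# (rule name, log source, weight, pattern). The icacls line, t.wry and the
# ransom-note name come from the post. The vssadmin/bcdedit/wbadmin commands
# are an assumption: the post names only the effects (shadow copies, startup
# recovery and backup history cleared), not the commands used.
RULES = [
    ("icacls_everyone_full", "process", 3,
     re.compile(r"\bicacls\s+\.\s+/grant\s+Everyone:F\s+/T\s+/C\s+/Q\b", re.I)),
    ("shadow_copies_deleted", "process", 3,
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic\s+shadowcopy\s+delete\b", re.I)),
    ("startup_recovery_disabled", "process", 2,
     re.compile(r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_cleared", "process", 2,
     re.compile(r"\bwbadmin\s+delete\s+catalog\b", re.I)),
    ("dropper_file_t_wry", "file", 2, re.compile(r"\\t\.wry$", re.I)),
    ("ransom_note_dropped", "file", 3, re.compile(r"!Please Read Me!\.txt$", re.I)),
    ("kill_switch_lookup", "dns", 1, re.compile(re.escape(KILL_SWITCH_DOMAIN), re.I)),
]

# Constructed sample log lines: "<timestamp> <host> <source> <payload>".
SAMPLE_LOGS = r"""
2017-05-12T10:01:02Z WS01 dns query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:01:05Z WS01 file create C:\ProgramData\qwerty\t.wry
2017-05-12T10:01:09Z WS01 process cmd.exe icacls . /grant Everyone:F /T /C /Q
2017-05-12T10:01:11Z WS01 process cmd.exe vssadmin delete shadows /all /quiet
2017-05-12T10:01:12Z WS01 process cmd.exe bcdedit /set {default} recoveryenabled no
2017-05-12T10:01:13Z WS01 process cmd.exe wbadmin delete catalog -quiet
2017-05-12T10:02:40Z WS01 file create C:\Users\alice\Desktop\!Please Read Me!.txt
2017-05-12T10:03:00Z WS02 process cmd.exe icacls . /grant "Domain Users":RX /T
2017-05-12T10:05:00Z WS04 dns query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""


def parse_line(line):
    """Split one log line into (host, source, payload); None if malformed."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4:
        return None
    _ts, host, source, payload = parts
    return host, source.lower(), payload


def analyze(log_text):
    """Return {host: {"score": int, "hits": [rule names]}} for every host that
    triggered at least one rule. A rule is only evaluated against the log
    source it was written for, so file patterns never see command lines."""
    findings = defaultdict(lambda: {"score": 0, "hits": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, source, payload = parsed
        for name, rule_source, weight, pattern in RULES:
            if source == rule_source and pattern.search(payload):
                if name not in findings[host]["hits"]:
                    findings[host]["hits"].append(name)
                    findings[host]["score"] += weight
    return dict(findings)


def flag_hosts(log_text, threshold=5):
    """Hosts whose combined score reaches the threshold. A lone kill-switch
    lookup (weight 1) stays below it on purpose: it proves the sample ran on
    the host, but whether encryption followed depends on the lookup result,
    which kill_switch_outcome() reports separately."""
    return sorted(h for h, f in analyze(log_text).items() if f["score"] >= threshold)


def kill_switch_outcome(log_text):
    """For each host that queried the kill-switch domain, report 'halted' if
    the lookup resolved (the sample exits) or 'continued' if it did not
    (encryption proceeds). As the post notes, hosts behind a proxy cannot
    reach the domain, so they never produce a 'halted' result."""
    outcome = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "dns":
            continue
        host, _source, payload = parsed
        if KILL_SWITCH_DOMAIN in payload.lower():
            outcome[host] = "halted" if payload.rstrip().endswith("NOERROR") else "continued"
    return outcome
```

Running analyze(SAMPLE_LOGS) flags WS01 with all seven rules; WS02’s unrelated icacls call and WS04’s resolved kill-switch lookup stay below the threshold.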

The quick and easy money opportunity provided by ransomware makes it easy to see why it remains extremely profitable for attackers. How many users are paying the ransom? It is difficult to tell, because malware authors use multiple Bitcoin wallets to hide their tracks and are continuously transferring Bitcoins to and from these wallets.

Once infected, victims can try to recover their files through backups or other methods, or pay the ransom. Below are links to three blockchain sites that give some indication of the ransoms that have been collected. At the time of writing, 1 Bitcoin was equivalent to $1,784.90.


With just these three wallets linked to WannaCry, the ransomware has collected over $38,833.82 USD from victims.


Finding the Malware

The Fortinet security fabric can greatly assist organizations in tracking down this malware and understanding where it may have infected the organization.


IOCs: the original post listed the observed C&C IP addresses (with ports) and the observed SHA-256 hash values.

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Re-posted from SonicWall Blog

WannaCry Ransomware

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional counter measures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally triggered, disabling the worm feature and slowing its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack. All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in a similar way to how Botnet Filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section.  Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.

Resources


Some Things Will Remain Unchanged

At the forefront of South East Asia’s booming internet security and networking market, D-Synergy has remained one of the fastest-growing value-added distributors of cutting-edge internet security and networking technology, satisfying customers with its attractive products as well as a sound business continuation policy.

The road to modern success, however, was not easy. Managing Director Doreen Sim began her entrepreneurial journey well before her company’s establishment, working multiple part-time jobs to gather enough money to pay for her university education and other expenses. Then in 1998, fresh out of university and armed with a degree in political science, Doreen plunged headfirst into the emergent ICT industry, despite having no prior engineering training or IT experience. She had to cope with quickly learning the ropes of this challenging industry while also formulating and then executing a realistic business survival program.


Lunar New Year’s Eve inconveniently falls on a Sunday; most companies will not let staff off early tomorrow, the last working day before the festival

Zaobao (2012-01-19)

曾宗敏, president of the Association of Small and Medium Enterprises, said that for some businesses the days just before the Lunar New Year are the busiest of the year, and with a weekend still to come before the New Year, he believes many businesses will use those two days to rush work through, so not finishing early tomorrow is to be expected.

By past custom, companies close after midday on Lunar New Year’s Eve so that employees can go home early to prepare for the reunion dinner. This year, however, New Year’s Eve “inconveniently” falls on a Sunday, when most people do not work, and most of the companies surveyed said they would not let staff off early tomorrow (the 20th), the last working day before the Lunar New Year. Many employees therefore lose half a day of paid leave.

This newspaper asked 10 companies in different sectors whether they would let their employees off early tomorrow. Six said they would not, three said they would, and the last said it would decide tomorrow morning.


Security for SMEs

BUSINESSES MUST KEEP UP WITH THE AWARENESS AND RISK OF INTERNET SECURITY
The Internet has changed the world in which SMEs operate and grow their businesses. Infocomm Technology (ICT) and the Internet have become powerful platforms and an ecosystem where SMEs can find solutions and opportunities to expand their business. However, the digital transformation brings with it security threats and vulnerabilities that SMEs must be aware of.

Today, SMEs must understand that security threats are endless and that they compromise business information and employees’ productivity. So are SMEs protecting themselves adequately? Do they know where to begin in their ICT adoption exercise?


Cost of hiring cleaners for F&B operators rises to $3,000 per person

Since the tightening of the foreign worker policy, food and beverage operators who hire cleaners through second-tier contractors have seen the monthly cost per cleaner soar from around $1,800 to nearly $3,000.

王世威, a director of the Suki Group, which operates the 日本村 and Sakura Japanese buffet restaurants, revealed that over the past three or four months the foreign worker quota of the second-tier contractors supplying cleaners has been cut, while the continually expanding F&B industry’s demand for cleaners has not fallen. As a result, the fee operators pay to hire a cleaner has risen from around $1,800 to $2,000 a month to between $2,800 and $3,000.

Under the pressure of continually rising manpower costs, the Suki Group began developing a central dishwashing centre three months ago. Although this is an investment of over a million dollars, 王世威 believes it will reduce the group’s reliance on manpower and, in the long run, help control the group’s staff costs.

Colubris WLAN Equipment to Power Municipal Wi-Fi in Kuala Lumpur

Colubris Wireless Network Supports Ambitious Wireless@KL Plan to Transform Kuala Lumpur into a Wireless City

Waltham, Mass. – August 18, 2008 – Colubris Networks, Inc., the leading global provider of intelligent wireless LANs for enterprises and service providers, today announced that Kuala Lumpur, Malaysia’s federal capital, has begun a phased deployment of Colubris WLAN equipment to enable wireless computing across the city’s commercial, residential and public areas. Wireless@KL joins similar municipal projects in Paris, Singapore and Luzern that have recently deployed public Wi-Fi networks based on Colubris gear. D-Synergy is the appointed wireless partner to roll out Colubris wireless LAN equipment for this project.
