Threat Brief: Petya Ransomware, A Global Attack

 
A worldwide attack erupted on June 27 with a high concentration of hits in Ukraine - including the Ukrainian central bank, government offices and private companies. The attack is distributing what seems to be a variant of Petya, an MBR ransomware. While the source of the attack has yet to be determined, many researchers suggest that M.E.Doc, a Ukrainian accounting software provider, was compromised and its systems abused to distribute the attack via its software update mechanism. M.E.Doc is a popular service in Ukraine, the malware’s top targeted country; in May the company was also suspected of involvement in the distribution of another ransomware, known as XData. So far, ...

May’s Most Wanted Malware: Fireball and Wannacry Impact More Than 1 in 4 Organizations Globally

 
Check Point’s latest Global Threat Impact Index revealed more than one in four organizations globally was affected by the Fireball or Wannacry attacks during May-- in the company’s latest Global Threat Impact Index.   The top three malware families that impacted networks globally were zero-day, previously unseen attacks.  Fireball impacted one in five organizations worldwide, with second-placed RoughTed impacting 16% and third-placed WannaCry affecting nearly 8% of organizations globally.   The most prevalent malware highlight cyber-criminals are utilizing and impacting all stages of the infection chain with a wide range of attack vectors and targets.  Fireball ...

Check Point Reveals Global WannaCry Ransomware Infection Map at CPX Europe 2017

 
Check Point researchers have been investigating the ransomware campaign in detail since it was first reported. With a new Check Point WannaCry Ransomware Infection Map, the researchers were able to track 34,300 attack attempts in 97 countries. The average pace as of today is one attempt in every three second – indicating a slight decline since the original pace registered two days ago, of one attempt per second. The top country from where attack attempts were registered is India, followed by the USA and Russia.   Maya Horowitz, Threat Intelligence Group Manager at Check Point said, “Although we see it slightly slowing down, WannaCry still spreads fast, targeting organizations ...

CRYING IS FUTILE: SandBlast Forensic Analysis of WannaCry

 
Using the NSA exploit EternalBlue released by the Shadow Brokers, the WannaCry ransomware developers have added their names to malware lore. Given the number of institutions hit and the amount of media generated, it seemed appropriate to show what the ransomware actually does on a system through our SandBlast Agent Forensics product. The WannaCry outbreak has been a good test case for the recently launched SandBlast Anti-Ransomware. AR and Forensics work together as part of our SandBlast Agent product. As we had expected, Anti-Ransomware was up to the task and has successfully blocked all WannaCry samples we’ve thrown at it, without requiring any signatures or updates. For this ...

WannaCry – New Kill-Switch, New Sinkhole

 
Check Point Threat Intelligence and Research team has just registered a brand new kill-switch domain used by a fresh sample of the WannaCry Ransomware. In the last few hours we witnessed a stunning hit rate of 1 connection per second. Registering the domain activated the kill-switch, and these thousands of to-be victims are safe from the ransomware’s damage. Our research shows that the kill-switch works the same as in earlier versions, and the rest of the code is similar to the older versions. New kill-switch: ...

WannaCry – Paid Time Off?

 
Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware! Now, let us explain why: As of this writing , the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back. The decryption process itself is problematic, to say the least. Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on ...

Global Outbreak of WannaCry

 
On May 12, 2017 the Check Point Incident Response Team started tracking a wide spread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing a large scale ransomware attack which is utilizing SMB to propagate within their networks.  To complicate matters there are a number of different campaigns ongoing so identifying specific infection vectors has been a challenge. For WannaCry the infection vector appears to be direct infection utilizing SMB as delivery method. Samples have been identified by Check Point Research Teams that contain variant “killswitch” domains and bitcoin addresses. All tested samples have been detected and ...

JAFF – A New Ransomware is in town, and it’s widely spread by the infamous Necurs Botnet

 
Necurs, one of the largest botnets, went offline during the holiday period of 2016 and through the beginning of 2017. However it returned only to shortly peak late in April, spreading Locky using malicious PDF documents. Today, May 11, Necurs started spreading a new ransomware called JAFF. Check Point’s global sensors have spotted as many as 40,000 emails in the last few hours, at an infection rate of approximately 10,000 emails sent per hour. Image 1: The JAFF ransomware ransom note (courtesy of MalwareHunterTeam)   Necurs has the reputation for being one of the 'best' malware distributors. In the past, it helped Locky and Dridex reach millions of victims, making them ...

DiamondFox modular malware – a one-stop shop

 
Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here. Check Point Threat Intelligence teams constantly track the latest attack trends, campaigns and attack methods to maintain an up-to-date and  accurate view of the cyber threat landscape. In recent years, an effective new business method has penetrated the thriving malware and attack tools market and led to the establishment ...

The Unbearable Lightness of Operating Web-Based Attacks: How easy it is to steal money from IE 8.0-11.0 users

 
Looking back at the past year, there is no doubt that the malware-as-a-service industry, which sells and trades malware samples, attack tools, and a variety of services, is thriving. It means that cyber criminals with low technical skills can easily purchase attack tools from more advanced hackers, vastly increasing the number of potential attackers, attacks, and victims. Cerber, a ransomware-as-a-service operation, was one of the most dominant and profitable ransomware variants of 2016. Last December, a new DDoS (Distributed Denial of Service) collaborative effort dubbed Sledgehammer made headlines due to its unique operation mode. Participants were asked to attack targeted political ...