CRYING IS FUTILE: SandBlast Forensic Analysis of WannaCry

Using the NSA exploit EternalBlue released by the Shadow Brokers, the WannaCry ransomware developers have added their names to malware lore. Given the number of institutions hit and the amount of media coverage generated, it seemed appropriate to show what the ransomware actually does on a system through our SandBlast Agent Forensics product. The WannaCry outbreak has been a good test case for the recently launched SandBlast Anti-Ransomware. Anti-Ransomware (AR) and Forensics work together as part of our SandBlast Agent product. As we had expected, Anti-Ransomware was up to the task and has successfully blocked all WannaCry samples we’ve thrown at it, without requiring any signatures or updates. For this ...

Can SandBlast Block Unknown Attacks? Challenge Accepted, Network World!

Recently, David Strom and Network World decided to put our zero-day protection technology to the test, literally. Now, after in-depth security analysis, we are excited to share the findings with you. In short, Strom found SandBlast to be a comprehensive yet easy to manage solution, which is worth the cost for effective protection against unknown malware.

Challenge No. 1: Can Zero-Day Attacks Be Detected?

“No matter what virus package we tried, SandBlast caught it, cleaned it, and stopped the exploit from propagating.” In his extensive testing, David lodged multiple attacks against our SandBlast Threat Prevention Solutions. And guess what! SandBlast stopped all of ...

Pixel Tracking: A Hacker’s Tool

What is pixel tracking? It’s challenging to justify the effectiveness of an email campaign if you can’t measure its success. So, what do you do? You use pixel tracking, a seemingly innocent sales tool that helps sales and marketing teams track their campaigns. Tracking pixels are embedded into emails and load when the recipient opens the email. The sender can receive information about when and by whom the email is opened, how many links are clicked, what platform the recipient uses, and the status of the message. The same concept is used for attachment and link tracking as well. However, this data collection is usually performed without the recipients’ knowledge or consent. Most ...

Check Point Forensic Files: Proving Ranscam ransomware does not provide a way to recover files

Every week we see new ransomware variants as cyber criminals continue to generate revenue from holding victims’ files for ransom. In July, a new ransomware was discovered that is an out-and-out scam. It does not encrypt any files; it simply deletes all user files. It then demands a ransom for recovery of the files, but infected users cannot recover the files even if they pay the ransom. Researchers at Cisco did an analysis of the ransomware dubbed “Ranscam,” which can be read here.

Figure 1: Forensic Analysis Overview.

The forensic report is best viewed on wide screens with resolutions greater than 1280 x 768. The ideal browsers to view the ...

Tales from the Trenches: Modern Malware Requires Modern Investigation Techniques

The Check Point Incident Response team was called in to assist a company that suffered a severe breach in its network, which was not previously protected by Check Point’s advanced protections. The team began to investigate and was extremely impressed by the malware’s tactics and sophisticated evasion techniques. The malware’s evasive nature required the team to use state-of-the-art investigation techniques to successfully remediate the network.

How it all began – inviting the malware in

The breach originated in a keygen downloaded by one of the employees. While the keygen did actually work, it also contained a malicious component – the malware called ...

Zcrypt: The Ransomware Virus Hybrid

A recent piece of ransomware has emerged that is causing quite a stir. The reason: it is in fact a virus and can infect users even through USB devices. The technology itself is not new, but when implemented by ransomware the results could be severe. Given this, now is a good time for people who are not running port protection software to disable automatic execution. Using the Check Point SandBlast Agent automatic forensic analysis, we were able to reveal further details about this new strain of ransomware. Zcrypt manages to infect users through USBs by creating autorun.inf and automatically launching a file called “invoice.exe” when the USB key is plugged in. Zcrypt displays ...

TeslaCrypt Ransomware Shuts Down: One Down, Plenty to Go

In a surprising turn of events, the creators of the notorious TeslaCrypt ransomware shut down their operation and revealed the master key for decrypting all files. They even said they are sorry, as displayed in the image below.

Figure 1: TeslaCrypt Shut Down Message

The motive behind this step remains unclear. The attackers could be trying to lower their profile to avoid law enforcement agencies, or they could really be sorry for the damage they have done. Either way, the users who were infected by TeslaCrypt have already paid the price. As we have reported earlier, TeslaCrypt, which emerged in 2015, was known especially for its ability to adapt. Several versions of it ...

Introducing Check Point SandBlast Agent

As the modern workplace continues to evolve, it becomes increasingly important that individual end-user devices are protected from advanced threats. In most organizations today, endpoint device protection is still limited to traditional antivirus solutions that only detect previously known threats and techniques. Hackers today utilize sophisticated malware variants and new zero-day attacks to target end-user devices and evade detection. Users may inadvertently be exposed to malware when downloading files, putting the enterprise network at risk of infection. When suspicious events do occur, it is essential that organizations have immediate access to the information required to fully ...