A large-scale ransomware campaign was launched late last week, sweeping computers across the world with identical or closely related malware variants. What sets it apart from most attacks of recent years is this ransomware's ability to spread on its own via the SMB protocol. One suggested workaround was to shut the protocol off entirely, i.e. to filter out traffic on port 445.
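Filtering port 445 at the perimeter does not stop lateral spread inside a segment, so defenders also want to spot the worm's footprint in their own logs: one internal host opening SMB connections to many distinct peers in a short window. The script below is an added example, not code from the original post or from Trend Micro. It parses a constructed, simplified firewall log format (timestamp, ALLOW/DENY, src, dst, dport; real formats differ) and flags sources that fan out over TCP/445 to at least `threshold` distinct hosts within a sliding time window. Denied connections are counted too, because a worm probing blocked hosts is still a worm.

```python
"""Flag internal hosts that fan out over TCP/445 (SMB) to many peers in a
short window, the pattern a self-propagating SMB worm leaves in firewall
logs. Added example, not the original post's code; the log format is a
constructed, simplified syslog-style line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real incident).
# 10.0.1.15 reaches six distinct hosts on 445 in four seconds (worm-like);
# 10.0.1.40 talks to a single file server twice (normal); 10.0.1.41 is HTTP.
SAMPLE_LOG = """\
2017-05-12T10:00:01 ALLOW src=10.0.1.15 dst=10.0.1.20 dport=445
2017-05-12T10:00:02 ALLOW src=10.0.1.15 dst=10.0.1.21 dport=445
2017-05-12T10:00:02 ALLOW src=10.0.1.15 dst=10.0.1.22 dport=445
2017-05-12T10:00:03 DENY  src=10.0.1.15 dst=10.0.1.23 dport=445
2017-05-12T10:00:03 ALLOW src=10.0.1.15 dst=10.0.1.24 dport=445
2017-05-12T10:00:04 ALLOW src=10.0.1.15 dst=10.0.1.25 dport=445
2017-05-12T10:00:10 ALLOW src=10.0.1.40 dst=10.0.1.5  dport=445
2017-05-12T10:00:11 ALLOW src=10.0.1.40 dst=10.0.1.5  dport=445
2017-05-12T10:00:12 ALLOW src=10.0.1.41 dst=10.0.1.5  dport=80
2017-05-12T10:05:00 ALLOW src=10.0.1.15 dst=10.0.1.26 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_lines(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_smb_fanout(text, threshold=5, window=timedelta(seconds=60), port=445):
    """Return {src: set_of_all_dsts_on_port} for every source that reached at
    least `threshold` distinct destinations on `port` inside any sliding
    `window`. ALLOW and DENY both count: probing blocked hosts is still probing.
    """
    events = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for ts, src, dst, dport in parse_lines(text):
        if dport == port:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= threshold:
                # Report every peer this source touched, not just the window.
                hits[src] = {dst for _, dst in evs}
                break
    return hits


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB worm: {src} -> {len(peers)} distinct hosts on 445: "
              f"{sorted(peers)}")
```

The threshold and window are tuning knobs: a backup server or vulnerability scanner legitimately touches many hosts on 445, so run the check with an allow-list of known scanners, and treat a hit as a trigger for isolating the host and pulling its endpoint telemetry, not as proof of infection on its own.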
This attack was probably facilitated by information or tools leaked from the US National Security Agency, and Microsoft released a patch a couple of weeks ago to fix the vulnerability this ransomware was leveraging. Installing the latest OS patches, upgrading security tools and updating company-wide applications is, as always, one of the most important steps for preserving the integrity of your security chain, alongside keeping users educated and cautious. Workarounds were suggested whereby specific URLs would be redirected via the hosts file, because this malware used non-existent addresses as a kill-switch. In the long run, however, this was not the right solution, as a new version changed the verification URLs. (The idea behind the kill-switch was to use non-existent URLs, so that registering the URL terminated the attack; the same lookup also serves to detect whether the malware is constrained in a sandbox with faked internet access, since there an internal web server answers for non-existent domains too.)
Trend Micro recommends taking a layered approach, protecting our systems on more than one level, and integrating multiple security solutions to gain more detailed insight into malware behavior across different attack vectors (e.g. spreading through email, downloading files from the web and dropping them onto endpoints, etc.).
Several specific definitions issued by Trend Micro for detecting and blocking this suspicious and malicious traffic on the network are available from the Trend Micro knowledge base. We suggest customers use some form of advanced traffic/file analysis, e.g. Trend Micro Deep Discovery, to quarantine not only detected files but also files that any security device submitted for analysis without a result being returned. Since administrators periodically check quarantines for false positives anyway, they can also inspect quarantined files whose advanced analysis was suspended, as this is often a sign of a newer version of modern malware.