Published on May 25th, 2017 | by Admin
Bogdan Botezatu Interview (Senior e-Threat Analyst from Bitdefender) … The Ransomware Phenomena
We catch up with Bogdan Botezatu (Senior e-Threat Analyst from Bitdefender) to discuss the latest Ransomware danger!
Can you walk us through how computers are so vulnerable to ransomware?
Windows operating systems dating back to Windows 95 – although Windows XP is currently the oldest one still in use – have a remote code execution vulnerability in the SMB v1 (Server Message Block) protocol, allowing an attacker to run arbitrary code on the machine. Because exploiting the vulnerability requires no user interaction, such as executing a file or clicking on a URL, internet-connected computers that have not been patched with the security update that fixes the issue are prone to being infected.
With WannaCry, the attacker would exploit the SMB vulnerability and use ransomware as the payload on the victim. Infected victims would have access to their files restricted unless they paid the ransom demanded in the ransom notes, with the promise of unlocking them. While ransomware is not a new threat, its effectiveness lies in the fact that attackers can generate a unique ransomware sample for each victim – by employing polymorphism and obfuscation – to avoid being detected by traditional security mechanisms. Unlike other threats, whose purpose is to remain silent, ransomware’s only purpose is to make sure it executes once on the victim’s computer, so that it can start encrypting files.
In the particular case of Adylkuzz, the attacker would exploit the SMB vulnerability and deploy a virtual currency mining tool on the victim’s computer. Infected victims would remain unaware of the infection, as it does not display any messages on screen – unlike ransomware – and the only sign of infection would be a performance slowdown caused by the “mining” process. Unlike WannaCry, which was completely obvious after infecting a victim, Adylkuzz’s purpose is to remain silent. More than that, it also disables the vulnerable SMB v1 protocol – the one it exploited to infect the victim – so that no other threat leveraging the same vulnerability can reach the same computer.
Which country do these attacks usually originate from?
Any type of cyberattack is difficult to attribute to either a country or a hacking group, because in cyberspace you can spoof your location, name, and other personally identifiable information. While there might be clues within the ransomware’s code that its developers might be speaking Russian, Chinese, or American, these artefacts could also be intentionally placed to mislead security researchers.
Tell us a little about the new threat ‘WannaCry’ and what makes it so hard to detect?
The WannaCry threat is particularly dangerous because traditional security mechanisms are not designed to protect against software vulnerabilities, but against malicious payloads dropped by cybercriminals leveraging those vulnerabilities. Code vulnerabilities alone are practically impossible to detect, unless properly auditing every line of code and constantly testing the software. With WannaCry, security vendors detected the threat by practically “catching” the ransomware payload, but the SMB v1 vulnerability can be used to “smuggle” other software that’s specifically designed to bypass traditional security mechanisms. Unless affected systems are patched or the SMB v1 protocol disabled, attackers can continue delivering payloads until one of them successfully executes.
Of course, there are other technologies that businesses can employ to protect against such memory manipulation attacks, especially if they’re running virtual infrastructures. Hypervisor introspection is a real-time memory scanning technology that can detect and prevent vulnerabilities caused by memory manipulation techniques, practically stopping the attack before the cybercriminal actually manages to deploy the payload. The EternalBlue component of WannaCry – the one responsible for triggering the vulnerability – was actually tested against Hypervisor Introspection, and the results concluded that no machine could have been infected by WannaCry, because the attack would have been detected and blocked as soon as the memory manipulation in the SMB v1 protocol occurred. Consequently, any attack leveraging EternalBlue – whether it was used to drop ransomware or any other threat – can be successfully stopped with Hypervisor Introspection.
Could you tell us some of the things Bitdefender is doing to protect computers?
Bitdefender employs machine learning algorithms that are specifically trained to proactively and accurately identify new and never-before-seen threats. With WannaCry, these algorithms prevented the ransomware payload from executing on protected computers. Even if the protected PC did not have the MS17-010 update installed, the payload “smuggled” by the attacker through the SMB v1 vulnerability was successfully detected. There are also additional security layers and technologies deployed on protected PCs that are designed to detect and prevent malware from executing. For example, there’s also an anti-ransomware technology that can protect a specific folder – containing critical user documents and data – on a machine, so that even if a ransomware attack managed to compromise the machine, it will not be able to encrypt that protected folder.
Organisations running virtual infrastructures can also rely on technologies like hypervisor introspection to add an extra layer of protection that’s specifically designed to fend off zero-day vulnerabilities, like the one employed by WannaCry. Developing these unique technologies is vital to protecting organisations against advanced and sophisticated attacks designed to breach organisations and remain persistent for a long time.
Will our IT systems ever be 100% safe from internet threats?
No software system is 100% secure. What organisations can do is make sure they increase the cost of attack for cybercriminals, by using a layered security approach designed to make it difficult for attackers to breach the organisation. It is not a question of if an organisation will be breached, but of when. Consequently, having an incident response plan that’s constantly updated, security audits, and layered security mechanisms is vital for increasing the cost of attacks.
What should governments and law enforcement agencies be doing?
Government, law enforcement, and security companies should work together and cooperate in identifying cybercriminals. Investigations often span countries and continents, each with its own laws and legislation, which is why cybercriminals often have time to cover their tracks and remove any forensic evidence from C&C servers. Cooperation between government, law enforcement, and security companies should help expedite the process by which cybercriminals are identified and brought to justice.
Lastly, what are your recommendations on protecting our IT systems from these attacks?
Protecting against WannaCry is all about applying a security update that has already been issued by Microsoft, even for unsupported operating systems such as Windows XP. For those that cannot do that, disabling SMB v1 and blocking port 445 should provide sufficient shielding against this particular threat. Of course, having a security solution installed is always recommended, as it can help protect against the malicious payload – ransomware in this particular case.
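As an added example (not code from the interview or from Bitdefender), here is the audit-then-remediate form of that last recommendation in PowerShell for a Windows host: it reports whether the SMB v1 server protocol is on and whether inbound TCP/445 is blocked, then turns SMB v1 off and adds the block rule. The firewall rule name, the restriction to the Public and Private profiles, and the assumption of Windows 8.1/Server 2012 R2 or later (where the SmbShare, NetSecurity and DISM cmdlets exist) are my own choices; a file server that must keep serving SMB needs the rule scoped with -RemoteAddress rather than a blanket block.

```powershell
# Added example, not the interview's or Bitdefender's code. Run from an elevated PowerShell session.
# Assumes Windows 8.1 / Server 2012 R2 or later (SmbShare, NetSecurity and DISM modules present).
#Requires -RunAsAdministrator

$RuleName = 'Block inbound SMB (TCP 445)'   # assumed rule name, pick your own convention

function Get-Smb1Exposure {
    # Audit: is the SMB1 server protocol enabled, and is inbound TCP/445 blocked by our rule?
    $smb  = Get-SmbServerConfiguration
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb.EnableSMB1Protocol
        Port445Blocked = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block')
    }
}

function Disable-Smb1AndBlock445 {
    # Mitigation 1: switch the SMB1 server protocol off (takes effect without a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Also remove the SMB1 optional feature where it is installed, so the client side goes too.
    # On Windows Server the equivalent is the FS-SMB1 feature via Remove-WindowsFeature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Mitigation 2: block inbound TCP/445 on the Public and Private profiles. Domain profile is
    # left alone here so domain file sharing keeps working; scope with -RemoteAddress if needed.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    }
}

# Usage: audit, remediate, then audit again to confirm both findings are cleared.
Get-Smb1Exposure
Disable-Smb1AndBlock445
Get-Smb1Exposure
```

Feature removal still requires a reboot to fully unload the SMB1 driver, so keep the Set-SmbServerConfiguration step even on hosts you plan to restart later.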