Main ransomware waves through 2017

13th February 2018 by Omar Benjumea

Ransomware is a growing trend, and last year we saw the rise of ransomware worms with WannaCry, NotPetya and BadRabbit.

Last year was an interesting year from an information security perspective, since we faced plenty of big security incidents. In this article, however, I want to focus on the main ransomware waves we suffered last year and on a new trend in ransomware: the capability to spread automatically by exploiting vulnerabilities or by stealing credentials and reusing them.

On April 14th, 2017, the Shadow Brokers group published an exploitation framework developed by the Equation Group. This framework included the EternalBlue and EternalRomance exploits, which leveraged vulnerabilities in the Windows SMB protocol to gain administrative access to the targeted system.

On May 12th, 2017, the “WannaCry” ransomware had a global impact. It spread very quickly, affecting more than 300,000 systems in at least 150 countries. It used the EternalBlue exploit to spread laterally on the victims’ networks.

A month and a half after WannaCry, we woke up to a new surprise: NotPetya. This new ransomware, whose initial infection vector appears to have been a malicious update from a Ukrainian financial software firm, not only used the EternalBlue exploit as WannaCry did, but also automated techniques to retrieve cached passwords from the victim’s system and move laterally within the network by abusing PsExec and WMI.

Finally, on October 24th, 2017, BadRabbit, a variant of NotPetya, was the last big ransomware wave of the year. BadRabbit used the EternalRomance exploit and a list of hardcoded credentials to move laterally, on top of the NotPetya techniques. However, its impact was much lower than that of its predecessors, with most infections found in Russia and Ukraine.

We should expect this trend to continue in 2018 and beyond, so it’s important for companies and users to implement the basic security hygiene controls that will allow them to prevent or mitigate the impact of such infections. I’ll finish by giving you a few pretty basic hints on how to improve your security posture against ransomware:

  • Be cautious with e-mail attachments and Flash Player updates
  • Do backups regularly and store them in a way that they won’t be encrypted if you are hit by ransomware
  • Patch and harden your systems
  • Avoid granting local admin rights to your users whenever possible
  • Segment your network correctly and allow only the protocols and connections that are needed
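The common thread of the three waves above is that one infected host starts opening SMB connections to many neighbours in a short time, which is very different from the normal many-clients-to-one-file-server pattern, and that proper segmentation should keep SMB from crossing segment boundaries. The script below is an added example (my own code, not from this post or from any of the malware analyses it summarizes) that runs both checks over connection logs: it flags a source that reaches many distinct hosts on TCP 445 inside a sliding time window, and it flags SMB connections that leave their /24 segment towards a host that is not on an approved file-server list. The log format, the /24 segment size, the 60-second window, the threshold of 10 hosts and all the addresses are constructed assumptions for the example.

```python
"""Detect worm-like SMB fan-out and segmentation violations in connection logs.

Added example; the log format ("timestamp src_ip dst_ip dst_port", one TCP
connection attempt per line) and all addresses are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress
import re

SMB_PORT = 445
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def constructed_sample_log():
    """Build constructed sample lines: normal share access plus one worm-like host."""
    lines = []
    # Normal: three workstations on 10.0.1.0/24 mount shares on the file server 10.0.1.20.
    for i, host in enumerate((15, 16, 17)):
        lines.append(f"2017-05-12T10:00:0{i}Z 10.0.1.{host} 10.0.1.20 {SMB_PORT}")
    lines.append("2017-05-12T10:00:05Z 10.0.1.15 10.0.2.5 80")  # unrelated web traffic
    # Worm-like: 10.0.3.9 probes SMB on 12 neighbours and 2 hosts in other segments in 16 s.
    for i in range(12):
        lines.append(f"2017-05-12T10:05:{i:02d}Z 10.0.3.9 10.0.3.{10 + i} {SMB_PORT}")
    lines.append(f"2017-05-12T10:05:15Z 10.0.3.9 10.0.1.33 {SMB_PORT}")
    lines.append(f"2017-05-12T10:05:16Z 10.0.3.9 10.0.2.41 {SMB_PORT}")
    return lines


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_smb_fanout(lines, window_seconds=60, threshold=10):
    """Map src_ip -> peak number of distinct hosts it contacted on 445 within one window.

    Only sources whose peak reaches `threshold` are returned. A file server being
    contacted by many clients does not trigger this, since we count per source.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        per_src[rec[1]].append((rec[0], rec[2]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                      # chronological order per source
        window = deque()                   # events currently inside the sliding window
        in_window = defaultdict(int)       # dst_ip -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Evict events older than the window relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def segmentation_violations(lines, allowed_smb_servers, prefix_len=24):
    """Return {(src, dst)} for SMB connections that cross a segment boundary.

    A segment is assumed to be a /prefix_len network (24 by default). Cross-segment
    SMB is tolerated only towards the approved file servers.
    """
    violations = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        _, src, dst, _ = rec
        src_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        if src_net != dst_net and dst not in allowed_smb_servers:
            violations.add((src, dst))
    return violations


if __name__ == "__main__":
    log = constructed_sample_log()
    for src, n in detect_smb_fanout(log).items():
        print(f"ALERT fan-out: {src} reached {n} distinct hosts on 445 within 60s")
    for src, dst in sorted(segmentation_violations(log, {"10.0.1.20"})):
        print(f"ALERT segmentation: SMB from {src} to {dst} crosses a segment boundary")
```

The fan-out check is deliberately per source, so a busy file server never trips it, and the sliding window keeps a slow, legitimate administrative sweep spread over hours from looking like a worm; tune the window and threshold to your own network's baseline before alerting on it.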
