Posts tagged Ransomware

3 min Project Heisenberg

No More Tears? WannaCry, One Year Later

WannaCry, one year later, and what happened to the SMB target environment.

4 min Ransomware

Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010

A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the EternalBlue [https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue] and DoublePulsar [https://www.rapid7.com/security-response/doublepulsar/] exploits to spread laterally. Once in

4 min Microsoft

Petya-like Ransomware Explained

TL;DR summary (7:40 PM EDT June 28): A major ransomware attack started in Ukraine yesterday and has spread around the world. The ransomware, which was initially thought to be a modified Petya variant, encrypts files on infected machines and uses multiple mechanisms to both gain entry to target networks and to spread laterally. Several research teams are reporting that once victims' disks are encrypted, they cannot be decrypted [https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware

4 min Ransomware

Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose

*Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: EternalBlue: Metasploit Module for MS17-010 [/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue]. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers. *Update 5/17/17: Unauthenticated remote checks have now been provided. For hosts that ar

6 min Research

WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them (Port 445 Exploit)

WannaCry Overview Last week the WannaCry ransomware worm, also known as Wanna Decryptor, Wanna Decryptor 2.0, WNCRY, and WannaCrypt started spreading around the world, holding computers for ransom at hospitals, government offices, and businesses. To recap: WannaCry exploits a vulnerability in the Windows Server Message Block (SMB) file sharing protocol. It spreads to unpatched devices directly connected to the internet and, once inside an organization, those machines and devices behind the firew

5 min Microsoft

Wanna Decryptor (WNCRY) Ransomware Explained

Mark the date: May 12, 2017. This is the day the “ransomworm” dubbed “WannaCry” / “Wannacrypt [https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Wannacrypt.A!rsm]” burst — literally — onto the scene with one of the initial targets being the British National Health Service [http://www.bbc.com/news/health-39899646]. According to The Guardian [https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack]: the “

4 min Microsoft

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an at

6 min Ransomware

The Ransomware Chronicles: A DevOps Survival Guide

NOTE: Tom Sellers [/author/tom-sellers/], Jon Hart [/author/jon-hart/], Derek Abdine and (really) the entire Rapid7 Labs team made this post possible. On the internet, no one may know if you're of the canine persuasion, but with a little time and just a few resources they can easily determine whether you're running an open “devops-ish” server or not. We're loosely defining devops-ish as: * MongoDB * CouchDB * Elasticsearch for this post, but we have a much broader definition and more data

5 min Ransomware

I have ransomware and I didn't back up! What do I do now??

There is an old proverb, attributed to various cultures, which says: “The best time to plant a tree was 20 years ago. The second best time is now.” The same goes for backups. If you've been hit by a ransomware incident, the best way to recover is to restore from your most recent backup. But let's say your backup process isn't as mature as it could be. And if that's true, your backups, or lack of backups, has created a gap in your business data that you cannot endure. What then, are your option

5 min Ransomware

Prepare Yourself for Ransomware - No More Snake Oil, Please

Ransomware has hurt more businesses than anyone expected only a year ago. This real threat to your organization could steal a great deal of productivity while systems are “locked” or directly cost the cryptocurrency demanded as ransom. For any organization that's ill prepared, it could cost you in both of these ways and there's no criminal customer service line if the purchased decryptor fails [though I'm excited to finally have a use for a balaclava-related stock photo]. Given their creativity

0 min Security Nation

[Security Nation] Understanding Ransomware

In this episode, host Kyle Flaherty explores some of the more common concerns around ransomware.

5 min InsightIDR

5 Methods For Detecting Ransomware Activity

Recently, ransomware was primarily a consumer problem. However, cybercriminals behind recent ransomware attacks have now shifted their focus to businesses.