8 min
Ransomware
Slot Machines and Cybercrime: Why Ransomware Won't Quit Pulling Our Lever
Ransomware remains a significant problem, partly because the incentives for everyone, including victims, are there to increase the number of ransomware attacks.
7 min
Ransomware
The Ransomware Task Force: A New Approach to Fighting Ransomware
The Institute for Security and Technology put together a comprehensive Ransomware Task Force (RTF) to identify new approaches to shift the dynamics of ransomware and reduce opportunities for attackers.
3 min
Ransomware
Decrypter FOMO No Mo’: Five Years of the No More Ransom Project
The amazing No More Ransom Project celebrates its fifth anniversary today and so we just wanted to take a moment to talk about what it has accomplished and why you should tell all your friends about it.
3 min
Research
PSA: Increase in RDP Attacks Means It's Time to Mind Your RDPs and Qs
Our research team looks into the increase in RDP attacks against RDP servers without multi-factor authentication enabled and helps organizations strengthen their infrastructure against these attacks.
3 min
Ransomware
Ransomware Payments and Sanctions - U.S. Treasury Advisory
The U.S. Department of Treasury issued an advisory warning that paying ransoms to cybercriminal groups risks violating sanctions. Rapid7 has previously recommended that victims not pay ransom, and urges organizations to focus on ransomware prevention and recovery.
3 min
COVID-19
The Healthcare Security Pro's Guide to Ransomware Attacks
In this blog, we discuss the best practices to defend against ransomware attacks in the healthcare industry.
5 min
Ransomware
WannaCry, Two Years On: Current Threat Landscape
In this blog, we take a look at the current attacker landscape related to EternalBlue and ransomware, along with some lessons that have not been learned since WannaCry.
2 min
Vulnerability Management
What WannaCry Taught Me About the Benefits of Agents in VM Programs
In the wake of the WannaCry attack, my security team and I learned firsthand why having an agent-based vulnerability management strategy could have helped.
4 min
Ransomware
Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day,
affecting organizations in several European countries and the US. It is believed
that the ransomworm may achieve its initial infection via a malicious document
attached to a phishing email, and that it then leverages the EternalBlue
[https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue]and
DoublePulsar [https://www.rapid7.com/security-response/doublepulsar/]exploits to
spread laterally. Once in
4 min
Microsoft
Petya-like Ransomware Explained
TL;DR summary (7:40 PM EDT June 28): A major ransomware attack started in
Ukraine yesterday and has spread around the world. The ransomware, which was
initially thought to be a modified Petya variant, encrypts files on infected
machines and uses multiple mechanisms to both gain entry to target networks and
to spread laterally. Several research teams are reporting that once victims'
disks are encrypted, they cannot be decrypted
[https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware
4 min
Ransomware
Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose
*Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available
in Metasploit for testing your compensating controls and validating
remediations. More info: EternalBlue: Metasploit Module for MS17-010
[/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue]. Also
removed steps 5 and 6 from scan instructions as they were not strictly necessary
and causing issues for some customers.
*Update 5/17/17: Unauthenticated remote checks have now been provided. For hosts
that ar
6 min
Ransomware
WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them (Port 445 Exploit)
WannaCry Overview
Last week the WannaCry ransomware worm, also known as Wanna Decryptor, Wanna
Decryptor 2.0, WNCRY, and WannaCrypt started spreading around the world, holding
computers for ransom at hospitals, government offices, and businesses. To recap:
WannaCry exploits a vulnerability in the Windows Server Message Block (SMB) file
sharing protocol. It spreads to unpatched devices directly connected to the
internet and, once inside an organization, those machines and devices behind the
firew
4 min
Ransomware
Wanna Decryptor (WNCRY) Ransomware Explained
Mark the date: May 12, 2017.
This is the day the “ransomworm” dubbed “WannaCry” / “Wannacrypt” burst —
literally — onto the scene with one of the initial targets being the British
National Health Service [http://www.bbc.com/news/health-39899646]. According to
The Guardian: the “unprecedented attack… affected 12 countries and at least 16
NHS trusts in the UK, compromising IT systems that underpin patient safety.
Staff across the NHS were locked out of their computers and trusts had to divert
em
4 min
Microsoft
Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits
It is fair to say that Microsoft Office and OpenOffice are some of the most
popular applications in the world. We use them for writing papers, making slides
for presentations, analyzing sales or financial data, and more. This software is
so important to businesses that, even in developing countries, workers that are
proficient in an Office suite can make a decent living based on this skill
alone.
Unfortunately, high popularity for software also means more high-value targets
in the eyes of an
6 min
Ransomware
The Ransomware Chronicles: A DevOps Survival Guide
NOTE: Tom Sellers [https://www.rapid7.com/blog/author/tom-sellers/], Jon Hart
[https://www.rapid7.com/blog/author/jon-hart/], Derek Abdine and (really) the
entire Rapid7 Labs team made this post possible.
On the internet, no one may know if you're of the canine persuasion, but with a
little time and just a few resources they can easily determine whether you're
running an open “devops-ish” server or not. We're loosely defining devops-ish
as:
* MongoDB
* CouchDB
* Elasticsearch
for this post