Ransomware attacks such as Wanna and Petya have recently spread largely unchecked through corporate networks, encrypting data, locking users out of their computers, and demanding payment to undo the damage. Modern firewalls are purpose-built to defend against these kinds of attacks, but they need to be given an opportunity to do their job. In this whitepaper we discuss how these attacks work, how they can be stopped, and best practices for configuring your firewall and network to get the best protection possible.
How Recent Ransomware Attacks Spread
Wanna and Petya have crippled countless organizations; together, the two attacks infected hundreds of thousands of computers all around the globe. Both spread by exploiting a vulnerability in Microsoft's implementation of version 1 of the Server Message Block (SMB) network file-sharing protocol. SMB is ubiquitous on corporate LANs, where it lets computers share files and other resources such as printers. It is also reachable from outside the firewall if the ports it uses (TCP 139 and/or 445) are opened or forwarded on the firewall, and that is how Wanna found many of its initial victims: it scanned the internet for hosts with port 445 exposed.
The exploit used by Wanna and Petya is known as EternalBlue. EternalBlue achieves remote code execution by sending carefully crafted SMBv1 messages across the network to the vulnerable SMB service on computers running Microsoft Windows; it needs no credentials and no user interaction, which is what allows a worm to spread unattended. (Petya also carried a second SMB exploit, EternalRomance, and harvested credentials on each infected host so it could move laterally with legitimate Windows administration tools, which let it spread even to patched machines.) In general, every networked system, whether it runs Windows, Linux, macOS, or some other operating system, relies on a variety of services for network functionality, and occasionally new vulnerabilities are discovered in these services that can have dire consequences if maliciously exploited.
In the case of EternalBlue, Microsoft released a patch for the vulnerability (MS17-010) in March 2017, a month before the exploit itself was published and two months before Wanna appeared. The attackers took advantage of the fact that rolling out patches across an organization is a considerable undertaking, and struck while many systems had yet to be updated. Even in the most diligent organizations there is always a gap between patch availability and patch deployment, which is why the network and the endpoints also need protection that blocks exploitation of a vulnerability regardless of whether the host behind it has been patched yet.
So how can you keep these attacks out of your network in the first place? And if one does get in, how can you stop it from propagating, moving laterally and infecting other systems in its wake?
Blocking Network Exploits
An Intrusion Prevention System (IPS) is a critical security component of any next-gen firewall: it performs deep packet inspection of network traffic to identify vulnerability exploits and block them before they reach the target host. An IPS signature can match either a specific exploit (the particular bytes one attack tool sends) or the underlying vulnerability (any request shaped in the way that triggers the bug); the second kind is more valuable because it also catches variants the signature author never saw.
As with the EternalBlue exploit discussed earlier, these attacks typically send malicious input to a host application or service in order to compromise it and gain enough control to execute code, such as a ransomware payload in the case of Wanna and Petya. Note that an IPS can only inspect traffic that actually passes through the firewall: an SMB connection between two hosts on the same LAN segment never reaches it, so segmenting the network (or applying host firewall rules) is what gives the IPS a chance to see lateral movement at all.
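To make the two kinds of IPS decision concrete, the following is an added example written for this page, not code from any firewall product. It parses the NetBIOS framing and SMB header of a TCP payload and applies three rules: SMB may not cross the perimeter at all, SMBv1 may not be negotiated anywhere (the whole EternalBlue exploit class requires it, so blocking the dialect covers the vulnerability rather than one exploit's bytes), and SMB2/3 is passed on. The LAN ranges, the packet samples and the policy of dropping all SMBv1 are assumptions for the example; a real IPS additionally reassembles the TCP stream and runs exploit-specific signatures after this point.

```python
"""Toy deep-packet-inspection pass over SMB traffic (added example, not a real IPS)."""
import ipaddress
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"        # SMBv1 header starts 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"        # SMB2/3 header starts 0xFE 'S' 'M' 'B'
SMB1_NEGOTIATE = 0x72          # SMB_COM_NEGOTIATE command byte
SMB2_NEGOTIATE = 0x0000        # SMB2 NEGOTIATE command value
SMB_PORTS = {139, 445}
# Assumption: these are the firewall's LAN ranges; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload: 4-byte NetBIOS session header + SMB message


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_smb(payload: bytes):
    """Return {'proto', 'command', 'body'} for one NetBIOS-framed SMB message, else None."""
    if len(payload) < 4 or payload[0] != 0x00:  # 0x00 = NetBIOS "session message"
        return None
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if body[:4] == SMB1_MAGIC and len(body) >= 32:   # 32-byte SMBv1 header, command byte at offset 4
        return {"proto": "SMB1", "command": body[4], "body": body}
    if body[:4] == SMB2_MAGIC and len(body) >= 64:   # 64-byte SMB2 header, command field at offset 12
        return {"proto": "SMB2", "command": struct.unpack_from("<H", body, 12)[0], "body": body}
    return None


def smb1_dialects(body: bytes):
    """Dialect strings offered in an SMBv1 Negotiate request (each is 0x02 + NUL-terminated ASCII)."""
    if len(body) < 35:
        return []
    byte_count = struct.unpack_from("<H", body, 33)[0]   # WordCount (1 byte) at 32, ByteCount at 33
    data = body[35:35 + byte_count]
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d.startswith(b"\x02")]


def inspect(pkt: Packet):
    """Return ('allow' | 'drop', reason) for one packet, coarse rules first."""
    if pkt.dport not in SMB_PORTS:
        return "allow", "not SMB"
    if not (is_internal(pkt.src) and is_internal(pkt.dst)):
        return "drop", "SMB crossing the perimeter"          # the open port itself is the exposure
    msg = parse_smb(pkt.payload)
    if msg is None:
        return "allow", "no complete SMB header in this segment (needs stream reassembly)"
    if msg["proto"] == "SMB1":                                # vulnerability-level match: any SMBv1 at all
        if msg["command"] == SMB1_NEGOTIATE:
            return "drop", "SMBv1 negotiate, dialects=%s" % smb1_dialects(msg["body"])
        return "drop", "SMBv1 command 0x%02x" % msg["command"]
    return "allow", "SMB2/3 command 0x%04x" % msg["command"]


# Constructed sample traffic for the example (not captured data).
def netbios(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body

def smb1_negotiate(dialects):
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return netbios(header + b"\x00" + struct.pack("<H", len(data)) + data)

def smb2_negotiate():
    header = SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, SMB2_NEGOTIATE)
    return netbios(header.ljust(64, b"\x00") + b"\x00" * 36)

SAMPLES = {
    "wan_to_lan_445": Packet("203.0.113.7", "10.0.0.5", 445, smb2_negotiate()),
    "lan_smb1":       Packet("10.0.0.9", "10.0.0.5", 445, smb1_negotiate(["NT LM 0.12"])),
    "lan_smb2":       Packet("10.0.0.9", "10.0.0.5", 445, smb2_negotiate()),
    "lan_http":       Packet("10.0.0.9", "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
}

def run_samples():
    return {name: inspect(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, why) in run_samples().items():
        print(f"{name:16} {verdict:5} {why}")
```

The perimeter rule fires before any parsing because an exposed port 445 is the problem whether or not the first packet looks hostile. The SMBv1 rule is the "broader target vulnerability" signature from the text: it is cruder than a per-exploit pattern but it cannot be evaded by re-encoding the exploit, and it only costs you clients that genuinely need SMBv1, which Microsoft recommends disabling anyway.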
Blocking File-Based Ransomware Payloads
While Wanna and Petya spread like worms, many ransomware variants rely on social engineering: phishing emails, spam, or web downloads that persuade a user to open a file, which gets them into your network through more conventional means. These attacks often start with cleverly crafted malware lurking in common file types such as Microsoft Office documents with macros, PDFs, or executables posing as updates for trusted applications. Attackers have become very effective at making these files look benign and at obfuscating the malware so that it slips past traditional signature-based antivirus.
In response to this breed of file-based malware, sandboxing has become an essential security layer at the network perimeter. Cloud-based sandboxing typically requires no additional hardware or software: the gateway identifies suspect files, sends them to a sandboxing infrastructure in the cloud where any active content is detonated and its behaviour observed over time, and acts on the verdict. It can be extremely effective at blocking unknown threats such as new ransomware variants before they enter the network. Two caveats apply: malware increasingly checks whether it is running inside a sandbox before doing anything incriminating, and the gateway can only extract files from traffic it can see, so downloads over HTTPS need TLS inspection to reach the sandbox at all.
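The step the text calls "identifying suspect files at the gateway" is shown below as an added example written for this page; it is not any vendor's classifier. It decides from a file's content, never its extension, whether the file carries active content that is worth detonating: PE executables (including ones renamed to look like documents), PDFs with JavaScript or auto-launch actions, legacy OLE Office files, OOXML documents containing a VBA project, and archives that hide scripts or executables. The magic bytes, the `vbaProject.bin` part name and the PDF name tokens are real format facts; the verdict policy, the suffix lists and the sample files are assumptions constructed for the example.

```python
"""Gateway file triage by content: which files go to the sandbox? (added example, not product code)"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound-file container
PDF_ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")
SCRIPT_OR_EXE_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk")  # assumed policy list
NATIVE_EXE_EXTS = ("exe", "dll", "scr")


def triage(name: str, data: bytes):
    """Return (verdict, reason) with verdict in {'sandbox', 'pass'}; 'pass' means no active content seen."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data[:2] == b"MZ":                                   # PE header, whatever the name says
        disguise = "" if ext in NATIVE_EXE_EXTS else f", disguised as .{ext}"
        return "sandbox", "PE executable" + disguise
    if data[:4] == b"%PDF":
        # A substring scan is enough for the example; a real gateway tokenizes PDF names.
        hits = [t.decode() for t in PDF_ACTIVE_TOKENS if t in data]
        if hits:
            return "sandbox", f"PDF with active content {hits}"
        return "pass", "PDF without active-content tokens"
    if data[:8] == OLE_MAGIC:
        return "sandbox", "legacy OLE Office document (macros cannot be ruled out without parsing)"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "sandbox", "corrupt or deliberately malformed zip"
        if "[Content_Types].xml" in names:                  # OOXML: docx/xlsx/pptx and macro variants
            macros = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if macros:
                return "sandbox", f"Office document with VBA project {macros}"
            return "pass", "OOXML document without VBA project"
        execs = [n for n in names if n.lower().endswith(SCRIPT_OR_EXE_SUFFIXES)]
        if execs:
            return "sandbox", f"archive carrying scripts or executables {execs}"
        return "pass", "plain archive"
    return "pass", "no recognised active-content container"


# Constructed sample files for the example (not real attachments).
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def ooxml(macro: bool) -> bytes:
    entries = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    if macro:
        entries["word/vbaProject.bin"] = OLE_MAGIC + b"\x00" * 8
    return make_zip(entries)

SAMPLES = {
    "invoice.docx":  ooxml(macro=False),
    "po.docm":       ooxml(macro=True),
    "report.pdf":    b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n",
    "statement.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "update.pdf":    b"MZ\x90\x00" + b"\x00" * 60,          # PE bytes behind a document name
    "photos.zip":    make_zip({"img1.jpg": b"\xff\xd8\xff", "photo.jpg.exe": b"MZ"}),
    "broken.zip":    b"PK\x03\x04" + b"\x00" * 10,          # truncated: no central directory
    "notes.txt":     b"just text",
}

def run_samples():
    return {name: triage(name, data)[0] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = triage(name, data)
        print(f"{name:14} {verdict:8} {why}")
```

A "pass" here only means the gateway found nothing to detonate, not that the file is safe: exploits against the document parsers themselves need no macros or JavaScript, which is why many deployments send every Office document and PDF from an untrusted sender to the sandbox and use triage like this only to prioritise. Malformed archives are sent rather than dropped silently because an archive the gateway cannot parse is exactly the kind of file that evades the next scanner too.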