Firewall News

Top Menu

  • Home
  • Our Blog
  • Contact Us

Main Menu

  • Software Updates
  • Alerts & Bugs
  • Out of the Box
  • Home
  • Our Blog
  • Contact Us

Firewall News

Firewall News

  • Software Updates
    • WatchGuard logo

      TDR 6.0.0 is now integrated into WatchGuard Cloud

      04/01/2021
      0
    • Sophos Logo

      XG Firewall 17.5 MR14 Released

      30/07/2020
      0
    • Sophos Logo

      Sophos Firewall Manager SFM 17.1 MR4 Released

      27/07/2020
      0
    • Sophos Logo

      Sophos Enterprise console - Endpoint Security and Control v10.8.9 for Windows has ...

      16/07/2020
      0
    • Sophos Logo

      Sophos iView v3 MR-2 Released

      07/07/2020
      0
    • Sophos Logo

      SD-RED Firmware 3.0.002 Pattern Update

      06/07/2020
      0
    • Sophos Logo

      XG Firewall 17.5 MR13 Released

      06/07/2020
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for old firmware v17 and v17.1 for XG Firewall

      03/07/2020
      0
    • WatchGuard logo

      Fireware 12.5.4 Now Available

      01/07/2020
      0
  • Alerts & Bugs
    • Sophos Logo

      Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

      29/03/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Updates

      03/03/2022
      0
    • WatchGuard logo

      WatchGuard Support Alert

      23/02/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Reminder

      03/02/2022
      0
    • Sophos Logo

      Sophos: Product Lifecycle Information: Extended Support for Windows 7 and Windows Server ...

      31/01/2022
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for Sophos SSL VPN Client

      29/11/2021
      0
    • WatchGuard logo

      WatchGuard: macOS Monterey 12.0.1 Does Not Support the AuthPoint Logon App

      09/11/2021
      0
    • Sophos Logo

      Sophos UTM Manager (SUM) End of Distribution

      04/11/2021
      0
    • WatchGuard logo

      WatchGuard: End of Sale Notice: AP420

      01/11/2021
      0
  • Out of the Box
    • WatchGuard’s Firebox T80 Earns 5-Star Rating in SC Labs Review

      17/11/2020
      0
    • WatchGuard Wins Big in CRN 2020 Tech Innovator Awards

      16/11/2020
      0
    • Coronavirus scams: what to look for and how to stop them

      02/04/2020
      0
    • Dell SonicWALL TZ 300

      Out the Box - Dell SonicWALL TZ 300

      05/07/2016
      0
    • Dell SonicWALL TZ SOHO

      Out the Box - Dell SonicWALL TZ SOHO

      05/07/2016
      0
    • WatchGuard Firebox T50

      WatchGuard Firebox T50

      31/03/2016
      0
    • WatchGuard Firebox M200

      WatchGuard Firebox M200

      31/03/2016
      0
NewsSophos
Home›News›Media Alert: Sophos shows how the most prevalent and persistent ransomware families attack victims

Media Alert: Sophos shows how the most prevalent and persistent ransomware families attack victims

By admin
14/11/2019
1632
0
Share:
Sophos Cybersecurity made simple

Playbook for defenders covers attack tools and techniques used by 11 major ransomware families including WannaCry, SamSam, RobbinHood, Ryuk, MegaCortex, and more

Automated, Active Attack-style was the Most Common Approach Seen Among Top Ransomware Families in the Report

OXFORD, UK – Nov. 14, 2019 – Sophos (LSE: SOPH), a global leader in next-generation cybersecurity, has published How Ransomware Attacks, a playbook for defenders that explains how ransomware variants attack and impact victims. The playbook complements the 2020 Threat Report released on Nov. 4, and features a detailed analysis of 11 of the most prevalent and persistent ransomware families, including Ryuk, BitPaymer and MegaCortex.

The research by SophosLabs highlights how ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up.

The tools and techniques covered by the playbook include:

The main modes of distribution for the major ransomware families.Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum impact (for example, WannaCry); as ransomware-as-a-service (RaaS), sold on the dark web as a distribution kit (for example, Sodinokibi); or by means of an automated active adversary attack, where attackers manually deploy the ransomware following an automated scan of networks for systems with weak protection. This automated, active attack style was the most common approach seen among the top families listed in the report.

Cryptographic code signing ransomware with a bought or stolen legitimate digital certificate in an attempt to convince some security software the code is trustworthy and doesn’t need analysis. 

Privilege escalation using readily available exploits, like EternalBlue, to elevate access privileges. This allows the attacker to install programs such as remote access tools (RATs), and to view, change or delete data, create new accounts with full user rights, and disable security software.

Lateral movement andhunting across the network for file and backup servers while staying under the radar in order to unleash the full impact of the ransomware attack. Within an hour, attackers can create a script to copy and execute the ransomware on networked endpoints and servers. In order to speed up the attack, the ransomware might prioritize data on remote/shared drives, target smaller document sizes first, and run multiple encryption processes at the same time.

Remote attacks. The file servers themselves are often not infected with the ransomware. Instead, the threat typically runs on one or more compromised endpoints, abusing a privileged user account to remotely attack documents, sometimes via the Remote Desktop Protocol (RDP) or targeting remote monitoring and management (RMM) solutions typically used by managed service providers (MSP) to manage customers’ IT infrastructure and/or end-user systems.

File encryption and renaming. There are a number of different methods for file encryption, including simply overwriting the document, but most are accompanied by either the deletion of the backup or original copy to hinder the recovery process.

The playbook explains how these and other tools and techniques are implemented by 11 ransomware families: WannaCry, GandCrab, SamSam, Dharma, BitPaymer, Ryuk, LockerGoga, MegaCortex, RobbinHood, Matrix and Sodinokibi.

“The creators of ransomware have a pretty good grasp of how security software works and adapt their attacks accordingly. Everything is designed to avoid detection while the malware encrypts as many documents as possible as quickly as possible and makes it hard, if not impossible, to recover the data. In some cases, the main body of the attack takes place at night when the IT team is at home asleep. By the time the victim spots what’s going on, it is too late. It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” said Mark Loman, director of engineering for threat mitigation technology at Sophos, and the author of the report.

How to protect against ransomware

  • Check that you have a full inventory of all devices connected to your network and that any security software you use on them is up to date
  • Always install the latest security updates, as soon as practicable, on all the devices on your network
  • Verify that your computers are patched against the EternalBlue exploit used in WannaCry by following these instructions: How to Verify if a Machine is Vulnerable to EternalBlue – MS17-010
  • Keep regular backups of your most important and current data on an offline storage device as this is the best way to avoid having to pay a ransom when affected by ransomware 
  • Administrators should enable multi-factor authentication on all management systems that support it, to prevent attackers disabling security products during an attack
  • There is no silver bullet to security, and a layered security model is the best practice all businesses need to implement
  • For example, Sophos Intercept X  employs a comprehensive defense-in-depth approach to endpoint protection, combining multiple leading next-gen techniques to deliver malware detection, exploit protection and built-in endpoint detection and response (EDR)

The complete How Ransomware Attacks playbook, as well as a SophosLabs Uncut article, How the Most Damaging Ransomware Evades IT Security, are available.

Previous Article

How the most damaging ransomware evades IT ...

Next Article

Barracuda Broadens APAC Presence with Headquarters in ...

0
Shares
  • 0
  • +
  • 0
  • 0
  • 0
  • 0

Related articles More from author

  • Wi-Fi Cloud Maintenance
    News

    WatchGuard Threat Detection and Response Adds Complete Network and Endpoint Visibility to Total Security Suite

    24/01/2017
    By admin
  • Fortinet
    FortinetNews

    Fortinet Again Named the Fastest Growing SD-WAN Vendor, Continues Innovation to Deliver SD-WAN Anywhere

    29/07/2020
    By admin
  • News

    Speed And Connectivity: The Fundamental Elements In The Science Of Cybersecurity

    04/09/2019
    By admin
  • Sophos Logo
    NewsSophos

    Sophos is ranked 10th in 2020’s Sunday Times PwC Top Track 250

    01/10/2020
    By admin
  • FortinetNews

    Fortinet Security Fabric Earns NSS Labs Recommendation for 2019 Breach Prevention Systems Group Test

    12/08/2019
    By admin
  • BarracudaNews

    Getting to know your Barracuda CloudGen Firewall work-from-home capabilities

    16/03/2020
    By admin

  • Sophos Intercept X with EDR
    NewsSophos

    Sophos Advances Endpoint Detection and Response (EDR)

  • SonicWall Capture Advanced Threat Protection Service
    News

    SonicWall Releases Capture Advanced Threat Protection Service

  • Sophos CRN Innovators
    News

    Sophos Intercept X is a Tech Innovator

Timeline

  • 29/03/2022

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

  • 03/03/2022

    Sophos: Important Product Lifecycle Updates

  • 01/03/2022

    Shoring up your cybersecurity posture in light of ongoing crisis

  • 23/02/2022

    WatchGuard Support Alert

  • 03/02/2022

    Sophos: Important Product Lifecycle Reminder

Sponsored Links

Latest Comments

  • Paul Sillars
    on
    21/06/2016
    I received this in an email this morning, it was the first I heard about it ...

    Dell Software Group sold to help fund looming EMC deal

  • Paul Sillars
    on
    20/06/2016
    This is going to be an interesting one to watch. Especially after today's announcement that ...

    Ingram Micro gets distribution access to Dell’s security range in Australia

Find us on Facebook

Firewall.News Logo

This site serves more as a reference point for some of the major security vendor's updates and product/press releases

It will never be a definitive list, but it helps our customers keep up to date and also allows us to express our comment and observations as well.

About us

  • PO Box 451, North Lakes, Queensland, 4509, Australia
  • [email protected]
  • Recent

  • Popular

  • Comments

  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Sophos Logo

    Sophos: Important Product Lifecycle Updates

    By admin
    03/03/2022
  • Shoring up your cybersecurity posture in light of ongoing crisis

    By admin
    01/03/2022
  • WatchGuard logo

    WatchGuard Support Alert

    By admin
    23/02/2022
  • Dell SonicWALL Supermassive

    Ingram Micro gets distribution access to Dell’s security range in Australia

    By admin
    14/06/2016
  • Francisco Partners and Elliott Management to Acquire the Dell Software Group

    Dell Software Group sold to help fund looming EMC deal

    By admin
    21/06/2016
  • WatchGuard Firebox M500 – The Cure for HTTPS Performance Headaches

    By admin
    05/03/2015
  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Paul Sillars
    on
    21/06/2016

    Dell Software Group sold to help fund looming EMC deal

    I received this in ...
  • Paul Sillars
    on
    20/06/2016

    Ingram Micro gets distribution access to Dell’s security range in Australia

    This is going to ...

Follow Me

  • Contact
  • About Us
  • Home