Ransomware attacks highlight the importance of eliminating network blind spots

By Sanjai Gangadharan

A wave of ransomware swept across Europe at an incredibly rapid clip on Tuesday, grinding business to a halt at banks, airports, pharmaceutical companies, government offices, service providers, utilities and more, security researchers said. Dubbed GoldenEye, a new variant of the Petrwrap/Petya ransomware, this attack is sneaking past traditional security defenses – according to The Hacker News, only 13 out of 61 anti-virus services are successfully detecting it – to load malware onto victims’ Windows machines and hold files for ransom unless the attackers are paid $300 in bitcoin.

Though the initial infection vector of the ransomware is currently unknown, researchers said it leverages the EternalBlue exploit to spread from one computer to another over the Microsoft Windows SMB protocol. Researchers said that this new bit of ransomware is similar in many ways to WannaCry, which in May ensnared more than 200,000 machines in more than 150 countries to hold files for ransom and also spread via the EternalBlue exploit.

One striking difference between WannaCry and GoldenEye is how the two ransomware attacks use encryption. WannaCry encrypted the infected files, while GoldenEye has two distinct layers of encryption: one that encrypts the files, and another that encrypts an infected machine’s entire file system, Bitdefender wrote.

"Just like Petya, it is particularly dangerous because it doesn't only encrypt files, it also encrypts the hard drive as well," Bogdan Botezatu, a senior threat analyst with Bitdefender, told CNET. A tweet from a Kaspersky Lab researcher indicates that Kaspersky recovered a sample of the malware on 18 June, suggesting it has been in the wild and infecting machines for more than a week.
As GoldenEye quickly spread throughout Europe Tuesday morning and afternoon, researchers worked to uncover the initial infection vector and determine the source.

While the source of the infection is still unclear, that it went unnoticed for more than a week is a strong reminder of the importance of understanding what type of traffic is on your network. Ransomware is sometimes spread via encrypted email messages containing Word and Excel files as attachments. This reinforces the need to decrypt and inspect Webmail and other secure email protocols to ensure attachments do not contain ransomware.

It’s also possible that GoldenEye infected machines through the use of nefarious encrypted traffic and went undetected. According to A10 Networks customers, roughly 75 percent of their traffic is encrypted. Yet at the Gartner Security and Risk Management Summit earlier this month, Gartner analysts said that by 2020, more than 60 percent of organizations will fail to properly decrypt traffic and miss most targeted web malware.

Encrypted traffic has become the biggest network blind spot, and enterprises need solutions that break and inspect encrypted traffic to uncover potential malware before it’s too late. Failing to decrypt encrypted traffic in real-time for your security stack to analyze could be inviting ransomware or other malware onto your network. The solution should be able to block the traffic in real-time and reset the communication channel. This helps eliminate the blind spot introduced by encrypted traffic.

The author is the Regional Director SAARC at A10 Networks