WannaCry over WannaCrypt? PacketViper Blocks New Ransomware Threat

Written by: Francesco Trama | Published on: August 18th, 2017

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.


The ransomware that brought hospitals throughout England and Scotland to an operational standstill is a strain of WannaCry (also known as WannaCrypt) that spreads with a potent and dangerous exploit called EternalBlue. What if you could block the ransomware?

EternalBlue exploits a flaw in Microsoft's SMBv1 implementation (a flaw Microsoft had patched as MS17-010 two months before the outbreak) and gives the ransomware legs. With it, an infected host can discover and exploit other vulnerable systems within the LAN and scan for vulnerable systems outside your LAN, with no user interaction. This East/West and North/South movement makes it very dangerous, because it traverses the network in every direction.

WannaCry/WannaCrypt ransomware is estimated to have infected 300,000 systems in a matter of days. The lag in crowdsourced threat intelligence created a window in which this type of fast-moving, self-propagating malware can metastasize efficiently.

Inbound AND Outbound

At the ingress point, PacketViper's Virtual Minefield Zone™ (VMZ) best practices would have detected and blocked newly infected sources as they scanned for SMB targets with EternalBlue, and gained intelligence on them in the process.

At the egress point, the VMZ can detect an infected source from the inside and prevent it from leaving the secure environment to scan for new victims or reach out to malicious hosts.

Virtual Minefield Zone (VMZ) Traps Unknown Threats

This new intelligence gained by the VMZ sensors would have prevented the initial infection and kept the threat source from spreading to the rest of your network. Firewalls and NGFWs would simply have dropped the source's packets while allowing it to keep scanning, and no active intelligence on the scanner would have been gained.

The PacketViper VMZ does not rely solely on known threat intelligence, which closes the window in which this type of malware can metastasize while still unknown to signature and reputation feeds. The VMZ identifies new threat sources in real time and retains the intelligence and blocking rules on them for longer periods without adding latency.

While many people are now updating blacklists and security practices because this malware is known, the unique thing about PacketViper is that it would have been equally effective against this ransomware whether the threat was known or unknown.

We would have blocked this malware without having identified it, because the VMZ is set to detect traffic patterns outside the norm at the perimeter. For the same reason, our customers will be well protected against the next new, unknown threat.
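To make the behavioural idea above concrete, here is an added example (written for this page, not PacketViper's code or a description of how the VMZ is implemented) that flags WannaCry-style propagation from flow records without any signature for the malware. It models the "minefield" as a set of unused decoy addresses that no legitimate host should ever contact, and it counts how many distinct hosts a single source touches on TCP/445 inside a short window, labelling each finding as inbound, east/west or egress. The flow-log format, the addresses, the decoy set and the thresholds are all constructed for the example.

```python
"""Behavioural detector for SMB worm propagation (added example).

Two signals, neither of which needs the malware to be known:
  1. minefield hits: any packet to a decoy address that is allocated to no
     real host is suspicious by construction;
  2. SMB fan-out: one source touching many distinct hosts on TCP/445 inside a
     short window looks like a worm sweeping, whichever direction it moves.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
# Constructed: internal addresses deliberately left unassigned (the "mines").
MINEFIELD = {ip_address(a) for a in ("10.0.9.7", "10.0.9.8", "10.0.99.250")}
SMB_PORT = 445
FANOUT_THRESHOLD = 10    # distinct TCP/445 targets in one window before flagging
WINDOW_SECONDS = 60


def parse_flow(line):
    # Constructed flow-log format: "<epoch> <src> <dst> <dport> <proto>"
    ts, src, dst, dport, proto = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(dport), proto


def direction(src, dst):
    """Classify a flow relative to the internal range."""
    src, dst = ip_address(src), ip_address(dst)
    if src in INTERNAL and dst in INTERNAL:
        return "east-west"
    if src in INTERNAL:
        return "north-south (egress)"
    if dst in INTERNAL:
        return "north-south (ingress)"
    return "transit"


def detect(lines):
    """Return {source_ip: {minefield_hits, smb_fanout, directions}} for
    sources that hit a decoy or exceed the TCP/445 fan-out threshold."""
    minefield_hits = defaultdict(set)
    smb_targets = defaultdict(list)     # src -> [(ts, dst)] on TCP/445
    fanout_peak = defaultdict(int)      # src -> max distinct targets in a window
    directions = defaultdict(set)
    for ts, src, dst, dport, proto in sorted(parse_flow(l) for l in lines):
        if dst in MINEFIELD:
            minefield_hits[src].add(str(dst))
            directions[src].add(direction(src, dst))
        if proto == "tcp" and dport == SMB_PORT:
            smb_targets[src].append((ts, dst))
            # Distinct targets seen from this source within the sliding window.
            recent = {d for t, d in smb_targets[src] if ts - t <= WINDOW_SECONDS}
            fanout_peak[src] = max(fanout_peak[src], len(recent))
            if len(recent) >= FANOUT_THRESHOLD:
                directions[src].add(direction(src, dst))
    flagged = set(minefield_hits) | {s for s, n in fanout_peak.items()
                                     if n >= FANOUT_THRESHOLD}
    return {str(s): {"minefield_hits": sorted(minefield_hits[s]),
                     "smb_fanout": fanout_peak[s],
                     "directions": sorted(directions[s])} for s in flagged}


def _sample_flows():
    """Constructed flow records: two scanners, some benign SMB, a slow sweep."""
    rows = []
    # Internet host sweeping the internal /24 on TCP/445 (ingress), decoy included.
    for i in range(1, 13):
        rows.append(f"{1000 + i} 203.0.113.5 10.0.1.{i} 445 tcp")
    rows.append("1014 203.0.113.5 10.0.9.7 445 tcp")
    # Already-infected workstation: east-west sweep, a decoy, then an egress sweep.
    for i in range(1, 7):
        rows.append(f"{2000 + i} 10.0.2.20 10.0.3.{i} 445 tcp")
    rows.append("2007 10.0.2.20 10.0.99.250 445 tcp")
    for i in range(1, 6):
        rows.append(f"{2010 + i} 10.0.2.20 198.51.100.{i} 445 tcp")
    # Benign: workstations using the file server, a DNS lookup.
    rows += ["3000 10.0.5.5 10.0.1.100 445 tcp", "3005 10.0.5.5 10.0.1.100 445 tcp",
             "3010 10.0.5.6 10.0.1.100 445 tcp", "3011 10.0.5.5 8.8.8.8 53 udp"]
    # Admin touching ten hosts one at a time, five minutes apart: never ten in a window.
    for i in range(10):
        rows.append(f"{4000 + 300 * i} 10.0.7.7 10.0.1.{i + 1} 445 tcp")
    return rows


SAMPLE_FLOWS = _sample_flows()

if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_FLOWS).items():
        print(src, verdict)
```

On the sample data the external sweep is reported as ingress and the infected workstation as both east-west and egress, while the slow administrative sweep stays under the threshold because the window, not the lifetime total, is what is counted. In a real deployment the decoy set and the fan-out threshold would be tuned to the size of the address space and to legitimate sources such as backup or vulnerability-scanning hosts.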

Rethink the perimeter.

Yours in security, Francesco Trama