Flash Alert: Malware Affecting Companies Nationwide



From VGM's Partners at ProCircular

We always attempt to keep you up to date, and in the last week we’ve seen several major outbreaks of ransomware called Emotet (a variant of Feodo). In fact, as I type this update, our engineering team is onsite - and has been for more than 24 hours - with a large client using CarbonBlack to knock it down.

This bug has been around for quite a while in a variety of different forms, and while it has evolved, it has always been a persistent and difficult problem to eradicate. Earlier this year, the attack cost the City of Allentown, PA over a million dollars.

Here’s some information that will hopefully help you be proactive...

How it shows up:

Emotet is generally distributed using a phishing campaign with infected MS Word documents.

What it does on your network:

Once the Word document is opened and the VBScript has had a chance to run on a workstation, it pulls down the actual malware from one of 32,000 (and counting) sites that serve as command and control. It unpacks itself directly into memory, and upon execution this malware:

  • Spreads via brute-force attack over the network using SMB.
  • Sends spam with compromised emails around the world.
  • Updates anti-malware signatures to bypass protection on the workstation.

How to protect yourself:

  • Employee awareness is key – make sure they know that opening attachments that run a script is a really, really bad thing, even when they come from a colleague. Don't shame or get angry with users if they make a mistake; use it as an opportunity to bring them onto your side of the defense, and thank them for listening.
  • Invest in CarbonBlack – we don’t normally make specific product recommendations, but a solution like CarbonBlack is an excellent way to detect and lock down malware like Emotet.
  • Monitor Account Lockouts – Emotet brute-forces its way across the network over SMB, so a cluster of account lockouts may be the first visible sign of an infection.
  • Pay particular attention to Financial Transactions – Emotet was originally designed to target banks, so keep a close eye on wire transfers and make sure that they’re all reviewed while the threat is still in play.

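The SMB brute-forcing described above and the "monitor account lockouts" advice meet in one detection: an infected workstation locks out many different accounts in a short span, whereas a user mistyping a password locks out one account now and then. The script below is an added example, not ProCircular's or VGM's code. It assumes lockout events have been exported from the domain controllers as one line per event (timestamp, locked-out account, caller computer name); on Windows that is Security event ID 4740, whose "Caller Computer Name" value is the host that sent the failing logons. The sample lines, host names and thresholds are constructed for illustration.

```python
"""Flag hosts that trigger a burst of account lockouts (Windows event 4740).

Added example (not part of the original alert). Input format assumed:
    <ISO 8601 timestamp> <locked-out account> <caller computer name>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lockout events (not real data). One workstation,
# WS-ACCT-07, locks out six different accounts within half a minute, which
# is the pattern an SMB password brute-force produces. The remaining lines
# are ordinary, isolated lockouts of a single account hours apart.
SAMPLE_LOCKOUTS = """\
2018-11-05T08:02:11 jsmith WS-FIN-02
2018-11-05T09:14:03 alee WS-ACCT-07
2018-11-05T09:14:09 bkumar WS-ACCT-07
2018-11-05T09:14:15 cwong WS-ACCT-07
2018-11-05T09:14:20 dgarcia WS-ACCT-07
2018-11-05T09:14:27 efoster WS-ACCT-07
2018-11-05T09:14:33 svc-backup WS-ACCT-07
2018-11-05T13:40:51 jsmith WS-FIN-02
2018-11-05T16:55:02 mnovak WS-HR-01
"""


def parse_lockouts(text):
    """Parse exported lockout lines into sorted (timestamp, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the export
        ts, account, caller = line.split()
        events.append((datetime.fromisoformat(ts), account, caller))
    return sorted(events)


def find_lockout_bursts(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {caller: sorted list of accounts} for every caller computer that
    locked out at least `min_accounts` distinct accounts inside some span no
    longer than `window`.

    Per caller, a sliding window over its lockouts: advance `start` until the
    span fits in `window`, then count the distinct accounts in the span and
    keep the largest set seen.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))

    suspicious = {}
    for caller, items in by_caller.items():
        items.sort()
        best = set()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            suspicious[caller] = sorted(best)
    return suspicious


if __name__ == "__main__":
    hits = find_lockout_bursts(parse_lockouts(SAMPLE_LOCKOUTS))
    for caller, accounts in hits.items():
        print(f"{caller}: locked out {len(accounts)} accounts in one window -> "
              f"{', '.join(accounts)}")
```

The thresholds (five distinct accounts within ten minutes) are a starting point; tune them against a week of your own 4740 volume so that help-desk noise stays below the bar. A flagged caller is the host to isolate and inspect, not the locked-out accounts, since those are the victims of the spray rather than its source.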
As always, please don’t hesitate to call us if you have questions or if you’ve noticed this ransomware on your workstations.

- Aaron R. Warner, CEO

Technical Information for IT/Cybersecurity:

Source: ProCircular