Jun 07 2017

EternalRocks Ransomware on the Horizon

Organizations should be aware of a new network worm called EternalRocks. It is built from the same leaked SMB exploits that WannaCry used, but carries more of them and, so far, no destructive payload of its own; that potential to be armed later has earned it the nickname “Doomsday Worm.” Please forward this to your appropriate technical staff.

Takeaways to consider:

  • EternalRocks bundles seven of the leaked NSA SMB tools. WannaCry used only two (EternalBlue and DoublePulsar).
    • All of them are Server Message Block (SMB) exploits or SMB reconnaissance tools. Although the exploits are often labelled SMBv1/v2/v3, all four target the SMBv1 implementation and all four are closed by the MS17-010 patch (CVE-2017-0143 through CVE-2017-0148):
      • EternalBlue – SMBv1 exploit (the one WannaCry used)
      • EternalRomance – SMBv1 exploit
      • EternalChampion – SMBv1 exploit
      • EternalSynergy – SMBv1 exploit
      • SMBTouch – SMB reconnaissance; checks whether a target is exploitable
      • ArchiTouch – SMB reconnaissance; fingerprints the target's OS and architecture
      • DoublePulsar – kernel-mode backdoor implanted by the exploits above; the worm uses it to load itself onto each newly exploited host, which then scans for further victims
    • Once installed, the worm calls out to Tor Command and Control (C&C) servers for tasking and to download the exploit kit and any further payloads.
  • EternalRocks has no ‘kill switch.’ It is designed to stay quiet and persist on the infected computer until it is tasked with a future attack. Once infected, the worm stays dormant for 24 hours before calling to its C&C server.
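Those two behaviours, a fan-out of SMB (TCP/445) connections to many internal hosts and an outbound Tor contact roughly a day after the host was itself hit on 445, are what a defender can hunt for in firewall or flow logs. The script below is an added example and is not part of the original alert; it assumes a header-less CSV log of the form timestamp,src_ip,dst_ip,dst_port,action, an internal address space of 10.0.0.0/8, an allow-listed vulnerability scanner at 10.0.0.200, and Tor's default ports 9001/9030 as a (weak) beacon heuristic. The sample log is constructed for the example, with the documentation range 203.0.113.0/24 standing in for the outside world.

```python
"""Hunt for EternalRocks-style worm behaviour in firewall or flow logs.

Added example, not code from the original advisory. Assumptions: header-less
CSV "timestamp,src_ip,dst_ip,dst_port,action", internal space 10.0.0.0/8,
and a constructed sample log (203.0.113.0/24 stands in for the Internet).
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable knobs; every value here is an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FANOUT_THRESHOLD = 10                  # distinct internal hosts on TCP/445 ...
FANOUT_WINDOW = timedelta(minutes=5)   # ... contacted within this much time
TOR_PORTS = {9001, 9030}               # Tor default ORPort/DirPort: weak heuristic,
                                       # use a current relay list in production
SCANNER_ALLOWLIST = {"10.0.0.200"}     # assumed authorised vulnerability scanner
FIELDS = ["timestamp", "src_ip", "dst_ip", "dst_port", "action"]


def constructed_log():
    """Constructed sample: 10.0.0.23 is hit on 445, beacons to a Tor port a
    day later, then sweeps the subnet on 445 itself; the rest is benign."""
    rows = ["2017-06-01T08:58:00,10.0.0.77,10.0.0.23,445,allow",      # inbound exploit
            "2017-06-02T09:00:00,10.0.0.23,203.0.113.5,9001,allow"]   # Tor beacon
    for i in range(1, 13):                                            # 12 targets in 2 min
        ts = datetime(2017, 6, 2, 9, 5, 0) + timedelta(seconds=10 * i)
        rows.append(f"{ts.isoformat()},10.0.0.23,10.0.0.{100 + i},445,allow")
    for hour in (9, 12, 15):                                          # user -> one file server
        rows.append(f"2017-06-02T{hour:02d}:30:00,10.0.0.50,10.0.0.5,445,allow")
    for i in range(1, 31):                                            # authorised scanner sweep
        ts = datetime(2017, 6, 2, 10, 0, 0) + timedelta(seconds=2 * i)
        rows.append(f"{ts.isoformat()},10.0.0.200,10.0.1.{i},445,allow")
    rows.append("2017-06-02T11:00:00,10.0.0.50,203.0.113.5,443,allow")  # ordinary HTTPS
    return "\n".join(rows) + "\n"


def parse_log(text):
    """Parse the CSV into dicts with a datetime timestamp and an int port."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        events.append({"ts": datetime.fromisoformat(row["timestamp"]),
                       "src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
                       "dst_port": int(row["dst_port"]), "action": row["action"]})
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src_ip: peak} for sources that reached at least `threshold`
    distinct internal hosts on TCP/445 inside any `window`-long interval.
    A user talking to one file server never trips this; a subnet sweep does."""
    by_src = defaultdict(list)
    for e in events:
        if (e["dst_port"] == 445 and is_internal(e["dst_ip"])
                and e["src_ip"] not in SCANNER_ALLOWLIST):
            by_src[e["src_ip"]].append((e["ts"], e["dst_ip"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):
            in_window = {dst for ts, dst in conns[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def tor_beacons(events, ports=TOR_PORTS):
    """Return {src_ip: [(ts, dst_ip, dst_port), ...]} for connections from
    internal hosts to external addresses on Tor's default ports."""
    out = defaultdict(list)
    for e in events:
        if e["dst_port"] in ports and not is_internal(e["dst_ip"]):
            out[e["src_ip"]].append((e["ts"], e["dst_ip"], e["dst_port"]))
    return dict(out)


def hunt(text):
    """Combine both signals per host and, where the host was itself hit on 445
    earlier, report how long it waited before beaconing (EternalRocks sleeps
    about 24 hours before its first C&C contact)."""
    events = parse_log(text)
    fanout, beacons, first_inbound = smb_fanout(events), tor_beacons(events), {}
    for e in events:
        if e["dst_port"] == 445 and is_internal(e["dst_ip"]):
            first_inbound[e["dst_ip"]] = min(e["ts"], first_inbound.get(e["dst_ip"], e["ts"]))
    findings = []
    for host in sorted(set(fanout) | set(beacons)):
        finding = {"host": host, "smb_fanout": fanout.get(host, 0),
                   "tor_beacons": beacons.get(host, [])}
        if host in beacons and host in first_inbound:
            dwell = min(beacons[host])[0] - first_inbound[host]
            finding["hours_from_first_inbound_445_to_beacon"] = round(dwell.total_seconds() / 3600, 1)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(constructed_log()):
        print(finding)
```

On the constructed log only 10.0.0.23 is reported: twelve distinct internal targets on 445 inside the five-minute window, one Tor-port connection, and about 24 hours between the inbound 445 hit and that beacon. The file-server user and the allow-listed scanner stay silent. Thresholds and the Tor heuristic need tuning to your own environment; the 445 fan-out signal is the robust one, the port heuristic is only a starting point.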

There is time to mitigate: the worm has not yet delivered a destructive payload, so exposed systems can be patched and closed off, and already-infected systems can be found and cleaned, before it is weaponized. Note that patching does not remove an existing infection; infected hosts must be cleaned as well as patched.

The following are low-hanging fruit that provide additional protection against EternalRocks and similar SMB worms. You can act on them yourself or contact Layer 8 Security for support:

  • Enable strong spam filters
  • Scan all inbound and outbound email with your filters
  • Configure firewalls to block access to known malicious IP addresses, and block TCP/445 at the perimeter and between network segments where SMB is not needed
  • Patch operating systems, software, and firmware; for EternalRocks specifically, confirm that MS17-010 is installed on every Windows host and disable SMBv1 wherever it is not required
  • Set anti-virus and anti-malware programs to scan automatically
  • Manage the use of sensitive accounts on the principle of least privilege
  • Use application whitelisting
  • Back up data regularly and keep a copy offline
  • Conduct penetration testing
  • Communicate with your third-party vendors to ensure they are prepared and secure
  • Practice good cyber hygiene to protect yourself, your workplace, and/or your family

If you have any questions regarding this alert, please contact us at 800-530-9121 or at contact@layer8cybersecurity.com.