
EternalBlue Ransomware: What’s Going On and How to Protect Your Data

May 31, 2019, 09:16 AM by Alex Simons


Did you see last night’s episode of The Wire where cybercriminals hold the city of Baltimore hostage with a strain of ransomware stolen from the NSA?

Oh wait – that’s an actual report from The Baltimore Sun.

According to the report, a hacking tool developed by the US National Security Agency (NSA) is now being used to shut down the city of Baltimore. Cybercriminals are demanding 13 Bitcoin (about $113,000) to unencrypt infected government files, which Baltimore authorities have refused to pay.

As a result of the attempted extortion, the city of Baltimore is struggling to access thousands of frozen computers, restore employee emails, and resume core IT operations. The direct economic impact translates to frozen real estate sales, declined utility payments, and disrupted government services.

Doesn’t this sound like an evil plot by Mr. Freeze?

This was actually due to a strain of ransomware called EternalBlue. EternalBlue is from the same family as WannaCry, Petya, and NotPetya, capitalizing on a vulnerability in Microsoft Server Message Block on Windows 7, Windows Server 2008, Windows XP, and Windows 10 operating systems.


How to Protect Against EternalBlue

EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.

So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.

Microsoft’s Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilizing the latest version.

Additionally, you should ensure that the following safeguards are in place:

  • Anti-virus software
  • Secure offsite backup with “attack-loop” prevention
  • Filter for .exe attachments in emails
  • Encrypt sensitive data

What Does the Ransomware Threat Landscape Look Like Today?

Global ransomware outbreaks are growing in quantity and are more sophisticated than ever. The Big 3 from the past couple years include WannaCry, NotPetya, and Spectre/Meltdown.

WannaCry and NotPetya are variants of EternalBlue. This “family” is particularly repugnant as they don’t rely on phishing emails for infection. They aren’t just viruses. They are worms. The EternalBlue “worm-viruses” can simply slip into your Windows PC or server through an unpatched gap in your Microsoft OS – bypassing the need for our favorite Nigerian Prince.

The “unpatched Windows exploit” was how WannaCry was able to affect over 200,000 computers across 150 countries in 2017. Damage estimates range from hundreds of millions to billions of dollars [1].

The Meltdown/Spectre attacks were potentially even more detrimental as they were able to exploit just about every computer chip manufactured in the last two decades [2]. The target vulnerability was at the hardware level, so the only direct solution was new computer chips. Anti-malware vendors have released new software patches that protect a computer’s OS, but it may only be a matter of time before Meltdown/Spectre resurfaces and infects more unpatched computers.

So once again – please take a moment to patch everything.

Also consider the following tactics to proactively prevent an attack from infiltrating your network:

  • Anti-virus: Keep your corporate data sources up to date with the latest anti-malware software to filter known ransomware strains.
  • Firewalls: Deploy firewalls and block access to SMB ports over the network or internet to control access to your IT environment.
  • Configure Webmail Server to Block Attachments: Include extensions like .exe, .vbs, or .scr. After filtering, you can scan the files in an isolated environment to verify or destroy them.
  • User Training: Train staff to stay alert for suspicious attachments and download links, for example by double-checking a business domain or spot-checking links.
  • File Versioning: Automatically store multiple versions of files at a time. This enables flexible restores in a disaster recovery scenario.
  • Upgrade OS and Applications: I really hope this is clear by now. Strains like EternalBlue expose out-of-date Windows software as an entry point into your environment.
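The patching and SMB-blocking advice above, turned into a host-hardening script as an added example (this is not code from the original post): it reports the facts an administrator checks first, turns off the legacy SMBv1 dialect that the EternalBlue family abuses, and blocks inbound SMB at the host firewall. It assumes the host needs no inbound file sharing and is run as an administrator; on Windows 7 the firewall step needs netsh instead of the NetSecurity cmdlets, and a reboot completes the SMBv1 change.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumption: this host needs no inbound file
# sharing; a file server should instead scope its File and Printer Sharing allow rules.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbExposureReport {
    # Facts a defender checks first: OS version, most recent installed update, SMBv1 state.
    $os  = Get-CimInstance Win32_OperatingSystem
    $fix = Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 1
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2 lack the Smb cmdlets; there the registry value rules,
        # and an absent SMB1 value means the protocol is enabled.
        $v = Get-ItemProperty $LanmanKey -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $v.SMB1) -or ($v.SMB1 -ne 0)
    }
    [pscustomobject]@{
        OSVersion      = $os.Version
        LastHotFixDate = $fix.InstalledOn
        SMB1Enabled    = [bool]$smb1
    }
}

function Disable-LegacySmb {
    # Turn off SMBv1 with whichever mechanism the OS offers; a reboot completes the change.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 10 also ships SMBv1 as an optional feature; remove it where it is installed.
    $f = if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    }
    if ($f -and $f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # Host firewall: drop inbound SMB (TCP 445) and NetBIOS session service (TCP 139) on
    # every profile. Block rules win over the built-in File and Printer Sharing allow rules.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (ransomware hardening)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}

Get-SmbExposureReport | Format-List
Disable-LegacySmb
Block-InboundSmb
```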



Secure Offsite Disaster Recovery: The Only Real Protection

Do you know how anti-virus software works?

It’s pretty cool.

Essentially, your anti-virus provider has this massive database of known malware code. Then they scan your network and quarantine anything that looks familiar.

Sounds like Sherlock Holmes as an IT guy.

But what if the virus attacking your network isn’t in the anti-virus database?

And couldn’t cybercriminals alter the code to avoid detection?

In a word, yes.

This happens all the time.

That’s why the only real protection to thwart a ransomware attack is a secure offsite disaster recovery strategy with protected backup repositories.

So that fancy firewall is a fantastic first step. But for a comprehensive plan to fight back against ransomware, ensure that you have a disaster recovery plan that you can depend on.


Stay Safe with Disaster Recovery-as-a-Service

Hackers will never stop developing new strains of ransomware.

So unfortunately, you can never stop preparing your IT resilience strategy for an attack.

But does it really have to be you?

What if your business doesn’t have the expertise or IT resources?

Or what if you’d rather focus on other pressing IT initiatives and entrust your ransomware contingency strategy to an industry specialist?

Great news – that logic summarizes the rationale for a disaster recovery-as-a-service model.

TechTarget defines DRaaS as the replication and hosting of physical or virtual servers by a third party to provide failover in the event of an outage [3]. In other words, a disaster recovery provider can leverage their cloud environment as a secondary site for replication to quickly spin up compromised systems or applications in the event of an outage. Many DRaaS providers will also have strong anti-virus capabilities to ensure that uninfected versions of the compromised data are being restored from the off-site data center.



The Advantages of DRaaS to Defeat Ransomware

A comprehensive end-to-end DRaaS failover strategy will have the ability to replicate both production data and active VMs to redundant offsite datacenters using strong user authentication, anti-malware security, and continuous verification to isolate the backed up copies from the malware.

In other words, if your network falls victim to an attack, you can power down your infected systems and storage, and then safely failover your applications from the cloud for uninterrupted business functions.

But the key advantage to DRaaS is you don’t have to understand any of this. A dedicated DRaaS provider will specialize in offsiting disaster recovery operations to the cloud, allowing your IT department to focus on other pressing IT initiatives.


Additional benefits include:

  • Multi-Cloud: While DRaaS can be 100% cloud computing, resources may be replicated to many different sites or clouds to ensure continuous backup if one site is unavailable.
  • Array Agnostic: A DRaaS model needs to be able to replicate any environment. So it will not favor a single platform or software provider. This ensures that the right clouds are deployed for the right workloads.
  • Full or Partial Failover: Not all data is created equally. Your business requirements should dictate your disaster recovery strategy as defined by the recovery time objective (RTO). A DRaaS model adds the flexibility to segment your IT workloads so you pay for your failover strategy based on the availability needs.
  • Reduced Hardware Expenditure: The DRaaS provider is responsible for all hardware costs and maintenance. The “pay-for-what-you-store” approach alleviates your IT budget from heavy capital hardware expenditures while simultaneously increasing scalability with flexible cloud architecture.
  • Expert Assistance: Developing a proper disaster recovery strategy requires expertise, time, and IT resources (CAPEX and OPEX). Partnering with a dedicated data protection specialist eliminates the need for in-house experts.


Advanced Disaster Recovery Practices Designed for Ransomware Failover

As a disaster recovery expert by now, you are probably wondering, “what about keeping backed up copies on offline storage, varying my credentials for the backup repositories, and having more frequent restore points?”

Yes, yes, and yes. These are great considerations for a comprehensive enterprise-caliber ransomware protection strategy.

Let’s take a look at each:

  • Keep Backup Copies on Offline Storage: Ransomware attacks can infect backup repositories on-premises or in the cloud. But they cannot attack an offline, “air-gapped” data copy. TurboRestore Appliances also offer offline bare metal recovery for high availability and redundancy.
  • Use a Variety of Credentials for Backup Repositories: Careful credential management can limit malware propagation through a network. It is unlikely that a ransomware attack could carry multiple credentials. So it is a smart idea to require more than a single user credential to access the backup repository.
  • Create Frequent Restore Points and Multiple Types of Restore Points: Instituting frequent restore points is a best practice with any high priority IT workload. Having multiple snapshots will enable “point-in-time restore” capabilities to restore your data right before the virus infiltrated your network.

Yes, You Are Now Ready to Fight Cybercrime

Or if not, you are ready to find a DRaaS partner who can.

Take an in-depth look into ransomware protection with Data Protection, Disaster Recovery, and Ransomware Protection with DRaaS, our industry report sponsored by ITPro Today.
