Threat Intelligence Report: Lucky Ransomware

Threat intelligence is an elusive concept: cyber-security vendors have developed numerous definitions for it, each shaped by a different procedural viewpoint. This report therefore begins by explaining the role threat intelligence plays within cyber-security and network defence, and by offering advice and best practice, so that the reader gains a basic understanding of its benefits and of why it is worth investing effort and resources in responding to it.

A definition of Threat Intelligence:
[It is] evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Name of Exploit
Lucky ransomware (this malware is a variant of the ransomware called Satan)

Type of Exploit
Data encryption tool, worm, malware, ransomware, remote code execution, password brute force attack, file upload, change default configurations

How Exploit is Spread
The Lucky ransomware is spread by exploiting vulnerabilities found on 10 different server operating systems. Only one of the server-side vulnerabilities that Lucky uses affects Java server applications. The vulnerabilities that affect JBoss, Tomcat, WebLogic and Apache Struts 2 are all remote code execution vulnerabilities that allow attackers to easily execute operating system commands.

All of the vulnerabilities are straightforward to exploit, and public exploit code is available for many of them, allowing attackers to compromise vulnerable systems with minimal customization.

Several of the vulnerabilities used by Lucky were disclosed recently, which means that the risk of infection is high for organizations that have not yet patched their systems.

Global Risk
High – The latest variant was discovered on systems belonging to financial institutions in late November, and the ransomware has been described as capable of causing widespread infections worldwide. It has been described as adept at exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat and Apache Struts 2.
