Threat Intelligence Report: Lucky Ransomware

Threat intelligence is an elusive concept. Cyber-security vendors have developed numerous definitions for it based on different procedural viewpoints. The key to understanding it is therefore to explain the role it plays within cyber-security and network defence, while offering advice and best practice. This will equip the reader with a basic understanding of the benefits of threat intelligence and of the importance of investing effort and resources in responding to it.

A definition of Threat Intelligence:
[It is] evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Name of Exploit
Lucky ransomware (this malware is a variant of the ransomware called Satan)

Type of Exploit
Data encryption tool, worm, malware, ransomware, remote code execution, password brute force attack, file upload, change default configurations

How Exploit is Spread
The Lucky ransomware is spread by exploiting vulnerabilities found on 10 different server operating systems. Only one of the server-side vulnerabilities that Lucky uses affects Java server applications. The vulnerabilities that affect JBoss, Tomcat, WebLogic and Apache Struts 2 are all remote code execution vulnerabilities that allow attackers to easily execute operating system commands.

All of the vulnerabilities are straightforward to exploit, and for many of them the exploits are publicly available, allowing attackers to compromise vulnerable systems with minimal customization.

Several of the vulnerabilities used by Lucky were disclosed recently, which means that the risk of infection is significant for organizations that have not yet patched their systems.

Global Risk
High – The latest variant was discovered in late November on systems belonging to financial institutions, and the ransomware has been described as capable of causing widespread infections worldwide. It is adept at exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat and Apache Struts 2.

Download the full report
