Threat Research

Security Advisory: Meltdown and Spectre Vulnerabilities

Between January 3 and 4, 2018, three vulnerabilities in processor hardware were made public that affect nearly all modern architectures. Impacted architectures include Intel, AMD, and ARM. If successfully exploited, an unprivileged process on an affected system could read privileged…

Bad Rabbit Ransomware Technical Analysis

Update: Further analysis of the code revealed new information regarding the spread of Bad Rabbit across the network. This post has been updated to reflect this new information.
Bad Rabbit Ransomware Background
On the afternoon of October 24, 2017 (BST),…

Mamba Ransomware Analysis

Mamba Ransomware Background
In September of 2016, a strain of ransomware was found in the wild which performed full disk encryption. According to Kaspersky Lab researchers [1], this ransomware strain named “Mamba” now appears to be re-circulating, primarily in Brazil and…

NotPetya Technical Analysis

In our Detecting Petya/NotPetya post earlier this week, we described the way in which NotPetya (or “Nyetna” as it has also been named) spreads to other systems on the network without use of the ETERNALBLUE/ETERNALROMANCE SMBv1 exploits. (Although the code…

Detecting Petya/NotPetya Ransomware

Petya / NotPetya Poses Risk to Even Patched Systems
On the morning of June 27, 2017, a new ransomware outbreak, similar to the recent WannaCry malware, was discovered in Ukraine. The malware quickly spread across Europe, affecting varied industries such as…

Detect WannaCry Initial Exploit Traffic with NetMon

The WannaCry ransomware campaign is just the latest wave of malware to target exploits in core networking protocols. And you need to protect your network with advanced threat detection. The ransomware spreads to unpatched Windows systems (see Microsoft Security Bulletin…

A Technical Analysis of WannaCry Ransomware

Contributors to this in-depth research analysis include Erika Noerenberg, Andrew Costis, and Nathanial Quist, all members of the LogRhythm Labs research group.
Summary
Ransomware that has been publicly named “WannaCry,” “WCry” or “WanaCrypt0r” (based on strings in the binary and encrypted…

WannaCry Ransomware

WannaCry: What We Know
It is worth noting that the first WannaCry infection was reported on February 10th, then again on the 25th. We will refer to this as “version 1.” This did not have a widespread impact. On the…

Analysis of Shamoon 2 Disk-Wiping Malware

Shamoon 2 Malware Background
On August 15, 2012, a Saudi Arabian energy company was infected with disk-wiping malware in a targeted attack. The malware, known as either “Shamoon” or “DistTrack,” reportedly infected nearly 30,000 machines at the company in this…