Combat WannaCry & Jaff ransomware with well-instrumented DNS
May 12, 2017 saw the launch of two large-scale ransomware attacks that infected hundreds of thousands of computers in 150 countries.
Receiving most of the media attention, the WannaCry ransomware spread by exploiting a vulnerability in Microsoft Server Message Block (SMB), for which Microsoft had issued a patch in March 2017 that had not been applied universally. WannaCry uses the resolution of a particular domain name as a circuit breaker, or kill switch. One best practice is to redirect internal requests for that domain to an internal sinkhole, so that resolution succeeds and the encryption routine does not complete.
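The sinkhole practice above also gives the visibility Infoblox describes: once the kill-switch domain resolves to an internal address, every host that looks it up is a candidate infection. The following is an added example, not Infoblox's code; it assumes a BIND-style query-log line format and uses a constructed placeholder in place of the real kill-switch domain, which this page does not name.

```python
import re
from collections import defaultdict

# Placeholder for the kill-switch domain (constructed; the real name is not on the page).
KILL_SWITCH_DOMAINS = {"example-killswitch-domain.invalid"}
# Constructed internal sinkhole address that the resolver answers with.
SINKHOLE_IP = "10.0.0.53"

# Assumed BIND-style query log format: "client <ip>#<port> (<name>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ .*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample query log: two hosts hit the kill-switch domain, one does not.
SAMPLE_LOG = """\
12-May-2017 10:01:02.123 queries: info: client 10.1.4.22#51234 (example-killswitch-domain.invalid): query: example-killswitch-domain.invalid IN A + (10.0.0.10)
12-May-2017 10:01:05.456 queries: info: client 10.1.4.23#51235 (www.example.com): query: www.example.com IN A + (10.0.0.10)
12-May-2017 10:01:07.789 queries: info: client 10.1.4.22#51236 (example-killswitch-domain.invalid): query: example-killswitch-domain.invalid IN A + (10.0.0.10)
12-May-2017 10:01:09.000 queries: info: client 10.1.4.30#51237 (EXAMPLE-KILLSWITCH-DOMAIN.INVALID): query: EXAMPLE-KILLSWITCH-DOMAIN.INVALID IN A + (10.0.0.10)
"""


def find_killswitch_lookups(log_text):
    """Return {client_ip: query_count} for hosts that resolved a kill-switch domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # Normalise: DNS names are case-insensitive and may carry a trailing dot.
        qname = m.group("qname").rstrip(".").lower()
        if qname in KILL_SWITCH_DOMAINS:
            hits[m.group("client")] += 1
    return dict(hits)


def rpz_records(domains, sinkhole_ip):
    """Build response-policy zone records that answer the kill-switch domain (and any
    subdomain) with the internal sinkhole, so resolution succeeds and the lookup is logged."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d}\tIN\tA\t{sinkhole_ip}")
        lines.append(f"*.{d}\tIN\tA\t{sinkhole_ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(rpz_records(KILL_SWITCH_DOMAINS, SINKHOLE_IP))
    for host, count in find_killswitch_lookups(SAMPLE_LOG).items():
        print(f"{host} queried a kill-switch domain {count} time(s): investigate this host")
```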
The other ransomware campaign, lost in WannaCry’s shadow, was Jaff, which was distributed through PDFs attached to emails. Infoblox had identified the malicious domain associated with Jaff and shared the information with our customers as early as April of this year.
According to Cricket Liu, chief DNS architect at Infoblox, "Both attacks highlight how important DNS infrastructure is to identifying and combatting malware. DNS becomes the perfect control plane to provide visibility of infected devices and prevent ransomware from encrypting data."
Ransomware extracted $1B from unsuspecting victims in 2016, and it continues to be a leading cyberthreat well into 2017. Protecting against ransomware requires a multi-faceted approach. Organizations and individuals should keep systems patched, employ proper security hygiene, stay current with their threat intelligence, and plug security gaps, especially by instrumenting their DNS infrastructure correctly.
EVP & CMO, Infoblox