Notice

NPCore participated in 'ISEC 2017' ... 'ZombieZERO EDR for Server' was debuted and demonstrated
[Picture: NPCore participated in 'ISEC 2017', held in COEX from Sep. 5th ~ 6th, to show 'ZombieZERO EDR for Server', its new product for server security. NPCore's sales manager Lee, Gun-Woong watching the demo video and explaining the new products to VIPs composed of government officials.]
Korea recently suffered its biggest security incident, in which the servers of a Korean hosting company were attacked by a ransomware variant. The sense of crisis over ransomware has risen, and government agencies and enterprises have further strengthened their security measures and security awareness. As a result, NPCore (CEO Han, S.C.) introduced its new server security product, 'ZombieZERO EDR for Server', for the first time at the '11th International Security Conference (ISEC 2017)' held on Sep. 5 ~ 6. ISEC, now in its 11th year, is the largest cyber security conference event in Korea.

At this event NPCore, along with Nicstech, Secucen and CoreInfra, showed and demonstrated 'ZombieZERO EDR for Server', a whitelist-based APT / ransomware response solution that is installed on the server and is aimed at the security managers of government agencies and enterprises. NPCore specializes in defense solutions against unknown APT and ransomware and provides behavior-based, two-level defense on the network and the endpoint.

Existing security solutions (signature-based anti-virus) cannot respond to APT (targeted malware) or to new and variant ransomware such as WannaCry and Petya, and traditional sandbox technology is vulnerable to malware that bypasses virtual machines, to new and variant ransomware, and to attacks through encrypted sections (SSL communication). To overcome these limitations, the importance of EDR (Endpoint Detection & Response) technology has been highlighted. In line with this, NPCore released 3 security products for endpoints (▲ ZombieZERO EDR for APT: endpoint security against APT, ▲ ZombieZERO EDR for Ransomware: endpoint security against ransomware, ▲ ZombieZERO SECaaS (Security as a Service): cloud-type security). NPCore recently released 'ZombieZERO EDR for Server' in response to the biggest recent server security incident and has deployed it at the OO Broadcasting Station.
ZombieZERO EDR for Server is installed on a Windows server and blocks the execution of new and variant malware in real time through its whitelist-based execution holding function. It analyzes and detects known and unknown malware through the central analyzer (ZombieZERO Inspector) so that the system executes only secure files.

[Operation sequence of 'ZombieZERO EDR for Server']
1) Server access → Execution of processes not registered on the whitelist is blocked.
2) EXE file analysis: A malicious file is blacklisted and isolated. / A normal file is added to the whitelist.
3) If the analysis result proves to be normal, the file is executed normally and you can check it. / If the file is malicious, the EXE file is blocked by EDR.
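The operation sequence above, modelled as a default-deny execution gate. This is an added example, not NPCore's code: the class and function names, the choice to key both lists on the SHA-256 of the file contents, and the toy analyzer are assumptions made for illustration.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOWED = "allowed"          # already whitelisted, runs immediately
    BLOCKED = "blocked"          # already blacklisted, never runs
    RELEASED = "released"        # held, analysed as normal, whitelisted, then run
    QUARANTINED = "quarantined"  # held, analysed as malicious, blacklisted, isolated

class ExecutionGate:
    """Default-deny gate; lists are keyed on file content, not on path or name."""

    def __init__(self, analyzer, whitelist=()):
        self.analyzer = analyzer      # assumed interface: callable(bytes) -> True if malicious
        self.whitelist = set(whitelist)
        self.blacklist = set()
        self.quarantine = {}          # digest -> isolated file contents

    def request_exec(self, image: bytes) -> Verdict:
        digest = hashlib.sha256(image).hexdigest()
        if digest in self.whitelist:
            return Verdict.ALLOWED
        if digest in self.blacklist:
            return Verdict.BLOCKED
        # Step 1: unregistered file, execution is held until a verdict exists.
        # Step 2: the central analyzer classifies the held file.
        if self.analyzer(image):
            self.blacklist.add(digest)
            self.quarantine[digest] = image
            return Verdict.QUARANTINED
        # Step 3: a normal result registers the file and lets it run.
        self.whitelist.add(digest)
        return Verdict.RELEASED

def toy_analyzer(image: bytes) -> bool:
    # Constructed stand-in for behavioural analysis: matches a marker string only.
    return b"ENCRYPT_ALL_FILES" in image

def demo():
    # Constructed sample "executables"; real input would be the file's bytes on disk.
    known = b"MZ known backup agent"
    new_tool = b"MZ new admin tool"
    dropper = b"MZ dropper ENCRYPT_ALL_FILES"
    gate = ExecutionGate(toy_analyzer, [hashlib.sha256(known).hexdigest()])
    runs = (known, new_tool, new_tool, dropper, dropper)
    return [gate.request_exec(image).value for image in runs]

if __name__ == "__main__":
    print(demo())
```

Because the lists are keyed on content, a whitelisted binary that is modified on disk hashes to a new value and is held and analysed again rather than inheriting the old entry.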
[Picture: NPCore's director Kim, Mu-Jeong was giving a speech on 'APT and Ransomware Defense System centered on endpoint utilizing advantage of Sandbox' at conference room A of COEX on Sep. 5.]
On the first day of the conference, NPCore's director Kim, Mu-Jeong gave a speech on 'APT and Ransomware Defense System centered on endpoint utilizing advantage of Sandbox'. Mr. Kim proposed the direction of ransomware blocking technology and held a real-time Q&A via Facebook. After the speech, many people came to the exhibition booth and asked many additional questions. A WannaCry ransomware blocking demo video and a demonstration were also shown at the booth and drew a good response. NPCore CEO Han, Seung-chul said, "Many people from various companies including gov. agencies, military, media companies, and SI companies consulted and asked for a follow-up visit and proposal. So we were able to confirm positive responses to EDR products and achieve business results more than expected."
2017.09.10

WannaCry ransomware massively attacks computer systems all over the world

Author: admin
Date: 2017-05-14 21:45
[Picture: WannaCry infection map]

A new ransomware strain named WannaCry (aka WannaDecryptor, aka WannaCryptor, aka WanaCypt0r, aka WCry) has infected more than 57,000 computers in 74 countries around the world so far.

According to Avast malware researcher Jakub Kroustek, most of the detections are coming from Russia, Ukraine, India and Taiwan.

[Picture: WannaCry attack distribution]

Kaspersky Lab forum users report that the WannaCry ransomware managed to infiltrate the internal computer system of the Ministry of Internal Affairs of Russia and Investigative Committee of Russia.

“It first appeared in February 2017, but now it’s updated and looks different than previous versions”, said one of the Kaspersky Lab forum users.

Spain’s Computer Emergency Response Team CCN-CERT also posted an alert on its site about a wide-scale ransomware attack affecting a few Spanish organizations.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions.

The WannaCry attacks are initiated using an SMBv2 remote code execution vulnerability in the Microsoft Windows OS. The EternalBlue exploit was made publicly available through the Shadowbrokers dump on April 14th, 2017, and the vulnerability was patched by Microsoft on March 14. However, many companies and public organizations have not yet installed the patch on their systems.

The ransomware encrypts the files and also drops multiple ransom notes in different languages. WannaCry demands a payment of $300 to a Bitcoin wallet.

WannaCry displays a countdown timer warning that the payment amount will be raised after 3 days and that the victim will completely lose their personal files after 7 days.

[Picture: WannaCry ransom demand]

The ransomware also changes the victim’s wallpaper with instructions on how to pay the ransom demand and how to get the decryptor tool.

[Picture: WannaCry ransom note]

The transaction statistics of the Bitcoin wallets used by WannaCry's creators show that some of the victims have already paid the ransom.

The file extensions targeted by the WannaCry ransomware include:
  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).


How to Prevent WannaCry infection?

1. Make sure that all hosts have enabled endpoint anti-malware solutions.
2. Install the official Windows patch (MS17-010), which closes the SMB Server vulnerability used in this ransomware attack.
3. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.
4. Backup all important data to an external hard drive or cloud storage service.

[Source : MalwareLess, May 12, 2017, https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world]

A more obvious defense is to install ZombieZERO, which defends against new ransomware based on its behavior.
ZombieZERO can defend against a second WannaCry and against new and variant ransomware without signatures. Existing antivirus products cannot prevent the upcoming WannaCry, a new piece of malware.
For more information, please call +82-2-1544-5317 or visit www.npcore.com.
