How to Defend Against Sorebrect Ransomware | ExtraHop

South Korean web hosting company Nayana just went public with their ongoing ransomware crisis: they're doling out $1.01 million to retrieve encrypted business websites. Nayana was attacked using the Erebus malware, first detected in fall 2016, likely through a Linux vulnerability.

Nayana's successful ransom begs the question: If we know about new ransomware strains in advance, how can we get better at actually stopping them? Until everyone can afford top notch IT security and dedicated threat hunting teams, let's start with more information, shared faster.

SOREBRECT is the newest player in the ransomware bracket, but you'll hear its name again. Here are three crucial steps you can take to help keep your organization out of that headline:

  1. Limit User Write Permissions and PsExec Privilege

SOREBRECT uses the Tor network protocol to scan and encrypt network shares, like most ransomware, but it also encrypts files with Microsoft's Sysinternals PsExec command-line utility. The ransomware itself, however, is fileless. It infects a targeted system and then destroys itself in order to avoid detection—but not before deleting the infected system's event logs and other forensic evidence.

This makes SOREBRECT extremely difficult to trace, so your best defense is a strong offense. Not only should you know exactly who in your company can access your systems, but you need to restrict those users to experts with a solid grasp of cybersecurity practices.

  1. Put Someone in Charge of Keeping the System and Network Updated

This one seems like a no-brainer, but look at WannaCry: most systems hit by that strain were compromised because of a simple failure to apply a patch. You should be performing regular audits to make sure your infrastructure is up to date—but if it's everyone's job … Well, you know how that goes.

That's why we recommend charging one person with proactively checking for new patches and updates to your systems on a regular basis, and making sure the organization keeps to a systems audit schedule.

  1. Invest in Cybersecurity Awareness

Since ransomware was invented, the biggest weakness any organization has faced is human failure. Attacks are getting more serious and more frequent, and as Sen. Angus King of Maine put it, "The next Pearl Harbor will be cyber."

Send users to cybersecurity training. Test them with fake phishing emails (learn how at Dark Reading). Don't stop at one training; set up a regular training and testing cycle. Rinse and repeat.

Even if you follow all these steps, odds are good your organization will face attempted attacks. With strains like SOREBRECT, where forensic evidence is next to impossible to find, you need a way to detect suspicious behavior the second it occurs on the network.

That's where ExtraHop comes in. Learn how you can use real-time analytics for aggressive action against potential attacks here: Ransomware Detection and Prevention.

This is a companion discussion topic for the original entry at