Recently a ransomware variant titled “WannaCry” has infected thousands of unpatched endpoints worldwide. This quick presentation provides a synopsis of what this threat might mean for end users and what actions can be taken in response to this new information.
2. The facts about WannaCry
On Friday, May 12, a ransomware variant titled “WannaCry” infiltrated several UK-based National Health Service locations. Since then, it has spread across 200 countries and infected more than 200,000 endpoints.
Microsoft has since released a patch for legacy operating systems (Windows XP and onward). While a patch removing the underlying vulnerability (Windows Vista and onward) had been issued on March 14, delays in applying security updates and Microsoft’s lack of support for legacy Windows versions have left users vulnerable.
WannaCry is a ransomware variant that leverages a known Microsoft SMB vulnerability, EternalBlue, targeting unpatched Windows operating systems (Windows XP, 8, Vista, 7, 2012, 10, and Server 2003). Infected users have their files encrypted and are asked for a $300 bitcoin ransom. The malware has been documented propagating laterally, rapidly infecting affiliated endpoints.
A short-term “kill-switch” was identified that prevented the infection of additional systems. Since then, new variants of the malware that lack the kill-switch have been reported. As of May 15, 2017, the threat is still prevalent and at large.
WannaCry is built on the NSA arsenal of exploits and tools recently leaked by the ShadowBrokers.
3. WannaCry details and misconceptions
Important information is getting lost amongst the online clutter; take the time to eliminate all WannaCry misconceptions.
• The most common WannaCry variant uses IPC$ shares and SMB resources to propagate.
• WannaCry leverages the EternalBlue exploit: the exploit drops an executable onto the targeted system, which then performs a beacon check against the kill-switch domain. If it receives no response, the malware executes its ransomware routines. See Endgame.com for a more detailed analysis.
• WannaCry installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (Source: Malwarebytes)
• On the LAN, it scans every enumerated address within its LAN for an open port 445 or 139 (i.e. the SMB ports).
• On the internet, it scans random IP addresses for an open port 445. If it finds one, it scans all devices in the same /24 range (i.e. IP addresses that share the first three octets) as the found address.
• WannaCry kills SQL Server, Exchange and MySQL and installs TOR on the endpoint.
• When the ransom demand time elapses, the malware writes up to 1 GB of free space on the host disk and then deletes the file.
• An earlier variant of WannaCry had been documented before this outbreak.
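The propagation behaviour listed above gives a defender two concrete things to look for in flow or firewall logs: one internal host opening SMB connections to many distinct peers in a short window (the LAN sweep), and any internal host reaching the internet on port 445 (the internet scan, which a perimeter should block outright). The script below is an added example and not part of the original deck; its log format ("timestamp src dst dport action"), the INTERNAL_NETS list, the 60-second window and the 20-peer threshold are all assumptions, and the log lines it analyses are constructed sample data.

```python
"""SMB fan-out detection over flow logs (added example; not from the deck).

Flags (a) internal hosts that open SMB (445/139) connections to many
distinct LAN peers inside a sliding time window and (b) any SMB connection
to an address outside the organisation's own ranges. Log format, network
ranges and thresholds are assumptions; the sample log is constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed org ranges
FANOUT_THRESHOLD = 20   # distinct SMB peers within WINDOW (assumed tuning)
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed flow records: one normal client talking to three file
    servers, one host sweeping its /24, one internet-bound SMB connection,
    and unrelated HTTPS traffic."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i, srv in enumerate(["10.0.0.10", "10.0.0.11", "10.0.0.12"]):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 10.0.1.5 {srv} 445 ALLOW")
    for i in range(1, 41):          # 40 peers in 40 seconds: a sweep
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.1.77 10.0.1.{i} 445 ALLOW")
    lines.append(f"{base.isoformat()} 10.0.2.9 203.0.113.7 445 ALLOW")
    lines.append(f"{base.isoformat()} 10.0.1.5 93.184.216.34 443 ALLOW")
    return lines


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def max_distinct_peers(events, window):
    """Largest number of distinct destinations one source contacted inside
    any sliding window; events are (timestamp, dst) tuples."""
    events.sort()
    recent, counts, best = deque(), Counter(), 0
    for ts, dst in events:
        recent.append((ts, dst))
        counts[dst] += 1
        while ts - recent[0][0] > window:      # expire old events
            _, old_dst = recent.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        best = max(best, len(counts))
    return best


def detect_smb_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {'scanners': {src: peak_peers}, 'internet_smb': [(src, dst)]}."""
    per_src = defaultdict(list)
    internet_smb = set()
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        if dport not in SMB_PORTS:
            continue
        if not is_internal(dst):
            internet_smb.add((src, dst))   # SMB should never leave the LAN
            continue
        per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        peak = max_distinct_peers(events, window)
        if peak >= threshold:
            scanners[src] = peak
    return {"scanners": scanners, "internet_smb": sorted(internet_smb)}


if __name__ == "__main__":
    result = detect_smb_scanners(build_sample_log())
    for src, peak in result["scanners"].items():
        print(f"possible SMB sweep from {src}: {peak} distinct peers in {WINDOW}")
    for src, dst in result["internet_smb"]:
        print(f"internet-bound SMB: {src} -> {dst}")
```

Tune the threshold against a baseline of normal fan-out: domain controllers, backup servers and vulnerability scanners legitimately talk SMB to many peers and belong on an allow-list rather than driving the threshold up for everyone.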
For more information, please visit:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/
4. Immediate actions – If you have not been infected
Patch or Inoculate OS: Determine your exposure and the potential risk implications; identify and document outdated Windows operating systems. Update all legacy software with the recent Microsoft patch. Update supported software with Microsoft’s March 2017 patch.
Back Up Your Data: Make the time to back up all critical data to the cloud and/or to an external hard drive. Create an image of your current operating system to prevent future data loss.
Disable Unused Ports: Assess your organizational exposure for all internet-facing devices. Maintain a dynamic and frequently updated listing of active ports. Close all unnecessary ports and adopt the principle of least privilege. Disable legacy protocols such as SMBv1.
Communicate: Send internal alerts to educate employees on the WannaCry threat campaign. Deliver security training sessions on threat mitigation tactics; foster a culture of organizational situational awareness. Send external alerts to clientele; proactively address any efforts undertaken to combat the threat. Schedule cadence meetings with your managed service providers and third-party vendors to discuss WannaCry, and address any and all corresponding security measures they have undertaken to combat it. Share this intelligence and actively collaborate with external stakeholders to manage any potential risk. Enterprises can demand proof of change from vendors by asking for evidence such as records of change, patches deployed, etc.
Threat Intelligence: Review your threat intelligence program (if there is none, refer to Info-Tech for guidance on setting one up) and ensure that its output is being consumed and actioned. Timely intelligence can give you a crucial head start against threat actors.
Endpoint Protection: Install EPP vendor updates. Ensure endpoint protection solutions incorporate the most recent indicators of compromise and updated signature lists. Adopt machine learning and heuristic-based analysis to monitor threats in real time.
Leverage IOCs: Organizations should block all connections to TOR nodes. Block relevant indicators of compromise. Reference the appendix for a comprehensive list of IOCs.
Incident Response: Formalize incident response procedures. Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.
5. Immediate actions – If you have been infected
Shut Down: Shut down and disconnect any infected systems as part of your overall risk mitigation strategy. Isolate the infected host if possible. Do not attempt to clean the system or run any AV or malware scans; these processes are done later.
Assess your organizational exposure for all internet-facing devices. Determine why open ports are open. Maintain a dynamic and frequently updated listing of active ports. Close all unnecessary ports (disable SMBv1) and adopt the principle of least privilege.
Don’t Pay: After evaluating all possible outcomes: if you become infected, payment should not be an option.
Analyze the Scope: Determine exactly how much of your network has been infected and how many files have been compromised. Identify any connected devices that had access to the infected device. Create an inventory of infected devices so you know what must be restored from backup. For each connected device, check for signs of infection, e.g. perform a file scan for encryption, file rename spikes, or other signs of ransomware.
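One way to do the "file scan for encryption" the scope-analysis step calls for is to sample each file and measure its byte entropy: ransomware output is indistinguishable from random data, so a spreadsheet or document whose content reads as nearly 8 bits per byte is a strong sign it has been encrypted, while archives, images and media are dense by design and must be excluded to keep the noise down. The script below is an added example, not the deck's own tooling; the sample size, the 7.5 bits/byte threshold and the NATURALLY_DENSE exclusion list are assumptions, and the tree it scans is constructed in a temporary directory.

```python
"""Encrypted-file triage for scope analysis (added example; not from the deck).

Walks a directory tree, samples each file and computes Shannon entropy.
Files of a normally compressible type whose entropy is close to 8 bits per
byte are reported; formats that are compressed or encrypted by design are
skipped by extension. Thresholds and the exclusion list are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 16 * 1024          # read at most this much from each file
MIN_SIZE = 256                    # smaller files are too short to judge
ENTROPY_THRESHOLD = 7.5           # bits per byte; random data is ~7.99
# Formats that are high-entropy by design (assumed list); skipping them
# keeps the report focused on documents that should be compressible.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                   ".mp4", ".mp3", ".gpg", ".aes", ".pfx", ".p12"}


def shannon_entropy(data):
    """Bits of entropy per byte of the given sample."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_file(path):
    """Return (entropy, suspicious) for one file, or None if it was skipped."""
    try:
        size = os.path.getsize(path)
    except OSError:
        return None
    if size < MIN_SIZE:
        return None
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(sample)
    ext = os.path.splitext(path)[1].lower()
    suspicious = ent >= ENTROPY_THRESHOLD and ext not in NATURALLY_DENSE
    return ent, suspicious


def scan_tree(root):
    """Return {'scanned': n, 'suspicious': [(path, entropy), ...]}."""
    scanned, suspicious = 0, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            result = classify_file(path)
            if result is None:
                continue
            scanned += 1
            ent, flag = result
            if flag:
                suspicious.append((path, round(ent, 2)))
    return {"scanned": scanned, "suspicious": sorted(suspicious)}


def build_sample_tree():
    """Constructed tree: a plain-text report, an archive (dense by design,
    so excluded) and a 'spreadsheet' filled with random bytes, standing in
    for a file that ransomware has already encrypted."""
    root = tempfile.mkdtemp(prefix="triage-")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("quarterly figures, nothing unusual here\n" * 200)
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    out = scan_tree(build_sample_tree())
    print(f"scanned {out['scanned']} files")
    for path, ent in out["suspicious"]:
        print(f"possible encrypted content: {path} (entropy {ent})")
```

Run it read-only against a mounted copy or a forensic image rather than the live infected host, and treat the count of flagged documents per share as the first estimate of how much must be restored from backup.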
Communicate: Report your experience: organizations that have fallen victim to a ransomware attack are encouraged to work with their local law enforcement office. US-based companies should report the incident to the FBI Internet Crime Complaint Center (IC3). Send internal alerts to educate employees on the WannaCry threat campaign. If client-facing operations have been impacted, work with your legal or field department to communicate to your customers. Proactively address any efforts undertaken to combat the threat.
Locate Backups and Restore Data: Google Drive, Dropbox, OneDrive: have you shared the data with someone else using a cloud-based storage service? Even if the data is encrypted, these services will often allow you to revert your files to a previous state. Removable media: did you put the files onto a USB drive, external hard drive, DVD, or other removable media to transfer the data? If you find you have copies on removable media, manually verify the files by restoring them to a separate computer. It is essential to verify files from physical media, as these can deteriorate.
6. A cost-benefit analysis can easily tell you what you should do when it comes to ransomware
We live in the real world, and often we work for companies looking to maximize their profits. It is practical for them to perform a risk-based cost-benefit analysis to determine whether to pay or not. To pay or not should be a business decision based on which option is most cost effective.
Consider these variables:
• What is the potential harm caused by losing that data or system? Is the data or system critical in nature? What is the potential impact to the information system, the business process, or the organization? Are there adequate backups and a recovery process to minimize operational interruptions?
• What is the relative cost associated with paying? Most ransom demands are deliberately set at a level that seems reasonable, to encourage you to pay.
• What is the probability that your data will be decrypted? An “unethical” extortionist could receive payment and choose not to decrypt your data.
• What is the probability that once you pay, you will be extorted again in the future? An attacker could leave malware on your systems in the form of a backdoor, which they could use to compromise you for additional ransom. An attacker could also spread the knowledge that you are willing to pay, inciting other cybercriminals to attack you.
These considerations result in the conclusion:
DON’T PAY: In most cases, paying the ransom does not make sense. It is the unequivocal recommendation from authorities, vendors, and Info-Tech that you do not pay unless absolutely necessary.
7. Best practices moving forward
Patching ≠ Security: Just because a patch is available does not mean it has been deployed. Many organizations run a few patching cycles behind. Conduct an inventory of current operating systems and immediately patch vulnerable endpoints. Stay up to date with your patching efforts, and ensure other vulnerability management practices (e.g. hardening, virtual patching, system isolation) are in place where appropriate.
Leverage Threat Intelligence: Take a proactive approach to vulnerability identification. Leverage third-party open-source vendor websites and mailing lists to actively search for new indicators of compromise and CVEs. Schedule regular scans and prioritize your patching efforts.
Assess Port Security: Assess port security and the exposure of internet-facing services related to the affected RDP and SMB services. Standard ports include 139 and 445. Consider disabling unused legacy protocols such as SMBv1.
Drive Adoption: Use this release as leverage not only to create organizational situational awareness around security initiatives, but also to drive adoption of foundational security measures such as patch management, threat intelligence, and zero-day mitigation policies, procedures, and solutions.
Backup Your Data: Get in the habit of periodically backing up all sensitive data. Whether through cloud-based solutions or via external hard drives, sensitive data must be frequently backed up and stored in a secure manner.
Plan For The Worst: Formalize incident response procedures. Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.
Block Indicators: Information alone is not actionable. A successful security program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act on gathered intelligence.
8. Maintain a holistic security program
WannaCry is a good reminder that security threats are often unknown and unpredictable. The only way to maintain an effective defense is through a comprehensive and flexible security program covering four stages: prevent, detect, analyze, respond.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.
Detect: There are two types of companies: those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security, and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore; don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
9. Use this opportunity to conduct a security program evaluation
Leverage Info-Tech’s various security blueprints:
• Integrate Threat Intelligence Into Your Security Operations
• Humanize The Security Awareness & Training Program
• Develop and Implement a Security Incident Management Program
• Design and Implement a Vulnerability Management Program
• Defend Against Ransomware
Effective information security management will help you:
Enhance your organizational security posture
• Risk reduction
• Enhanced compliance management
• Improved organizational situational awareness
Create and clarify accountability and responsibility
• Formalized role and process responsibility
• Enhanced internal and external communication
Control security costs
• Incident reduction
• Streamlined security operations processes
• Strategy alignment
Identify opportunities for improvement
• Defined measurement programs
• Defined opportunities for continuous improvement
Improve threat protection
• Intelligence-driven security operations process
• Optimized patch management program
• Improved effectiveness of internal controls
• Standardized operational use cases
10. Appendix* Indicators of Compromise
• Attached is a list of indicators of compromise issued by US-CERT (as of May 15, 2017). Take the time to ingest and
actively block indicators within all security controls.
11. Appendix* File Types
There are a number of files and folders WannaCry will avoid, some because encrypting them is entirely pointless and others because it might destabilize the system. During scans, it searches the path for the following strings and skips the file if any is present:
• "Content.IE5"
• "Temporary Internet Files"
• " This folder protects against ransomware. Modifying it will reduce protection"
• "Local Settings\Temp"
• "AppData\Local\Temp"
• "Program Files (x86)"
• "Program Files"
• "WINDOWS"
• "ProgramData"
• "Intel"
• "$"
The filetypes it looks for to encrypt are:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb,
.docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi,
.sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw,
.cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf,
.wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf,
.mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp,
.wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
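The skip strings and extension list above can be turned into an inventory of which files on a host or share would actually be in scope, which is the number to check your backup coverage against. The script below is an added example, not the deck's own tooling: it applies the documented filters as a case-sensitive substring test on the path (normalised to backslashes) and a case-insensitive extension test, both of which are approximations of the behaviour the text describes rather than confirmed details, and reports in-scope file and byte counts per top-level folder. The tree it walks is constructed in a temporary directory.

```python
"""In-scope file inventory for backup verification (added example; not from
the deck). Applies the skip strings and extension list documented in the
appendix to a directory tree and summarises what would be in scope, so the
result can be compared with what the backup job actually covers. Matching
rules are assumptions; the sample tree is constructed.
"""
import os
import tempfile
from collections import defaultdict

# Path substrings the text says are skipped (case-sensitive test assumed).
SKIP_STRINGS = (
    "Content.IE5", "Temporary Internet Files",
    " This folder protects against ransomware. Modifying it will reduce protection",
    "Local Settings\\Temp", "AppData\\Local\\Temp",
    "Program Files (x86)", "Program Files", "WINDOWS", "ProgramData", "Intel", "$",
)

# Extensions from the appendix; compared case-insensitively (assumption),
# so the set also absorbs the duplicate .sldm entry in the printed list.
TARGET_EXTENSIONS = {ext.lower() for ext in """
.doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv .rtf
.123 .wks .wk1 .pdf .dwg .onetoc2 .snt .jpeg .jpg .docb .docm .dot .dotm .dotx
.xlsm .xlsb .xlw .xlt .xlm .xlc .xltx .xltm .pptm .pot .pps .ppsm .ppsx .ppam
.potx .potm .edb .hwp .602 .sxi .sti .sldx .sldm .vdi .vmdk .vmx .gpg .aes
.ARC .PAQ .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .backup .iso .vcd .bmp
.png .gif .raw .cgm .tif .tiff .nef .psd .ai .svg .djvu .m4u .m3u .mid .wma
.flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav
.mp3 .sh .class .jar .java .rb .asp .php .jsp .brd .sch .dch .dip .pl .vb .vbs
.ps1 .bat .cmd .js .asm .h .pas .cpp .c .cs .suo .sln .ldf .mdf .ibd .myi .myd
.frm .odb .dbf .db .mdb .accdb .sql .sqlitedb .sqlite3 .asc .lay6 .lay .mml
.sxm .otg .odg .uop .std .sxd .otp .odp .wb2 .slk .dif .stc .sxc .ots .ods
.3dm .max .3ds .uot .stw .sxw .ott .odt .pem .p12 .csr .crt .key .pfx .der
""".split()}


def in_scope(path):
    """True if the documented filters would select this file."""
    win_path = path.replace("/", "\\")
    if any(s in win_path for s in SKIP_STRINGS):
        return False
    return os.path.splitext(path)[1].lower() in TARGET_EXTENSIONS


def inventory(root):
    """Count in-scope files and bytes per top-level folder under root."""
    summary = defaultdict(lambda: {"files": 0, "bytes": 0})
    for dirpath, _, names in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "." if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in names:
            full = os.path.join(dirpath, name)
            if not in_scope(os.path.relpath(full, root)):
                continue
            summary[top]["files"] += 1
            summary[top]["bytes"] += os.path.getsize(full)
    return dict(summary)


def build_sample_tree():
    """Constructed tree mixing user documents, temp files, program files
    and data files; contents are filler bytes of known sizes."""
    root = tempfile.mkdtemp(prefix="scope-")
    files = {
        "Users/alice/Documents/plan.docx": b"x" * 1000,
        "Users/alice/Documents/notes.TXT": b"y" * 500,
        "Users/alice/AppData/Local/Temp/cache.txt": b"z" * 300,
        "Program Files/App/app.dll": b"w" * 2000,
        "Program Files/App/readme.txt": b"v" * 100,
        "Data/db/customers.mdf": b"u" * 4000,
        "Data/tools/setup.exe": b"t" * 9000,
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for folder, stats in sorted(inventory(build_sample_tree()).items()):
        print(f"{folder}: {stats['files']} in-scope files, {stats['bytes']} bytes")
```

Note what the skip list implies for recovery planning: temp folders and program directories are left alone, so the damage concentrates in user profiles and data shares, which is where backup coverage and retention need to be verified first.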
12. Want to learn more? Join our webinar series at http://cybercast.itpgsecure.com