View on-demand webinar: http://bit.ly/2qoNQ8v
What you need to know and how to protect against the WannaCry Ransomware Attack, the largest coordinated cyberattack of its kind. WannaCry has already crippled critical infrastructure and multiple hospitals and telecommunications organizations, infecting hundreds of thousands of endpoints in over 100 countries. In this on-demand webinar, we discuss the anatomy of this unprecedented attack and IBM Researchers share expert insights into what you can do now to protect your organization from this attack and the next one.
WannaCry Ransomware Attack: What to Do Now
1. WannaCry Ransomware: What to Do Now
May 16, 2017
Diana Kelley, Executive Security Advisor, IBM Security
Kevin Albano, X-Force IRIS Global Lead for Threat Intelligence, IBM Security
Jim Brennan, Director of Strategy and Offering Management, IBM Security
2. Overview (IBM Security)
• What is WannaCry?
• The anatomy of the attack
• How to protect my organization NOW
• Back to basics
• Best practices
• Next steps
3. What is the WannaCry ransomware attack?
• Began on May 12 but leverages previously known exploits
• Infiltrates endpoints and encrypts all the files, demanding a ransom payment of $300 USD in bitcoin
• Exploits a known Windows vulnerability that enables remote code execution
  – A Microsoft Windows patch was available in March; those who didn't apply this patch are vulnerable
• Crippled at least 100K organizations across multiple industries in over 150 countries
• 200K+ infected endpoints
4. What makes WannaCry so sophisticated?
• The malware uses highly potent NSA exploits that were allegedly leaked by "ShadowBrokers" in April 2017
• Exploits a flaw in the Server Message Block (SMB) protocol that enables its worm-like propagation
• Uses strong, asymmetric encryption, employing the RSA 2048-bit cipher to encrypt files
• Uses a modular architecture of the kind found in legitimate software and in complex malware projects like banking trojans
5. WannaCry: The Anatomy of the Attack
LATEST INTEL
• Crippled at least 100K organizations across multiple industries in over 150 countries
• 200K+ infected endpoints
• $60,000 paid so far, but this will rise; paying the ransom is not recommended
• Ransomware slowed down by the accidental discovery of a killswitch
• However, new variants have emerged with no killswitch or with different domains
1. ROOT CAUSE: ? (initial infection vector not established)
2. FIRST STAGE EXECUTED: invokes the SMB protocol for port scanning
3. PROPAGATION STEP 1: attempts to use the 'DoublePulsar' backdoor to send WCry to the target endpoint, then propagates
4. PROPAGATION STEP 2: 'EternalBlue' scans servers for DoublePulsar; if not found, delivers WCry and propagates
5. DROPS TOR CLIENT: launches a Tor client on the infected endpoint, anonymizing communications
6. INITIATES ENCRYPTION: encrypts 160 file extensions and deletes shadow copies
7. RANSOMWARE NOTICE: displays ransomware message with instructions to decrypt
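The scanning behaviour in steps 2 through 4 above shows up in firewall or flow logs as one internal host opening TCP/445 to many distinct peers within seconds. As an added example (not from the IBM deck), this PowerShell function flags that fan-out pattern; the log format, addresses and thresholds are constructed for the example.

```powershell
# Added example, not IBM's code: detect SMB fan-out (one source, many
# distinct destinations on TCP/445 inside a short window), the propagation
# signature described on the slide. Log lines below are constructed and use
# a made-up format "<ISO time> <src> -> <dst>:<port>"; adapt the regex to
# your firewall's export.
$SampleLog = @'
2017-05-12T10:00:01 10.0.5.23 -> 10.0.5.1:445
2017-05-12T10:00:01 10.0.5.23 -> 10.0.5.2:445
2017-05-12T10:00:02 10.0.5.23 -> 10.0.5.3:445
2017-05-12T10:00:02 10.0.5.23 -> 10.0.5.4:445
2017-05-12T10:00:03 10.0.5.23 -> 10.0.5.5:445
2017-05-12T10:00:03 10.0.5.23 -> 10.0.5.6:445
2017-05-12T10:00:04 10.0.5.40 -> 10.0.5.7:445
2017-05-12T10:00:05 10.0.5.40 -> 10.0.5.7:445
2017-05-12T10:00:06 10.0.5.41 -> 10.0.9.9:443
'@

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,        # distinct peers on 445 before a source is flagged
        [int]$WindowSeconds = 60    # sliding window length
    )
    # Keep only TCP/445 events, parsed into objects
    $events = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>[^:]+):(?<port>\d+)$' -and
            $Matches.port -eq '445') {
            [pscustomobject]@{ Time = [datetime]$Matches.ts; Src = $Matches.src; Dst = $Matches.dst }
        }
    }
    $events | Group-Object Src | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        # Slide a window from each event; report the first window that trips the threshold
        foreach ($start in $sorted) {
            $end = $start.Time.AddSeconds($WindowSeconds)
            $inWindow = $sorted | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end }
            $peers = @($inWindow.Dst | Sort-Object -Unique).Count
            if ($peers -ge $Threshold) {
                [pscustomobject]@{ Src = $_.Name; DistinctPeers = $peers; WindowStart = $start.Time }
                break
            }
        }
    }
}

# Only 10.0.5.23 (six peers in three seconds) is reported; 10.0.5.40 retries one host
Find-SmbFanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

A single host legitimately talks to a handful of file servers; tune the threshold per site and whitelist vulnerability scanners, which produce the same pattern.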
6. How can I protect my organization now?
1. Scan for DOUBLEPULSAR during cleanup and confirm anti-virus signatures are up to date
2. Reduce your attack surface by ensuring that all Windows systems are patched (MS17-010)
3. Block SMB ports (particularly ports 139 and 445) from external hosts; block UDP ports 137 and 138 from the local network to the WAN
4. Disable SMBv1 and SMBv2 and only permit SMBv3 connections by policy on clients
5. Back up critical data on a regular basis
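Steps 2 through 4 can be audited and applied on a single Windows host from an elevated PowerShell session. This is an added example, not IBM's tooling; the KB numbers are the March 2017 MS17-010 packages for common Windows builds as known to the author and should be verified against the Microsoft bulletin for the versions in your estate, and the firewall profile scoping is an assumption.

```powershell
# Added example (not from the IBM deck): host-level audit and remediation
# for slide steps 2-4. Run elevated. KB list is the author's recollection of
# the MS17-010 packages (verify against the bulletin); on Windows 10 later
# cumulative updates supersede them, so "not found" means "check the build".
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'

function Test-Ms17010Hotfix {
    $ids = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($ids | Where-Object { $Ms17010Kbs -contains $_ })
}

function Disable-Smb1 {
    # Step 4: SMBv2 and SMBv3 share one switch (EnableSMB2Protocol) in Windows,
    # so switching v2 off would also remove v3; this turns off v1 only.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 have no SMB cmdlets; use the documented registry value (reboot needed)
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Add-SmbBlockRules {
    # Step 3 on the host firewall: no SMB in from, and no NetBIOS out to, networks
    # the host classes as Public. Windows Firewall rules cannot express "every
    # address except our LAN", so blocking external hosts estate-wide also
    # belongs on the perimeter firewall. Profile scoping is an assumption.
    New-NetFirewallRule -DisplayName 'WannaCry: block inbound SMB' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    New-NetFirewallRule -DisplayName 'WannaCry: block outbound NetBIOS' -Direction Outbound `
        -Protocol UDP -RemotePort 137,138 -Action Block -Profile Public | Out-Null
}

# Audit first, then remediate
if (-not (Test-Ms17010Hotfix)) {
    Write-Warning 'No MS17-010 package found via Get-HotFix; verify patch level for this build'
}
Disable-Smb1
Add-SmbBlockRules
Get-SmbServerConfiguration -ErrorAction SilentlyContinue |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```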
7. Security best practices
PATCH: Apply critical vulnerability patches to reduce attack surface
BLOCK: Protect networks from advanced threats and malware
MONITOR: Leverage deep security analytics to correlate disparate data, detect emerging threats
RESPOND: Orchestrate an incident response plan
8. Patching 101: Where endpoint tools are challenged (PATCH)
Fragmented defenses, slow to respond:
• Insufficient visibility
• Sporadic endpoint hygiene
• Silos of teams and tools
9. PATCH
Apply critical vulnerability patches enterprise-wide to reduce attack surface
1. Ensure ability to discover and report on all endpoints (including unmanaged ones) regardless of location and bandwidth
2. Automate patch deployment to impacted endpoints wherever possible
3. Utilize closed-loop verification to ensure patch success
4. Enable a state of continuous policy enforcement across endpoints to reduce attack surface
10. BLOCK
Block malware and advanced threats from entering your network
1. Deploy network protection devices in-line
2. Ensure you have IP reputation and URL filtering feeds to enable automatic blocking of malicious site access
3. Ensure network protection signatures and firmware are up to date
11. MONITOR
Detect emerging threats by leveraging deep security analytics
1. Get a common, correlated view, with prioritization, of security-relevant logs, network traffic flows and user behavior
2. Deploy network security devices to detect malicious software and exploit activity in real time
3. Use a cloud-based malware analysis service with automatic send/receive capability for rapid threat identification
4. Leverage cognitive computing to go beyond the limitations of structured data and incorporate the latest global research insights on active threats
12. RESPOND
Transform incident response to align people, process, and technology
1. Get help from highly skilled experts with incident management and security intelligence experience to help you during a crisis
2. Preparation is paramount; develop an incident response plan and test it to align people, processes and technology
3. Ensure IR processes are consistent, proven, easy to refine, and compliant
4. Identify, detect, contain and remediate threats before they spread and cause more damage
5. Enable decisive action through complete IR orchestration and automation
13. IBM Security is here to help
PATCH: Apply critical vulnerability patches to reduce attack surface
• BigFix
BLOCK: Protect networks from advanced threats and malware
• QRadar Network Security (XGS)
• BigFix
MONITOR: Leverage deep security analytics to correlate disparate data, detect emerging threats
• QRadar w/ Watson
• X-Force Exchange
• X-Force Malware Analysis
RESPOND: Orchestrate an incident response plan
• Resilient
• X-Force IRIS
IBM Managed Security Services
14. Next steps
• Follow the updates on X-Force Exchange
• Refer to the X-Force Ransomware Response Guide to evaluate organizational readiness
• Learn more about protecting your organization: sign up for our webinar series to learn more about monitoring, patching, blocking & responding
For immediate help, call the IBM X-Force Incident Response Hotline:
USA +1-888-241-9812
Global +1-312-212-8034