By Ron Temske, Vice President of Security Solutions, Logicalis US
Recent large-scale ransomware attacks have placed a premium on information about ransomware and what you can do to best protect your organization. Please note – ransomware attacks continue to spread, even as this blog is published, so new information may expand on (or contradict) what’s noted below. This post is current as of May 15, 2017.
The attack, known as WannaCry (and by many variant names such as WannaCrypt, WannaCryptor, etc.), is a derivative of an attack named Wana Decryptor, which was first detected in early May attacking several UK hospitals. It quickly spread, and by mid-day Saturday, May 13, 2017, an estimated 126,000 systems in over 100 countries had been impacted by this attack.
There have been similar notable ransomware attacks against the National Health Service in the UK, Telefonica in Spain and FedEx in the United States. The attacker is deploying common ransomware techniques of encrypting a hard drive and demanding payment ($300 USD worth of bitcoins in this case, with an escalating ransom if not paid promptly).
The attack leverages a vulnerability in the Microsoft Windows Operating System, identified in Microsoft security bulletin MS17-010. The vulnerability affects the SMB service (Server Message Block) which is used for file, print and other services within Windows.
Two exploits that take advantage of this vulnerability – DoublePulsar and EternalBlue – were created by the NSA and subsequently stolen and released by an underground hacktivist group called Shadow Brokers. These exploits are not specific to this recent ransomware attack and could be used to install virtually any malicious code on a machine. The current attacks first scan for the presence of DoublePulsar and leverage that backdoor if present. If it is not present, they use EternalBlue to exploit the SMB vulnerability directly. Many articles have already been written on the history of the attack, so I will focus instead on remediation and prevention.
If you have already been compromised by the attack, your normal options remain: you can restore your data from backup or you can pay the ransom. Additionally, because the method of propagation is so effective, you must consider systems beyond those that were obviously infected. There is no guarantee that an attack won’t be launched again if you pay the ransom, so if you do have to pay, ensure that the infected system has been cleaned so the ransomware can’t be reactivated. Please note that, while the actual malware is fairly easy to remove (unlike many other strains), simply cleaning the malware won’t help with files that are already encrypted; it will, however, prevent further activation.
Many researchers are working on creating a decryption algorithm, and good progress is being made; however, waiting for that research to succeed is a dangerous game. If you decide to take this risk, I recommend turning off the machine, disconnecting it from the network and not turning it back on until a decryption tool is available and you have expert assistance.
There are several preventative steps that can be taken if you have not already been infected:
- First – Ensure that your Windows systems are fully patched. WannaCry leverages a known vulnerability for which a patch exists, so this is by far the most critical step and should be taken immediately. The Microsoft security bulletin MS17-010 contains a link to the necessary patch as well. This only addresses this particular attack, of course, and does not protect against other strains.
- Second – SMB ports 139 and 445 should be blocked from all externally addressable hosts and, through segmentation where possible, internally as well, to block attempts to exploit the vulnerability.
- Third – Conduct a vulnerability scan of your environment to determine which machines need this update. Generally speaking, a scan won’t identify the presence of an Advanced Persistent Threat (like DoublePulsar), but it can at least tell you if your systems have unpatched vulnerabilities that could be further exploited.
It’s worth noting that I’m hearing some reports of scans giving false negatives – indicating that the patch is not present on a fully patched system. Thankfully, I have not heard any reports of false positives yet.
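The first two steps above, as an added example that is not from the original post: an elevated PowerShell script that checks whether an MS17-010 update is installed and adds a Windows Firewall rule blocking inbound TCP 139/445 on the Public and Private profiles. The KB identifiers are placeholders to be filled in from the MS17-010 bulletin for your exact Windows version; the rule name is an assumption.

```powershell
# Added example, not code from the original post.
# Requires an elevated session on Windows 8.1 / Server 2012 R2 or later (NetSecurity module).
# PLACEHOLDER: replace with the KB numbers MS17-010 lists for this host's OS build.
$Ms17010Kbs = @('KB_PLACEHOLDER_1', 'KB_PLACEHOLDER_2')

function Test-Ms17010Patched {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix reads Win32_QuickFixEngineering, which can miss updates delivered
    # inside cumulative rollups, so a negative result means "verify", not "unpatched"
    # (the same false-negative problem mentioned above for scanners).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $KbIds | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Output "MS17-010 update present: $($found -join ', ')"
        return $true
    }
    Write-Warning "No MS17-010 update found in installed hotfixes; verify and patch this host."
    return $false
}

function Block-InboundSmb {
    # Block NetBIOS-over-TCP (139) and direct-hosted SMB (445) inbound on profiles
    # used for non-domain networks. The Domain profile is left alone so file and
    # print sharing on the managed LAN keeps working; rely on segmentation there.
    $name = 'Block inbound SMB (MS17-010 mitigation)'   # assumed rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$name' already exists."
        return
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Profile Public,Private -Action Block | Out-Null
    Write-Output "Created rule '$name' blocking TCP 139/445 on Public/Private profiles."
}

$patched = Test-Ms17010Patched
Block-InboundSmb
if (-not $patched) {
    Write-Warning "The port block is a stop-gap only; apply the MS17-010 update and rescan."
}
```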
For a more holistic approach to ransomware, there are a few key steps that should be taken to provide protection:
- First – Upgrade to a next-generation endpoint solution if you’re still using a signature-based approach. These newer solutions leverage machine learning and can identify behaviors, not just match patterns. By identifying suspicious behavior, even highly polymorphic attacks can be detected.
- Second – Use a secure DNS solution. With a secure DNS solution in place, even if the malware were to infect one of your systems, the C2 (Command and Control) request can frequently be blocked, preventing the malware from obtaining further instructions and/or encryption keys.
- Third – Deploy behavioral analytics tools to look at activity beyond the host level and evaluate observed behaviors. This can also help you identify other suspicious behaviors that are not specific to malware, for example clients using Tor to circumvent normal detection methods. Tor is also frequently used when making the ransom payment, so you would be able to detect that activity in your environment.
CAPTION: This screenshot shows one of the ransom payment screens for those who are curious (courtesy of bleepingcomputer.com).
Finally, perhaps one of the first steps you should take is to contact a qualified and certified managed security provider that can help you develop a security strategy and adopt a security posture so you can manage and mitigate risk before, during and after an attack.