TECHNICAL ADVISORY: WannaCry
Category : Threat Advisory
Planet Earth suffered the largest ever Global Ransomware Attack on Friday 12th May 2017.
Over 100 countries were impacted, with victims ranging from individuals to large organisations including the British NHS, Nissan, Telefónica and Renault. The ransom demanded ranged from $300 to $100,000s, payable in Bitcoin, causing global damages of over $700m.
On Friday 12th May, Performanta’s Security Operations Centre (SOC) alerted us to the world’s biggest ransomware attack, well before the outbreak became global (estimated at over 200,000 machines infected).
Thanks to the quick response by the Performanta technical teams, we have implemented all the relevant protections on customers’ antimalware solutions to mitigate the attack, and have worked with customers to patch MS17-010 and disable SMBv1 where possible.
This attack starts with a phishing email carrying an attached ZIP file that lures the target into executing the ZIP file’s contents, which hold the ransomware payload. From that point the payload infects the machine and also starts attacking nearby machines on the network, taking advantage of a vulnerability that allows the payload to be run remotely on those machines without any user interaction – that is the reason it spread so widely.
Microsoft patched this vulnerability a few months ago; however, many organisations have not applied the fix. The Microsoft patch needed to stop it spreading is MS17-010 (the NSA exploit code ‘Eternal Blue’, leaked by ShadowBrokers, CVE-2017-0143): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
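The two host-level mitigations named above (confirming MS17-010 is applied and disabling SMBv1) can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not Performanta’s own tooling; the KB list is the original March 2017 MS17-010 release set as I know it (later cumulative updates supersede it, so a missing KB means “verify”, not “exposed”), and the registry and sc.exe steps are the Microsoft-documented method from KB2696547.

```powershell
# Added example (not Performanta's tooling): report MS17-010 and SMBv1 state on the
# local host, and disable SMBv1 (server and client side) when run with -Disable.
# Run elevated. A reboot is required after disabling SMBv1.
[CmdletBinding()]
param([switch]$Disable)

# Assumption: original MS17-010 hotfix IDs; later rollups supersede these IDs.
$Ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    'No original MS17-010 hotfix ID found; compare srv.sys against the bulletin file versions.'
}

# srv.sys is the SMB server driver the bulletin patches; its version is the authoritative check.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys"
"srv.sys version: $($srv.VersionInfo.FileVersion)"

# Server side: SMB1 DWORD under LanmanServer\Parameters (absent or 1 = enabled, 0 = disabled).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
'SMBv1 server: ' + $(if ($smb1 -eq 0) { 'disabled' } else { 'ENABLED (default)' })

# Client side: the SMBv1 redirector driver mrxsmb10 (Start = 4 means disabled).
$mrxStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
'SMBv1 client driver (mrxsmb10): ' + $(if ($null -eq $mrxStart) { 'not present' } elseif ($mrxStart -eq 4) { 'disabled' } else { 'ENABLED' })

if ($Disable) {
    # Disable the SMBv1 server (KB2696547 method for Windows 7 / 2008 R2 and later).
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    # Remove the SMBv1 redirector from the workstation dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    'SMBv1 disabled; reboot required. Legacy devices that only speak SMBv1 will lose access.'
}
```

On Windows 8.1/Server 2012 R2 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` writes the same server-side setting; keep the registry check regardless, as it works on Windows 7/2008 R2 too.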
Performanta remains ever vigilant to secure our customers’ worlds, together. We are at your service should you require assistance. All customers are advised to continually and responsibly patch their systems, and to ensure a defence-in-depth strategy for combating ransomware.
Advice and Guidance:
- Email – review security policies to harden the perimeter against threats infiltrating it
  - Do users really need to accept macro-enabled Word documents (DOCM) from outside the organisation?
  - Do users need to receive .html, .js, .vbs or .wsh files from external sources (including inside compressed archives such as ZIP)?
  - Do users need to receive executables from external sources?
- Active Directory
  - Malware and ransomware are designed to run under user accounts – can more control be introduced with AppLocker or SRP to prevent users from running executables from dubious locations, e.g. the %TEMP% folder and similar paths, or perhaps to block executables running in user space altogether?
  - Can wscript.exe (Windows Script Host) and PowerShell be blocked from running on certain machines?
  - Office 2016 has features that allow macros to be controlled more tightly, configurable through Group Policy: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
  - Additional Active Directory security guidance can be found at https://adsecurity.org/
- Web Security Gateway
  - Malware and ransomware mostly employ a downloader first, which fetches the main component from the web – are web policies optimised to reduce the risk of accessing dubious websites?
  - Keep in mind that actors employ compromised websites and domains with good reputations – this could be addressed by blocking access to newly created domains
- Endpoint protection
  - Does the existing endpoint protection platform allow custom execution policies to be created, similar to the AppLocker and SRP policies mentioned under Active Directory above?
  - Application and script control:
    - Blocking and controlling application execution in user space (whitelist, blacklist)
    - Blocking and controlling wscript.exe, powershell.exe and macros on endpoints is crucial to stop ransomware and other advanced threats
- Endpoint protection and Endpoint Detection and Response solutions
  - Some solutions in this space offer advanced machine-learning-based components to combat malware and ransomware. Visibility of blocked threats is important: the added advantage of these solutions is the visibility they offer, so you know what the ransomware threat tried to do to your organisation
  - CrowdStrike has a built-in component that can be activated on the endpoint to prevent ransomware from running
  - McAfee ATD and TIE
  - Check Point Threat Emulation and Extraction
- Email sandbox:
  - Can prove very effective in blocking ransomware; however, be aware that variants are designed to evade it, so it is just another layer. For example, a few months ago the Zepto ransomware variant managed to evade the FireEye NX appliance, according to feedback observed on a security mailing list.
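The AppLocker controls suggested under Active Directory above (no executables from %TEMP%, no wscript.exe or PowerShell for ordinary users) can be expressed as a policy and dry-run before enforcement. The script below is an added example, not Performanta’s or Microsoft’s code; the rule names, the Everyone SID as the target, AuditOnly mode and the sample paths are my assumptions, and it requires a Windows edition that supports AppLocker with the Application Identity service running.

```powershell
# Added example (not Performanta's tooling): build an AppLocker EXE policy that denies
# executables from per-user Temp folders and the script hosts named in the advisory,
# test it against sample files, then import it in AuditOnly mode.
$Everyone = 'S-1-1-0'   # assumption: scope to a narrower user group in production
function New-RuleId { [guid]::NewGuid().ToString() }

# %OSDRIVE% and %SYSTEM32% are AppLocker path variables, not environment variables.
$DenyPaths = @(
    @{ Name = 'Deny EXE from user Temp'; Path = '%OSDRIVE%\Users\*\AppData\Local\Temp\*' }
    @{ Name = 'Deny wscript.exe';        Path = '%SYSTEM32%\wscript.exe' }
    @{ Name = 'Deny cscript.exe';        Path = '%SYSTEM32%\cscript.exe' }
    @{ Name = 'Deny powershell.exe';     Path = '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe' }
)

$DenyRules = foreach ($r in $DenyPaths) {
@"
    <FilePathRule Id="$(New-RuleId)" Name="$($r.Name)" Description="Advisory hardening" UserOrGroupSid="$Everyone" Action="Deny">
      <Conditions><FilePathCondition Path="$($r.Path)" /></Conditions>
    </FilePathRule>
"@
}

# Allow rules are required, otherwise an enforced EXE collection blocks everything; Deny always wins over Allow.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows folder" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
$($DenyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'applocker-advisory.xml'
$PolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run: a harmless copy of notepad.exe in Temp should be Denied, wscript.exe Denied, notepad.exe Allowed.
Copy-Item "$env:SystemRoot\System32\notepad.exe" (Join-Path $env:TEMP 'sample.exe')
(Join-Path $env:TEMP 'sample.exe'), "$env:SystemRoot\System32\wscript.exe", "$env:SystemRoot\System32\notepad.exe" |
    ForEach-Object { Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $_ -User $Everyone }

# Merge into the local policy (use a GPO for domain-wide rollout) and make sure AppIDSvc is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
Start-Service -Name AppIDSvc
```

While the collection is in AuditOnly mode, event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log shows what would have been blocked; review it before switching EnforcementMode to Enabled, and add matching rules for the 32-bit copies under SysWOW64 if those hosts are present.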
Performanta will continue to update customers as we monitor this evolving attack. If you think you have been a victim of the WannaCry infection, please email your account manager immediately. Please also inform your employees to be extra vigilant and not to open any unrecognised and unexpected emails.