On Friday, 12 May 2017, corporate computing systems worldwide saw the largest and possibly most damaging Windows-based ransomware attack seen to date. Companies such as Telefónica in Spain and FedEx in the US reported being affected, and most troubling, several organisations within the UK's National Health Service had an extreme disruption in its ability to provide healthcare as the ransomware spread from machine to machine.
This incident is different from any other because it is a union of the old and new. This implementation has coupled “wormable” self-propagation capabilities as seen in 2003 with the crippling “Denial of Data” effects of 2016.
This goes to show that the weeks-old adage of “ransomware is so 2016” is not only entirely off the mark, but also that ransomware is no joking matter. The detection and prevention of ransomware and other data-destructive malware continues to be one of the highest critical cyber-security priorities in 2017.
Below, we outline details and methods you can use to combat WannaCry and ransomware in general, and if you're a security professional scrambling to raise your defences further, the information should be very timely.
Details about the WannaCry exploit
WannaCry malware is extremely virulent and fast moving, and goes by several other names including “WnCry” and “Wanna Decryptor” and “WannaCrypt0r.” Although the initial infection vector is uncertain at this time, many researchers speculate it to be, with near certainty, phishing or drive-by web download. It infects systems through an exploit to Microsoft's “Server Message Block” protocol (SMB).
A previously-unknown (zero-day) vulnerability to SMB was released via the Shadow Brokers purported dump of NSA-curated material, which occurred on 14 April. Microsoft has had patches available for all supported versions of their OS (Vista through Server 2016) since mid-April.
Like most ransomware variants, WannaCry encrypts many different types of data files, and then displays a popup to the victims, to inform them that in order to get their files back, they must pay the ransom via bitcoin or US dollars.
Guidance for WannaCry
- If not already 100 percent compliant, organisations must implement the patches that mitigate MS17-010 which can be found here.
- Organisations should implement and exercise their continuity of operations plan, if they do not have one consider taking time to develop one, even a modest plan can be better than having nothing.
- Organisations should implement regular backup mechanisms and test data recovery of assets such as workstations and servers. It is also important to establish increased security and monitoring around such backup architectures to ensure attackers do not also undermine centralised enterprise backup and recovery capabilities.
- Due to the self-propagating nature of this threat, organisations should determine where they might be vulnerable and if operationally feasible, compartmentalise their network to self-contain vulnerable assets until they can report 100 percent patching compliance.
- Organisations might want to consider implementing internal network blocks or disabling the SMB service all together if operationally feasible.
- Organisations can monitor internal network segments for unusual SMB v1 connections (TCP/139, TCP/445) be it scan activity or other.
- IDS rules have been available as early as 4/18/2017 to detect exploits of MS17-010.
- Most Windows ransomware tries to delete automatic backups by calling the “vssadmin” service.
- Ransomware often drops unusual executables on the system. WannaCry uses The Onion Router (TOR) executable to communicate for anonymised command-and-control.
- Ransomware almost always has unique file extensions that can be used as signatures for early detection.
- For critical assets (that are not Windows 10), organisations can consider running Microsoft Enhanced Mitigation Experience Toolkit.
The key for detection of ransomware is to find it early and contain it quickly. If, for example, you have unusual network activity to the C2 infrastructure for WannaCry then you could theoretically use an Adaptive Response or a manual process to block that communication so that the ransomware cannot properly execute and cause damage.
The current variant of WannaCry includes a “kill switch” routine, which runs before the self-propagation and encryption routines. When WannaCry executes for the first time on the host, it attempts to establish a connection to “http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. No secondary files are downloaded, the malware simply seeks to connect, and if it does, the program exits.
Which means if the domain is blocked and the connection fails, the program will drop and execute the ransomware component. (Note this domain has been sinkholed which has enabled MalwareTech to measure and track infections.)
Organisations might want to consider implementing a local equivalent. By establishing a Response Policy Zone (RPZ) for this domain and redirecting it to an internal non-production web service one can deceive the malware in executing its kill switch routine thus neutering the threat. It is also possible to obtain real-time indications and warning of any infection attempts, allowing investigation and conducting root cause analysis without suffering through the effects of a data destructive attack.
There are early indications that the framework for WannaCry might be modular in nature meaning it would be trivial for the WannaCry authors or copycat attackers to deliver follow on waves of self-propagating malware with different payloads that deliver different effects. Not all too different than a missile (the delivery vehicle) which carries a purpose-built warhead that can be interchangeable. It is important for organisations to maintain increased vigilance with agile and adaptable response capabilities due to the fluid nature of this risk.
Contributed by James Brodsky, Splunk Security SME & Rich Barger, director, Splunk Security Research
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.