WannaCry – Where we are right now

On Friday, 12 May 2017, a large cyber-attack using WannaCry ransomware was launched, infecting more than 200,000 computers in over 150 countries. In this blog, we outline what the attack was and what organisations should be doing to protect and defend themselves from this attack and similar attacks that may occur in the future.

So what is WannaCry and why all the Hype ?

The first thing to understand is that WannaCry is a ransomware attack, and in that regard is very similar to ransomware attacks that we see and deal with on a daily basis.  Malicious code runs on an end system encrypting files and then demanding a ransom, typically in Bitcoins. The strong encryption (RSA-2048) used by WannaCry ensures that it next to impossible to decode by other means, although there are some tools such as WannaKiwi which can work in some circumstances. This leaves users with the option to either pay the ransom in the hope that they will get their data back, or wipe their machine and restore from a backup that they should have.

What makes WannaCry different from most ransomware is that in addition to infecting a local machine and its attached drives, it can also infect other machines that it can connect to using known vulnerabilities. In finding its way to new endpoints and networks, WannaCry scans for hosts with port 445 open (port 445 is the port over which  the Server Message Block (SMB) network communications protocol takes place), and then leverages two known SMB exploitation modes to compromise these hosts and infect them with the ransomware malware and the cycle continues.

So how could have this have been stopped.

There are two aspects to answering this, first how could the initial infection have been stopped, and secondly how could the ransomware worm have been stopped from replicating through networks.

Looking first at how the ransomware could have been stopped spreading through a network, this is relatively straightforward. The vulnerability MS17-10 has been known and patches have been available for most of the Microsoft systems affected since April 2017. Identifying, testing and patching vulnerable hosts is a simple matter, and would have been the first line of defence for this attack.
Using tools such as IBM QRadar Vulnerability Manager (QVM), or Qualys you can very quickly identify hosts that are vulnerable and then use a tool such as IBM BigFix to rapidly deploy patches.

Any organisation that had its patching regime up to date would have been able to stop an infected host infecting the rest of the network. At the time of writing it appears as if the only initial vector for WannaCry has been an infection based in the SMB vulnerabilities, and so for organisations that were properly patched the most likely would have stopped the initial infection.

In addition, network segmentation and restricting the allowed communication flows between zones to prevent the spread of worms within the organisation and between organisations/partners would have prevented the spread of the malware.
Finally, at the network level, IPS and firewalls such as Fortinet’s Fortigate and IBM’s XGS have had signatures in place to detect and block command and control communication traffic. These signatures would have been in place since April. If you allow external access SMB to internal hosts (ports 139 and 445), these should be blocked using perimeter security devices as well.

I haven’t had an outbreak should I do anything now?

Even if you haven’t had an outbreak there are a number of things you should be doing right now:
First ensure that all your systems are patched using solutions such as IBM BigFix, and for those legacy system that for some reason you cannot patch either isolate them from the network, or use application whitelisting using solutions such as those from McAfee and Carbon Black, which ensure that the end systems can only run and execute programs known and permitted by your security policy.

In addition to patching the endpoint, organisations should consider disabling SMBv1, and SMBv2 on endpoints only permitting SMBv3, and should search their networks using tools such as BigFix Query to determine if there are any infected endpoints on their network that need to be remediated.

You should ensure that your anti-virus product has the latest signatures and IOCs.

Lastly review and re-educate your workforce through security awareness programs.

Ward Solutions Managed Security Services:
As you can see protecting, defending, detecting and responding to cyber-attacks such as the WannaCry ransomware requires an organisation to have capability and cyber security skillsets across a range of endpoint, server, application, and network infrastructures.
At Ward Solutions, we have developed a set of interconnected security consulting and managed services to help organisations to help organisations tackle these complex demands.

Delivered from our Security Operations Centre (SOC), we provide:

• Ransomware Protection Services. A set of interconnected services, specifically aimed at ransomware.
• Vulnerability Management Services (QRadar/Qualys), which assess the level of risk by exposing vulnerabilities in an organisation.
• Information Protection solutions such as managed firewall, IPS, endpoint and patch management to protect an organisation from the latest cyber threats (Fortinet, IBM, McAfee).
• Security Analytics (SIEM) to detect whats happening across a complete organisation, covering endpoints, servers, mobile devices, applications, databases, networks and users.
• Embedded threat intelligence, which enrich all our services with the latest indicators of compromise and indicators of attack.
• Incident Management services which orchestrate and manage response to security incidents.

Ransomware Defence – what to have in place in case of other ransomware attacks?
As we said at the start, ransomware is something that we encounter on a daily basis, so what are the main steps you should be taking to protect against future attacks (note that these are addressed in more detail through our Ransomware Protection Services:

1. Implement security awareness and training programs so that everyone in your organisation is aware of the threat of ransomware and how it’s delivered to endpoints.
2. Perform regular backups, as in the event of a successful attack these may be your only option for service recovery.
3. Configure perimeter security devices such as Next Generation Firewalls and IPS to block known malicious IP addresses.
4. Implement a centralised vulnerability and patch management solution.
5. Implement mail gateway solutions with SPAM filtering to filter phishing emails and detect and filter executable files from reaching end users.
6. Implement next generation antivirus solutions, which not only protect, but can also detect and respond to security threats.
7. Implement a holistic and centralised security operations and management approach through a Security Operations Centre (SOC).
8. Have a documented and tested Incident Response capability.

Ward Solutions is Ireland’s leading information security provider. Contact sales@ward.ie / sales@wardinfosec.co.uk or call +353 1 6420100/ +44 28 90 730 187 to discover our range of information security solutions and discuss your unique requirements.

Ward Solutions Update II- Security Advisory Notice: Ransomware Wannacry

Security Advisory Notice – Ransomware Wannacry –Ward Solutions Update II
Issued by Ward Solutions Security Operations Centre
May 15, 2017

Following on from our Security Advisory Notice – Ransomware 12^th May 2017 we have additional vendor specific recommendations that may be applicable to your environment as listed below.

Microsoft

Ensure patched on MS17-010 and disable outdated protocol SMBv1.
Microsoft have taken the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

Relevant links to patches via:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

McAfee

Create a custom access rule in AV to block *.wcry, *.wnry, *.wncryt and  *.wncry. extensions or create it on your email gateway/IPS so it quarantines all attachments with the *.wcry, *.wnry, *.wncryt and  *.wncry extension.

Firewalls / IPS

We recommend blocking the following IP addresses in / out on perimeter firewalls (recommendation from eGov Networks):

197.231.221.221                128.31.0.39                         149.202.160.69
46.101.166.19                     91.121.65.179                     2.3.69.209
146.0.32.144                       50.7.161.218                       217.79.179.177
212.47.232.237                  81.30.158.223                     79.172.193.32
38.229.72.16

We recommend blocking the following IP addresses in / out on perimeter firewalls (recommendation from various sources ie McAfee, Payload Security, Cisco Talos etc.):

104.131.84.119                  128.31.0.39                         136.243.176.148                146.0.32.144
163.172.153.12                  163.172.185.132                163.172.25.118                  163.172.35.247
171.25.193.9                       178.254.44.135                  178.62.173.203                  185.97.32.18
188.138.33.220                  188.166.23.127                  192.42.115.102                  193.23.244.244
198.199.64.217                  2.3.69.209                            212.47.232.237                  213.239.216.222
213.61.66.116                     213.61.66.116                     217.172.190.251                217.79.179.77
50.7.151.47                         51.255.41.65                       62.138.10.60                       62.138.7.231
82.94.251.227                     83.162.202.182                  83.169.6.12                         86.59.21.38
89.45.235.21                       94.23.173.93                       185.97.32.18                       136.243.176.148

Key Reminders:

As recent news indicates WannaCry may potentially change variant and continue to breach organisations defences so key reminders on the basics of protecting against ransomware:

• New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
• Keep operating systems and other software updated.
• Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments. Ensure all staff are reminded to be extra vigilant.
• Be extremely wary of any Microsoft Office email attachment that advises to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
• Backing up important data is the single most effective way of combating and recovering from a ransomware infection. Ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
• Isolate unpatched systems from the larger network.
• Ensure that access to files and fileshares is on a least privilege basis

What Makes WannaCry Notable

While WannaCry (WanaCrypt or Wcry) is ransomware that works like other malware of its type it has a few additional intricacies that highlight just how sophisticated Ransomware is becoming:

• Technically the WannaCry ransomware behaves like many other similar malwares but with the additional ability to leverage an SMB exploit to worm its way through a network and infect numerous users
• The Malware was a leaked exploit which often gives rise to malicious actors utilising them for ill gain as on this occasion
• The Malware uses strong symmetric encryption employing RSA 2048-bt cipher to encrypt files.
• The malwares architecture is modular so more than likely this malware is generated by a group rather than an individual actor.

Further information on the WannaCry Ransomware and how it works can be found at:
https://securityintelligence.com/wannacry-ransomware-spreads-across-the-globe-makes-organizations-wanna-cry-about-microsoft-vulnerability/

If you would like additional information or would like support in implementing preventative measures in your environment, please call us at +353 1 642 0100 or +44 (0) 28 9073 0188 e-mail us at support@ward.ie or sales@ward.ie, as appropriate.

Immediate Action Required: Critical Security Advisory – Wannacry Ransomware!

 
Ransomware has become such a pervasive threat to industry and the public at large, that it is now a household name. More recently, however, the vectors through which the virus spreads have changed, making ransomware more dangerous than ever before.
 
On May 12^th, Reuters reported a number of high profile Spanish companies had been hit by a new strain of Ransomware called Wannacry, leading to significant disruption to business operations. ¹ The Spanish National Cryptological Centre (CCN) have confirmed this report, and have labelled this a ‘massive attack,’ of a ‘very high’ severity, urging all systems administrators to take immediate action to mitigate vulnerability.
 
Additionally, reports are incoming from the UK where NHS sites have been targeted, forcing hospitals to divert patients³. Ward recommend that all our customers take immediate action to mitigate against the threat of the Wannacry ransomware.
What is Ransomware all about?
 
Ransomware is any program that either encrypts the affected user’s files or locks their device, leaving it in an unusable state, with the intention of demanding payment for the release or decryption of their files. The malware is spread most commonly via malicious links or attachments in spam emails or increasingly by infected 3^rd party sites. In the past, strains of ransomware have included crypto-ransomware such as Cryptowall and Teslacrypt, which directly encrypts user files and folders ; and also Locker-ransomware, which saw a rise throughout 2016. Locker-ransomware, including variants such as Locky, and CryptoLocker, are typically transmitted through maliciously crafted Microsoft Office attachments.
 
Why You Should be Concerned?
 
The recent news reports coming out of Spain demonstrate that this variant of Ransomware is unlike any encountered before in that the virus is spreading by exploiting a Microsoft vulnerability. This particular strain is called Wannacry, and it spreads by using a samba vulnerability in Microsoft to infect shared drives within a networked organisation.
 
The Samba vulnerability is known to Microsoft, having been disclosed on March 14^th, 2017, and affects most Windows version including the below;
 

• Microsoft Windows Vista SP2
• Windows Server 2008 R2 SP1 and SP2
• Windows 7
• Windows 8.1
• Windows RT 8.1
• Windows Server 2012 R2 and
• Windows 10
• Windows Server 2016

 
Ward recommend that systems administrators immediately take action to patch against this Microsoft vulnerability, thereby mitigating against the Wannacry ransomware virus.
 
Further details on this patch can be found on the Microsoft support site here: https://support.microsoft.com/en-sg/help/4013389/title
 
If you are using McAfee ePO we additionally recommend you create a custom access rule in AV to block *.wcry and *.wncry.
 
If you would like additional information or would like support in implementing preventative measures in your environment, please call us at +353 1 642 0100 or +44 (0) 28 9073 0188 e-mail us at support@ward.ie or sales@ward.ie, as appropriate.
 
Further Reading:
¹ http://uk.reuters.com/article/us-spain-cyber-idUKKBN1881TJ
²  https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html
³ https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack?CMP=fb_gu