
    By Vincent Naughton on May 24, 2017

    On Friday, 12 May 2017, a large cyber-attack using WannaCry ransomware was launched, infecting more than 200,000 computers in over 150 countries. In this blog, we outline what the attack was and what organisations should be doing to protect and defend themselves from this attack and similar attacks that may occur in the future.

      So what is WannaCry and why all the hype?

      The first thing to understand is that WannaCry is a ransomware attack, and in that regard it is very similar to the ransomware attacks that we see and deal with on a daily basis. Malicious code runs on an end system, encrypting files and then demanding a ransom, typically in Bitcoin. The strong encryption (RSA-2048) used by WannaCry makes it next to impossible to decrypt the files by other means, although there are some tools, such as WannaKiwi, which can work in some circumstances. This leaves users with the option to either pay the ransom in the hope that they will get their data back, or wipe their machine and restore from a backup that they should have.

      What makes WannaCry different from most ransomware is that, in addition to infecting a local machine and its attached drives, it can also infect other machines that it can connect to, using known vulnerabilities. To find its way to new endpoints and networks, WannaCry scans for hosts with port 445 open (port 445 is the port over which the Server Message Block (SMB) network protocol is carried), then leverages two known SMB exploitation methods to compromise those hosts and infect them with the ransomware, and the cycle continues.

      So how could this have been stopped?

      There are two aspects to answering this: first, how could the initial infection have been stopped, and secondly, how could the ransomware worm have been stopped from replicating through networks.

      Looking first at how the ransomware could have been stopped from spreading through a network, this is relatively straightforward. The vulnerability (MS17-010) has been known, and patches have been available for most of the affected Microsoft systems, since April 2017. Identifying, testing and patching vulnerable hosts is a simple matter, and would have been the first line of defence for this attack.
      Using tools such as IBM QRadar Vulnerability Manager (QVM) or Qualys, you can very quickly identify hosts that are vulnerable, and then use a tool such as IBM BigFix to rapidly deploy patches.

      Any organisation that had its patching regime up to date would have been able to stop an infected host from infecting the rest of the network. At the time of writing it appears that the only initial vector for WannaCry has been exploitation of the SMB vulnerabilities, so for organisations that were properly patched this most likely would have stopped the initial infection as well.

      In addition, network segmentation, and restricting the allowed communication flows between zones to prevent the spread of worms within the organisation and between organisations/partners, would have prevented the spread of the malware.
      Finally, at the network level, IPS and firewalls such as Fortinet’s FortiGate and IBM’s XGS have had signatures in place to detect and block command and control traffic. These signatures would have been in place since April. If you allow external SMB access to internal hosts (ports 139 and 445), this should be blocked using perimeter security devices as well.
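      The two network-level behaviours described above, a host fanning out on port 445 to find new victims and SMB crossing zone or perimeter boundaries it should never cross, are both visible in ordinary firewall connection logs. The following is an added example, not code from this post or from any of the products it names: a small Python detector over a constructed log format. The zone map, the segmentation policy, the scan window and threshold, and the sample log lines are all assumptions made for the example.

```python
"""Added example, not code from the Ward Solutions post: a small detector that
reads firewall/connection log lines and flags two behaviours described above:
  1. an internal host fanning out to many distinct destinations on TCP/445 in a
     short window (worm-style SMB scanning), and
  2. SMB flows (TCP/139, TCP/445) that were allowed across a zone boundary the
     segmentation policy does not permit, including inbound SMB from outside.
The log format, zone map, policy and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}

# Assumed zone map (constructed for the example).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "partners": ip_network("172.16.0.0/12"),
}

# Assumed segmentation policy: (source zone, destination zone) pairs that may
# carry SMB. Anything else, and any flow from "external", is a violation.
ALLOWED_SMB_FLOWS = {
    ("workstations", "servers"),
    ("servers", "servers"),
}

SCAN_WINDOW = timedelta(seconds=60)   # assumed window
SCAN_THRESHOLD = 10                   # assumed: distinct 445 destinations per window


def zone_of(ip):
    """Map an address to a zone name; anything outside the known ranges is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line):
    """Parse the constructed log format: '<iso timestamp> <src> <dst> <dport> <ALLOW|DENY>'."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def find_segmentation_violations(lines):
    """Return (src, dst, dport, (src_zone, dst_zone)) for allowed SMB flows outside policy.

    Denied flows are ignored here: the perimeter or zone firewall already did its job.
    """
    violations = []
    for rec in map(parse_line, lines):
        if rec["dport"] not in SMB_PORTS or rec["action"] != "ALLOW":
            continue
        pair = (zone_of(rec["src"]), zone_of(rec["dst"]))
        if pair not in ALLOWED_SMB_FLOWS:
            violations.append((rec["src"], rec["dst"], rec["dport"], pair))
    return violations


def find_smb_scanners(lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return {src: peak distinct TCP/445 destinations in any window} for sources at or over threshold.

    Denied connections count too: a scanning host is worth finding even when the
    firewall is already dropping its probes.
    """
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["dport"] == 445:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # every event from i onward that falls inside the window opened by this one
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


# Constructed sample log: one benign flow, two policy violations, then a burst
# in which one workstation probes twelve neighbours on 445 inside 30 seconds.
SAMPLE_LOG = [
    "2017-05-12T10:00:00 10.10.1.5 10.20.0.10 445 ALLOW",      # workstation -> file server, fine
    "2017-05-12T10:00:05 203.0.113.7 10.10.1.5 445 ALLOW",     # inbound SMB from the internet
    "2017-05-12T10:00:09 172.16.4.4 10.10.1.9 139 ALLOW",      # partner zone into workstations
]
SAMPLE_LOG += [
    f"2017-05-12T10:01:{i * 2:02d} 10.10.1.20 10.10.2.{i} 445 DENY" for i in range(1, 13)
]

if __name__ == "__main__":
    for v in find_segmentation_violations(SAMPLE_LOG):
        print("SMB outside policy:", v)
    for src, peak in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner {src}: {peak} distinct hosts on 445 within {SCAN_WINDOW}")
```

      Run as-is it reports the two allowed SMB flows that cross a forbidden boundary and the one workstation that touched twelve distinct hosts on 445 within a minute. The two checks deliberately treat denied traffic differently: a denied cross-zone flow is the firewall working, while a denied probe still tells you which host is doing the probing.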

      I haven’t had an outbreak; should I do anything now?

      Even if you haven’t had an outbreak, there are a number of things you should be doing right now:
      First, ensure that all your systems are patched using solutions such as IBM BigFix, and for those legacy systems that for some reason you cannot patch, either isolate them from the network or use application whitelisting using solutions such as those from McAfee and Carbon Black, which ensure that the end systems can only run and execute programs known to and permitted by your security policy.

      In addition to patching the endpoint, organisations should consider disabling SMBv1 and SMBv2 on endpoints, permitting only SMBv3, and should search their networks using tools such as BigFix Query to determine whether there are any infected endpoints on their network that need to be remediated.

      You should ensure that your anti-virus product has the latest signatures and IOCs.

      Lastly review and re-educate your workforce through security awareness programs.

      Ward Solutions Managed Security Services:
      As you can see, protecting, defending, detecting and responding to cyber-attacks such as the WannaCry ransomware requires an organisation to have capability and cyber security skillsets across a range of endpoint, server, application and network infrastructures.
      At Ward Solutions, we have developed a set of interconnected security consulting and managed services to help organisations tackle these complex demands.

      Delivered from our Security Operations Centre (SOC), we provide:

      • Ransomware Protection Services. A set of interconnected services, specifically aimed at ransomware.
      • Vulnerability Management Services (QRadar/Qualys), which assess the level of risk by exposing vulnerabilities in an organisation.
      • Information Protection solutions such as managed firewall, IPS, endpoint and patch management to protect an organisation from the latest cyber threats (Fortinet, IBM, McAfee).
      • Security Analytics (SIEM) to detect what’s happening across a complete organisation, covering endpoints, servers, mobile devices, applications, databases, networks and users.
      • Embedded threat intelligence, which enriches all our services with the latest indicators of compromise and indicators of attack.
      • Incident Management services which orchestrate and manage response to security incidents.

      Ransomware Defence – what to have in place in case of other ransomware attacks?
      As we said at the start, ransomware is something that we encounter on a daily basis, so what are the main steps you should be taking to protect against future attacks? (Note that these are addressed in more detail through our Ransomware Protection Services.)

      1. Implement security awareness and training programs so that everyone in your organisation is aware of the threat of ransomware and how it’s delivered to endpoints.
      2. Perform regular backups, as in the event of a successful attack these may be your only option for service recovery.
      3. Configure perimeter security devices such as Next Generation Firewalls and IPS to block known malicious IP addresses.
      4. Implement a centralised vulnerability and patch management solution.
      5. Implement mail gateway solutions with SPAM filtering to filter phishing emails and detect and filter executable files from reaching end users.
      6. Implement next generation antivirus solutions, which not only protect, but can also detect and respond to security threats.
      7. Implement a holistic and centralised security operations and management approach through a Security Operations Centre (SOC).
      8. Have a documented and tested Incident Response capability.
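      Step 5 above asks the mail gateway to stop executable files from reaching end users. A filter that only looks at the file extension is easy to get past with a renamed file or a zip wrapper, so the check has to look at content. The following is an added example, not code from this post or from any gateway product: a Python attachment check that recognises a Windows executable by its PE header bytes whatever the file is called, and looks inside zip archives with a size and nesting limit so that a deliberately huge or deeply nested archive cannot exhaust the scanner. The extension list, limits and sample attachments are constructed for the example.

```python
"""Added example, not code from the Ward Solutions post: an attachment check of
the kind a mail gateway applies for step 5 above. It decides by content, not by
file extension, whether an attachment is an executable (Windows PE files start
with the two bytes 'MZ'), and looks inside zip archives, the usual wrapper for
executables sent by mail. The extension list, limits and sample attachments are
constructed for the example.
"""
import io
import zipfile

# Assumed list of extensions the gateway treats as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".ps1"}
PE_MAGIC = b"MZ"                     # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"            # local file header of a zip archive
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed limit: refuse to expand huge members
MAX_NESTING = 3                      # assumed: zip-in-zip depth we are willing to follow


def extension_of(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def classify(name, data, depth=0):
    """Return the list of reasons to quarantine this attachment; empty means clean."""
    reasons = []
    ext = extension_of(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"{name}: executable extension {ext}")
    if data.startswith(PE_MAGIC):
        reasons.append(f"{name}: PE header, content is an executable whatever the extension")
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_NESTING:
            reasons.append(f"{name}: archive nested too deeply to inspect")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_name = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"{inner_name}: member too large to inspect")
                        continue
                    reasons.extend(classify(inner_name, zf.read(info.filename), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: malformed zip archive")
    return reasons


def scan_attachments(attachments):
    """Map each attachment name to its quarantine reasons; clean attachments are omitted."""
    flagged = {}
    for name, data in attachments.items():
        reasons = classify(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_zip(members):
    """Constructed helper: build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (the "executables" are just an MZ header plus padding).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4 constructed sample, not a real document",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # double extension, PE content
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # PE renamed to look like a PDF
    "documents.zip": build_zip({
        "notes.txt": b"plain text",
        "update.scr": b"MZ\x90\x00" + b"\x00" * 60,
    }),
}

if __name__ == "__main__":
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

      Of the four constructed attachments only invoice.pdf passes: the renamed executable is caught by its header, the double-extension file by both checks, and the zip by the screen saver inside it. Real gateways add other container formats and macro-bearing Office documents to the same approach; the point is that the decision rests on what the bytes are, not on what the sender called the file.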

      Ward Solutions is Ireland’s leading information security provider. Contact sales@ward.ie / sales@wardinfosec.co.uk or call +353 1 6420100/ +44 28 90 730 187 to discover our range of information security solutions and discuss your unique requirements.
