Internetwork Engineering Blog

What You Need to Know about WannaCry Ransomware

Written by Internetwork Engineering | May 19, 2017

The Internetwork Engineering (IE) Security Team, along with IE security partners, has been tracking and researching the massive ransomware outbreak now known as WannaCryptor 2.0, or WannaCry, since its discovery on May 12, 2017 by an independent security researcher. According to multiple Open Source Intelligence (OSINT) reports, the ransomware campaign has affected tens of thousands of systems in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan, a spread helped by the fact that it can run in as many as 27 different languages. Here's what you need to know about WannaCry ransomware and what you can do about it.


How It Works

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, demands $300 worth of Bitcoin within the first three days and $600 for the four days following. Once WannaCry has created a small number of new files, the payload checks for an active domain at hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the domain is not reachable, it proceeds to propagate itself across the victim machine's subnet via TCP 445. The .exe then proceeds to encrypt any directories it can find using 2048-bit RSA encryption.


Indicators of Compromise

Two of the most obvious indicators are that WanaCryptor 2.0 changes affected files' extensions to .WNCRY, and that the victim machine attempts to reach out across its network via TCP ports 445, 139, and 3389.

*A comprehensive list of Indicators of Compromise (IoCs) has been published by US-CERT and InfraGard; links are provided below.
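As an added example (not part of the original post), the following Python script applies the two indicators above to constructed log lines: it raises one alert when a host opens SMB sessions (TCP 445/139) to five or more distinct peers on its own /24 within a minute, flags RDP (TCP 3389) attempts, and flags files renamed to .WNCRY. The log format, the /24 assumption and the threshold are assumptions chosen for the example, not anything taken from the post.

```python
# Added example (not from the original post): flag the IoCs named above in
# constructed log lines: a host fanning out on TCP 445/139 to many peers on its
# own /24, RDP attempts, and files renamed to .WNCRY. Log format is an assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta
SMB_PORTS, RDP_PORT = {445, 139}, 3389
FANOUT_THRESHOLD, WINDOW = 5, timedelta(minutes=1)   # assumed tuning values

# Constructed sample: "<ts> src=<ip> dst=<ip> proto=TCP dport=<port>" flows
# and "<ts> file=<path>" file-system events.
SAMPLE_LOG = """\
2017-05-12T09:00:01 src=10.1.2.15 dst=10.1.2.20 proto=TCP dport=445
2017-05-12T09:00:02 src=10.1.2.15 dst=10.1.2.21 proto=TCP dport=445
2017-05-12T09:00:02 src=10.1.2.15 dst=10.1.2.22 proto=TCP dport=139
2017-05-12T09:00:03 src=10.1.2.15 dst=10.1.2.23 proto=TCP dport=445
2017-05-12T09:00:04 src=10.1.2.15 dst=10.1.2.24 proto=TCP dport=445
2017-05-12T09:00:10 src=10.1.2.30 dst=10.1.2.5 proto=TCP dport=445
2017-05-12T09:05:00 src=10.1.2.15 dst=10.1.2.30 proto=TCP dport=3389
2017-05-12T09:06:00 file=C:\\Users\\alice\\Documents\\budget.xlsx.WNCRY
"""
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=TCP dport=(\d+)$")
FILE_RE = re.compile(r"^(\S+) file=(.+)$")

def same_slash24(a, b):
    """Assumes /24 subnets: compare the first three dotted octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def detect(log_text):
    """Return (kind, source, detail) alerts; one fan-out alert per source."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            src, dst, port = m.group(2), m.group(3), int(m.group(4))
            if port in SMB_PORTS and same_slash24(src, dst):
                # keep only this source's SMB peers seen inside the window
                recent[src] = [(t, d) for t, d in recent[src] if ts - t <= WINDOW]
                recent[src].append((ts, dst))
                peers = {d for _, d in recent[src]}
                if len(peers) >= FANOUT_THRESHOLD and src not in flagged:
                    flagged.add(src)
                    alerts.append(("smb_fanout", src, f"{len(peers)} peers"))
            elif port == RDP_PORT:
                alerts.append(("rdp_attempt", src, dst))
        m = FILE_RE.match(line)
        if m and m.group(2).upper().endswith(".WNCRY"):
            alerts.append(("wncry_file", None, m.group(2)))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 10.1.2.15 for SMB fan-out and the RDP attempt, plus the .WNCRY file, while the single SMB connection from 10.1.2.30 stays silent.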


Threat Prevention and Mitigation

Our partners at Cisco’s Talos Intelligence group make two primary recommendations for mitigating the risk of infection:

  1. Ensure all Windows-based systems are fully patched. At a minimum, ensure Microsoft bulletin MS17-010 has been applied.
  2. In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

In addition, the IE Security Team makes the following recommendations:

  1. Ensure you’re running an actively supported operating system that receives security updates. If your organization is running any unsupported operating systems, such as Windows XP and earlier, every effort should be made to minimize that risk by removing those machines from your network.
  2. Implement an effective patch management process and solution that deploys security updates to endpoints and other critical parts of your network.
  3. Ensure you’re running an effective anti-malware solution, such as Cisco AMP for Endpoints or CrowdStrike Falcon, and that it receives malware signature updates.
  4. Ensure all business-critical and system data is backed up regularly and that backups are regularly tested.

Recommendations from United States Government

The U.S. Government recommends that users and administrators take the following preventive measures to protect their computer networks from falling victim to a ransomware infection:

  1. Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  2. Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and Domain Keys Identified Mail (DKIM) to prevent email spoofing.
  3. Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  4. Configure firewalls to block access to known malicious IP addresses.
  5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  6. Set anti-virus and anti-malware programs to conduct regular scans automatically.
  7. Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
  8. Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.
  9. Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
  10. Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  11. Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  12. Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  13. Execute operating system environments or specific programs in a virtualized environment.
  14. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.


Business Continuity Considerations

Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.


  1. Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.
  2. Conduct quarterly security assessments and an annual penetration test.
  3. Secure your backups. Ensure backups are not permanently connected to the computers and networks they are backing up. Examples: securing backups in the cloud or physically storing backups offline.


If you think your organization could be affected by WannaCry ransomware, or simply have questions about the potential risks and impacts, contact our Security Team. We’re available to meet with your personnel to assess your current security posture, offer onsite Security Awareness training, and provide a detailed plan and road map to reduce your risk and maintain business continuity. For more information on all our security offerings, visit our Security page.

Resources:

https://www.us-cert.gov/ncas/alerts/TA17-132A
http://blog.talosintelligence.com/2017/05/wannacry.html
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://support.microsoft.com/en-us/help/4013389/title
https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today
http://bgr.com/2017/05/13/ransomware-wannacry-cyber-attack-kill-switch/
https://blog.varonis.com/massive-ransomware-outbreak-what-you-need-to-know/