What is Ransomware?
Simply put, Ransomware is a form of malicious software, created and distributed usually by cyber criminals, which when installed on a victim’s computer, encrypts files on the local machine and on any other systems it can access over the network. It then holds the victim to ransom, demanding payment in exchange for a key to decrypt the data so they can recover their files.
What is WannaCry?
WannaCry is a form of Ransomware that leverages a security vulnerability in a common part of Microsoft Windows that allows it to rapidly spread to other vulnerable computers on the same network. This 'worming' capability has given it its unprecedented success in achieving many infected systems in a short space of time, and is the cause of major impact within organisations where it has taken.
How is this threat different to usual Ransomware?
WannaCry's propagation technique means it has had far greater spread and growth within each victim environment than previous ransomware examples. This is a rapidly disruptive and harder-to-contain incident within each infected environment.
Typically, Ransomware can be neutralised by identifying the infected host and removing it from the network. However, WannaCry’s worming capability means multiple hosts can become infected necessitating the identification and removal of all affected hosts, and the remediation of the underlying Windows vulnerability being exploited.
Who has been affected and why?
WannaCry has had its greatest impacts within organisations which had not applied the MS17-010 patch from Windows, or still have a Windows XP population within its enterprise estate.
As the Windows patch that fixes the vulnerability was released in March 2017 (or in the case of Windows XP, only on the 13th May 2017) many organisations with slower patch routines or out of support Windows installations have been hit hardest.
Is what we've seen so far 'it'?
As it can often take days or weeks for organisations to mitigate vulnerabilities through patching, attackers still have a window of opportunity for further repeats of such an attack.
Therefore it is possible that other threat actors (such as authors of competing Ransomware tools) will launch attacks using the same techniques. It is also possible that new versions of WannaCry will emerge and be part of future campaigns.
The following technical remediation advice should be followed.
How to prevent / limit infections, or reduce the impact
1) Patch MS17-010
- A patch has been released for all versions of Windows, including a one-off update for XP as a special measure.
- Check your provider has released detections and apply the updates.
- Check your AV configuration, ensuring auto update is turned on for all computers on your network.
- Monitor the Anti-Virus console, looking for any detections of WannaCry to enable a fast response.
3) Boarder security and Firewall configuration
- Ensure ports 445 and 139 are not publically accessible from the internet, inbound. Also consider restricting rules that allow inbound port 139 or 445 connections from IP Whitelisted external ranges (such as partners, subsidiaries, remote offices etc.)
- Port scan your external IP range looking for anything available on these ports.
- Ensure you have current backups.
- Ensure your backups are maintained offline so that they cannot become encrypted.
- Ensure you have no connected infected machines at the time of restoring from backup.
5) Deploy indicators into your protective monitoring capabilities to enable detection and prevent infection where possible
- If you have an endpoint threat detection and response tool, such as Carbon Black, deploy IOCs for the WannaCry hashes and apply process blacklisting.
- Deploy Network signatures into your IDS / IPS. These have been made available from a variety of good sources.
6) Do not block the kill switch domain, and ensure it resolves
- As the WannaCry ransomware tool is not ‘proxy aware’, if your organisation uses a proxy for HTTP requests, create a DNS Zone on your internal DNS server to forward requests to an internal webserver. This will prevent spread of infection of the current primary WannaCry strand.
If you need help...
If you are unsure what immediate actions you need to take to ensure your organisation is protected, please get in touch as we will be able to talk you through our list of recommended actions.
We can also assist with an initial port scan of your external IP range to ensure that port 445 and 139 are not accessible from the internet. Contact your account manager who can arrange this for you or send us an email here to arrange a scan.
If you suspect a breach has happened, contact our incident response team as soon as possible.
As always, Context’s advice to prevent any sort of breach happening to your organisation is to have a robust cyber strategy, which means having a clear understanding of what your threats and assets are, and then be in a position to protect, detect and respond to attacks. Context can work with your organisation to develop or optimise your existing cyber strategies so do get in touch with our team to see how we can help.