Dry Those Tears: A Primer on Preventing, Detecting and Responding to Ransomware Like WannaCry

Given the vigorous growth of ransomware in 2016, it was just a matter of time before the fallout from the threat went from one-off victims to an all-out global stampede.

While you were winding down from the work week and prepping for a weekend away from the office, the fast-spreading WannaCry ransomware worm (also known as Wana, WannaCrypt and WCry) was just getting started in what has now mushroomed into the largest cyber extortion outbreak in history. The attack has left hundreds of thousands of computers at high-profile organizations across the world, including hospitals, reeling from WannaCry, which halted critical systems and prevented access to sensitive data.

While the aftermath of WannaCry, including locked computers and ransom demands (for up to $600 in bitcoin), wasn't unique to a ransomware incident, the lead-up to infection was. Unlike most ransomware campaigns that rely on exploit kits and phishing emails to poison victims, WannaCry takes advantage of a "wormable" Microsoft Windows SMB vulnerability (nicknamed "Eternal Blue" and officially enumerated as MS17-010) to spread. In March, Microsoft fixed the issue for supported Windows versions but did not patch the flaw on older OS platforms, including the still-widely used XP, which left many organizations ripe for an ambush.

 

Luckily, the patch and an apparently inadvertent built-in " kill-switch" helped mollify the extent of the already historic attack - but experts expect updated variants that scrap the kill-switch to continue to ravage businesses.

As we've said before, because ransomware is so profitable for its perpetrators, it will continue with zeal - whether the threat is WannaCry or something else. Organizations must make prevention, detection and response a priority as part of a mature security program.

Let us help you cover your bases.

General Protection Advice

  • Perform regular backups of important data using (physically or logically) isolated media. Remember, accessible network shares can be infected as well.
  • Apply security patches on regular basis (for your operating systems and browsers and for third-party software and plug-ins like Java, Adobe Flash and Reader, and Microsoft Office).
  • Run anti-virus, with the latest signatures, in all environments.
  • Browse the web using a secure web gateway. (SWGs should work with IP/domain blacklists and additional web inspection controls).
  • Send and receive email using a secure email gateway.
  • Practice the principle of least privilege. Do not allow regular users to have administrator privileges in their systems whenever possible.
  • Enable browser pop-up blockers.
  • Disable the Windows script host whenever possible.
  • Block traffic to/from Tor and other anonymity networks.
  • Block SMB traffic in your border firewall and SMBv1 traffic in your LAN.
  • Dispense security awareness education for the entire organization.

Technology Advice for Prevention and Detection

Trustwave customers will find active protection against WannaCry and other ransomware campaigns in many of our security offerings, including:

  • Trustwave Secure Email Gateway
  • Trustwave Secure Web Gateway (by default SWG will block any Tor-based communications that the malware attempts to use)
  • Trustwave Managed Detection & Response (MDR) for Endpoints (More  information is available here from one of our partners)
  • Trustwave Anti-Virus
  • Trustwave Unified Threat Management
  • Trustwave Vulnerability Scanner

Response Advice: A Q&A with Trustwave SpiderLabs Security Consultant Lucas Donato

Hi Lucas. So far in this blog post we have listed many excellent tips to help avoid a ransomware attack, but if an infection does sneak through, what is the first step you should take?

You can start by disconnecting the affected machines from the internet and monitoring anomalous behavior in your network (not only internal but also suspicious outbound connections, like Tor protocols etc.). You can also block vulnerable protocols (like SMBv1) while attempting to apply the latest anti-virus definitions and security updates in the remaining environment. Your network segmentation controls can be your best friend here. It is important to note that every recommendation must follow an impact analysis from your team.

Ideally, though, you should rely on a managed detection and (MDR) service. It allows your company to proactively identify, respond, remediate, and hunt for these kinds of attacks. Such a service should have full access to all endpoints and use automated system correlation and behavioral anomaly analysis to identify malicious indicators, along with threat intelligence.

What if you don't know which machine is infected?

In the WannaCry scenario, you can monitor your network and web gateways looking for suspicious traffic like Tor, network requests for the ransomware's known command-and-control servers or the ransomware's kill-switch URLs. The sources for these connections are likely to be infected. In other cases, it is always good practice to monitor suspect processes in endpoints, connections to other hosts, and unusual usages of CPU/memory resources. An aforementioned MDR service can help you with this. Finally, there are some free security tools available that can help you with scanning your internal IP ranges and probing for specific vulnerabilities, like using Nmap scripting (to look for MS17-010 vulnerable hosts).

How can you stop a ransomware infection from further spreading across your environment?

In most cases, this is possible by using an intelligent security endpoint solution, interrupting ("killing") processes related with the malware and applying virtual patches. You can also help stop the spread of the infection by following the steps below:

  • Block SMB Port 445, traffic in your internet border firewall. (The vulnerability exploited in WannaCry is SMB-related).
  • Update anti-virus signatures. AV vendors offer protection for this and other ransomware variants.
  • Assure that all Windows systems have an anti-virus solution running.
  • Block SMBv1 traffic in your LAN if it is not necessary.
  • Block Tor (dark web) traffic.
  • Apply the latest security updates in your Windows systems, particularly MS17-010 to halt WannaCry.
  • Block access to the ransomware's known command-and-control (C&C) servers.
  • Disconnect or isolate affected machines when necessary and applicable. Alternatively, block connections with destination port TCP 139/445/3389 in these machines.
  • Do not block access to the malware kill-switch domains. (This is specific to WannaCry).

What should you do if you have previously backed up your data? What if you haven't?

Following your business recovery priorities and depending on your back-up strategy, a possible scenario is to guarantee that hosts are cleaned before restoring data on them. Specific to WannaCry, if you can't apply a security patch right now, you should at least guarantee the firewalls or similar devices are in place to restrict access to dangerous ports and protocols on these hosts. Sorry to say, but if you haven't backed up your data, you may not be able to recover it.

This is where things can get controversial: Should you negotiate and/or pay the attackers so you can regain access to your systems and data?

This situation needs to be viewed by both sides. If you pay, you are stimulating the growth of the cybercriminal ecosystem. Also, knowing that your paid for the ransom, there is possibility that criminals will target your organization again. On the other hand, if you don't have backups and you don't pay, there is a chance that you will lose your data.

Assuming you are a bound by a data breach notification law, are you legally required to report the ransomware attack?

We always advise you to seek legal counsel regarding breach notification obligations.

What are your obligations from a forensic and investigation standpoint?

In case you have legal obligations to report a breach, it is expected that the investigation is conducted in a forensically sound manner. This includes identifying and preserving evidence relevant to the breach. Sources of digital evidence will include network device logs, SIEM logs and direct evidence from any compromised systems. If you are not required to report a breach, this would be a decision based on business risks.

I would imagine this entire response process can go a lot smoother if you previously had practiced for such an incident through incident readiness planning?

Absolutely. Tabletop exercises on ransomware attacks and malware outbreaks are one of our favorites when working with our clients. When you have an established computer security incident response team (CSIRT) and have the right tools and incident response planning in place, you are in a much better position to repeal these threats from your environment.

Final question, this one related to patches. Many are blaming the companies that were hit with WannaCry for being slow to patch or upgrade beyond Windows XP, but because of reasons  like complexity, cost and risk of downtime, updating can be hard. How do you overcome it? 

Your security patch management program should be driven by risk, with "critical" and "high" vulnerabilities being patched in a smaller time window than those less critical. When you can't apply patches for any reason, you should work with compensating controls. In the case of WannaCry, you can work with some alternatives, such as: virtual patches, IPS signatures, network segmentation, host and network firewalls, secure filtering on the web gateway and email gateway, etc.

Additional Resources

Trustwave has previously prepared resources related to ransomware defense and response. They include:

 

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.