If you are an IT professional, this is the post for you! We have facts about WannaCry and recommended action items, explained in detail. If you are a non-IT professional and are responsible for other functions in your organization, please click here to read the blog post written for you!
On Friday, May 12, 2017, a ransomware variant called “WannaCry” infiltrated several UK-based National Health Service locations. Since then, it has spread across 200 countries and infected more than 200,000 endpoints.
WannaCry is a ransomware variant that leverages a known vulnerability in Microsoft’s SMB implementation, exploited by EternalBlue, and targets unpatched Windows operating systems (Windows XP, 8, Vista, 7, 2012, 10, and Server 2003). Infected users find their files encrypted, with decryption offered in exchange for a $300 ransom paid in bitcoin. The malware has been documented propagating laterally, rapidly infecting neighbouring endpoints. Microsoft has since released a patch covering legacy operating systems (Windows XP and onward).
A short-term “kill-switch” was identified that prevented the infection of additional systems. Since then, new variants of the malware, which lack the kill-switch, have been reported. As of May 15, 2017, the threat is still prevalent and at large.
It is important to note that you can still be vulnerable even if you are running supported versions of Windows. Just because a patch is available does not mean it has been applied and you are secure. Ensure your systems are patched and up to date.
Eliminate all WannaCry Misconceptions
Important information is getting lost amongst the online clutter. We have collected facts about WannaCry so that you can take the time to review and eliminate all WannaCry misconceptions.
- The most common WannaCry variant uses IPC$ shares and SMB resources to propagate.
- WannaCry leverages and exploits EternalBlue – the exploit drops an executable onto the targeted system, which performs a beacon check against the kill-switch domain. If it doesn’t receive a response, the malware executes the ransomware routines.
- WannaCry installs the DOUBLEPULSAR backdoor. It also corrupts volume shadow copies to make recovery harder.
- On the local network, it scans all enumerated addresses on its LAN for open TCP ports 445 and 139 (the SMB ports).
- On the internet, it scans random IP addresses to see whether port 445 is open. If it finds one with an open port, it scans all devices in the same /24 range (i.e. IP addresses that share the first three octets) as the found address.
- WannaCry terminates SQL Server, Exchange and MySQL processes and installs Tor on the endpoint.
- When the ransom demand time elapses, the malware writes a file of up to 1 GB into the host disk’s free space and then deletes it.
- An earlier variant of WannaCry had been documented before this outbreak.
Immediate actions to take – If you have not been infected
Patch or Inoculate OS
Determine your exposure and the potential risk implications – identify and document outdated Windows operating systems. Apply the recently released Microsoft patch to legacy operating systems, and Microsoft’s March 2017 patch to supported ones.
Back Up Your Data
- Make the time to back up all critical data to the cloud and/or to an external hard drive.
- Create an image of your current operating system to prevent future data loss.
Disable Unused Ports
- Assess your organizational exposure for all internet-facing devices. Maintain a dynamic and frequently updated listing of active ports.
- Close all unnecessary ports and adopt the principle of least privilege. Disable legacy protocols such as SMBv1.
- Send internal alerts to educate employees on the WannaCry threat campaign.
- Deliver security training sessions on threat mitigation tactics; foster a culture of organizational situational awareness.
- Send external alerts to clientele; proactively address any efforts undertaken to combat the threat.
- Schedule cadence meetings with your managed service providers and third-party vendors to discuss WannaCry.
- Share this intelligence and actively collaborate with external stakeholders to manage any potential risk.
- Review your threat intelligence program and ensure that its feeds are being consumed and acted on. Timely intelligence can give you a crucial head start against threat actors.
- Install EPP vendor updates. Ensure endpoint protection solutions incorporate the most recent indicators of compromise and updated signature lists. Adopt machine learning and heuristic-based analysis to monitor threats in real time.
- Block all connections to Tor nodes.
- Block relevant indicators of compromise. Reference the appendix for a comprehensive list of IOCs.
- Formalize incident response procedures. Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.
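The “Patch or Inoculate OS” and “Disable Unused Ports” items above, as an added PowerShell example (this is not code from the original post or from ProServeIT). It assumes an elevated session on Windows 8/Server 2012 or later, where the SmbShare and NetSecurity modules exist; for Windows 7/Server 2008 R2 it falls back to the LanmanServer registry switch. The SMBv1 audit functions need Windows 10/Server 2016 or later, and the IOC address list is a constructed placeholder to be replaced with the post’s appendix.

```powershell
# Added example, not from the original post: assess patch level and SMB exposure,
# find remaining SMBv1 clients, then disable SMBv1 and block inbound SMB on the public profile.

function Get-PatchStatus {
    # OS build plus every update installed since Microsoft's March 2017 release cycle;
    # compare the KB list against Microsoft's guidance for this OS version.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Caption   = $os.Caption
        Version   = $os.Version
        LastBoot  = $os.LastBootUpTime
        RecentKBs = @(Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-14' } |
                      Select-Object -ExpandProperty HotFixID)
    }
}

function Get-SmbExposure {
    # Listeners on the SMB/NetBIOS ports and the process that owns each one.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-Smb1Status {
    # $true means this host still accepts SMBv1 connections.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Enable-Smb1Audit {
    # Windows 10 / Server 2016+: log each SMBv1 session as event ID 3000 in
    # Microsoft-Windows-SMBServer/Audit, so legacy clients are found before the cut-off.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    # Distinct audit messages (each names the client address) from the SMBv1 audit log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } | Sort-Object -Unique
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server side first, then the optional feature that carries the client driver.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    } else {
        # Windows 7 / Server 2008 R2: Microsoft's documented registry switch; a reboot applies it.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Inbound 139/445 blocked while on the Public profile. Windows Firewall evaluates
    # Block rules ahead of Allow rules, so keep this rule's scope exactly as wide as intended.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (public profile)' -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Profile Public -Action Block | Out-Null
}

function Block-IocAddresses {
    # Outbound block for IP indicators. The default list is a constructed placeholder
    # (TEST-NET documentation ranges); replace it with the IOC appendix referenced in the post.
    param([string[]]$Addresses = @('192.0.2.10', '198.51.100.23'))
    New-NetFirewallRule -DisplayName 'Block outbound to ransomware IOC addresses' -Direction Outbound `
        -RemoteAddress $Addresses -Action Block | Out-Null
}

# Assessment only; run the Disable-/Block- functions once the SMBv1 client list is empty.
Get-PatchStatus | Format-List
Get-SmbExposure | Format-Table
"SMBv1 enabled: $(Get-Smb1Status)"
```

Run the assessment on every host first: a printer, scanner or legacy appliance that still speaks SMBv1 will break when `Disable-Smb1` is applied, which is why `Enable-Smb1Audit` and `Get-Smb1Clients` come before it. The firewall rule is deliberately scoped to the Public profile; an internet-facing server needs an edge filter rather than a host rule alone.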
Immediate actions – If you have been infected
- Shut down and disconnect any infected systems as part of your overall risk mitigation strategy.
- Isolate the infected host from the network if possible.
- Do not attempt to clean the system or run any AV or malware scans. These processes are done later.
- Assess your organizational exposure for all internet-facing devices. Determine why open ports are open. Maintain a dynamic and frequently updated listing of active ports.
- Close all unnecessary ports (disable SMBv1) and adopt the principle of least privilege.
Analyze the Scope
- Determine exactly how much of your network has been infected and how many files have been compromised.
- Identify any connected devices that had access to the infected device. Create an inventory of infected devices so you know what must be restored from backup.
- For each connected device, check for signs of infection, e.g. perform a file scan for encryption, file rename spikes, or other signs of ransomware.
- Report your experience: organizations that have fallen victim to a ransomware attack are encouraged to work with their local law enforcement office.
- Send internal alerts to educate employees on the WannaCry threat campaign.
- If client-facing operations have been impacted, work with your legal or field department to communicate to your customers. Proactively address any efforts undertaken to combat the threat.
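The per-device check described under “Analyze the Scope” (a scan for encrypted files and rename spikes), as an added PowerShell example that is not from the original post. It scores recently written files by Shannon entropy, which approaches 8 bits per byte for encrypted content, and groups recent files by extension so that a sudden new extension stands out. The thresholds, window and extension exclusion list are assumptions to tune per environment.

```powershell
# Added example, not from the original post: heuristic scan of a directory tree for
# ransomware signs, namely a burst of recent writes/renames and random-looking file contents.

function Get-FileEntropy {
    # Shannon entropy (bits per byte, 0..8) of the first $SampleBytes of a file.
    # Plain documents sit well below 7; encrypted or compressed data approaches 8.
    param([string]$Path, [int]$SampleBytes = 65536)
    $buffer = New-Object byte[] $SampleBytes
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($buffer, 0, $SampleBytes) }
    finally { $stream.Dispose() }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($count in $counts) {
        if ($count -gt 0) {
            $p = $count / $read
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-RansomwareSigns {
    param(
        [Parameter(Mandatory)][string]$Root,
        [double]$EntropyThreshold = 7.5,   # assumption: above this a file looks encrypted
        [int]$WindowMinutes       = 30,    # assumption: how far back "recent" reaches
        [int]$BurstThreshold      = 200    # assumption: recent writes that count as a spike
    )
    # Formats that are compressed or encrypted by design; they score high without being ransomed.
    $noisyExtensions = '.zip', '.7z', '.gz', '.rar', '.jpg', '.png', '.mp4', '.docx', '.xlsx', '.pptx', '.pdf'

    $cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
    $recent = @(Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $cutoff })

    $encryptedLooking = foreach ($file in $recent) {
        if ($file.Extension.ToLower() -in $noisyExtensions) { continue }
        $entropy = Get-FileEntropy -Path $file.FullName
        if ($entropy -ge $EntropyThreshold) {
            [pscustomobject]@{ Path = $file.FullName; Entropy = [Math]::Round($entropy, 2) }
        }
    }

    # A rename spike shows up as one unfamiliar extension dominating the recent files.
    $topExtensions = $recent | Group-Object { $_.Extension.ToLower() } |
        Sort-Object Count -Descending | Select-Object -First 5 Name, Count

    [pscustomobject]@{
        Root                  = $Root
        RecentWrites          = $recent.Count
        WriteBurst            = ($recent.Count -ge $BurstThreshold)
        EncryptedLookingFiles = @($encryptedLooking)
        TopRecentExtensions   = $topExtensions
        Suspicious            = ($recent.Count -ge $BurstThreshold) -or (@($encryptedLooking).Count -gt 0)
    }
}

# Run against a share or data volume on a device that had access to the infected host:
# Find-RansomwareSigns -Root 'D:\Shares' | Format-List
```

Only the first 64 KB of each file is read, so a share with many files scans quickly; expect false positives from already-compressed formats not in the exclusion list, and treat a hit as a reason to pull the device into the infected-device inventory rather than as proof on its own.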
Locate Backups and Restore Data
- Google Drive, Dropbox, OneDrive – have you shared the data with someone else using a cloud-based storage service? Even if the data is encrypted, these services will often allow you to revert your files to a previous state.
- Removable media – did you put the files onto a USB drive, external hard drive, DVD, or some other removable media to transfer the data? If you find you have copies on removable media, you can manually verify the files by restoring them to a separate computer. It is essential to verify the files if using physical media, as physical media can deteriorate over time.
Don’t Pay. Talk to an Expert First!
- If you become infected, payment should NOT be your first action, even after all possible outcomes have been evaluated. Talk to an expert first to examine and explore possible options.
Bottom line: Do NOT pay unless it is absolutely critical!
A cost-benefit analysis can easily tell you what you should do when it comes to ransomware. We live in the real world and often we work for companies looking to maximize their profits. It is practical for them to perform a risk-based cost benefit analysis to determine whether to pay or not. To pay or not should be a business decision based on which option is most cost effective.
Consider these variables:
- What is the potential harm caused from losing that data or system? Is the data or system critical in nature? What is the potential impact to the information system, the business process, or the organization? Are there adequate backups and a recovery process to minimize operational interruptions?
- What is the relative cost associated with paying? Most ransom demands are deliberately kept “reasonable” to encourage you to pay.
- What is the probability that your data will be decrypted? An “unethical” extortionist could receive payment and choose not to decrypt your data.
- What is the probability that once you pay, you may be extorted in the future? An attacker could leave malware on your systems in the form of a backdoor, which they could use to compromise you for additional ransom. An attacker could also spread the knowledge that you are willing to pay, inciting other cybercriminals to attack you.
These considerations result in the conclusion: Paying the ransom should NOT be your first action!
In most cases, paying the ransom does not make sense. It is the unequivocal recommendation from authorities and ProServeIT that you do not pay unless absolutely necessary. If you have no backup and would likely go out of business otherwise, then payment makes sense. However, in most cases, an expert can examine and explore possible options with you to avoid payment. Talk to an expert first.
7 Best practices moving forward
- Patching ≠ Security – Just because a patch is available does not mean it has been deployed.
Many organizations run a few patching cycles behind. Conduct an inventory of current operating systems and immediately patch vulnerable endpoints. Stay up to date with your patching efforts, and ensure other vulnerability management practices (e.g. hardening, virtual patching, system isolation) are in place where appropriate.
- Leverage Threat Intelligence – Take a proactive approach to vulnerability identification.
Leverage third-party open-source vendor websites and mailing lists to actively search for new indicators of compromise and CVEs. Schedule regular scans and prioritize your patching efforts.
- Back Up Your Data – Get in the habit of periodically backing up all sensitive data.
Whether through cloud-based solutions or via external hard drives, sensitive data must be frequently backed up and stored in a secure manner.
- Drive Adoption – Use this incident as leverage to increase awareness.
The WannaCry incident can be leveraged not only to create organizational situational awareness around security initiatives, but also to drive adoption of foundational security measures such as patch management, threat intelligence, and zero-day mitigation policies, procedures, and solutions.
- Assess Port Security – Consider disabling unused legacy protocols.
Assess port security and the exposure of internet-facing RDP and SMB services affected by this campaign. The standard SMB ports are 139 and 445. Consider disabling unused legacy protocols such as SMBv1.
- Plan For The Worst – Formalize incident response procedures.
Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.
- Block Indicators – Information alone is not actionable.
A successful security program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act on gathered intelligence.
Maintain a holistic security program
WannaCry is a good reminder that security threats are often unknown and unpredictable. The only way to maintain effective defense is through a comprehensive and flexible security program.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.
Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security, and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
Let us help you!
Proactively putting a holistic security program in place is becoming more and more critical to staying productive. ProServeIT has worked with numerous organizations of all sizes and industries. Whether you need backup solutions, a disaster recovery solution, or a consultation to learn more about ways to protect your organization, we are here to help. Whatever your needs are, we will work with you and provide customized guidance to help protect your organization from ransomware attacks!
Want more information about how we can help you before chatting with us? One of the recommendations we suggest to our customers is to leverage tools such as Advanced Threat Protection (ATP) to protect from suspicious emails and pop-ups. Click the image below to download a one-pager with details.