WannaCry and the Reality Of Patching!

Trend Micro Inc. has detected and monitored WannaCry since its emergence in the wild in April 2017, and has been protecting users and enterprises with the ransomware protection features of machine learning-infused Trend Micro XGen security.

The initial variant (RANSOM_WCRY.C) was typically distributed via phishing attacks that then had users downloading the malware from Dropbox. The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of the most common security challenges facing large organizations today.

Starting with a basic phish, this variant uses a recent vulnerability (CVE-2017-0144/MS17-010) allowing the ransomware to spread like a worm throughout unprotected networks.

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit.

The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic. WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems.

The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) team addressed the vulnerability via MS17-010, released in March 2017.

Sharda Tickoo, Technical Head at Trend Micro, India, said: "Primarily, the regions that have been attacked by the ransomware ‘WannaCry’ include the UK, Europe and the APAC region, which includes India as well. The data is still being gathered. It’s more of a panic situation that has been built up. No specific sectors have been targeted and neither is there an intent to target any specific sector; it’s across government, IT/ITES, healthcare, etc.

"We have seen customers calling us just to see if the controls are in place. There have been some cases reported, but the number is not significant. Our support lines are jammed, and the team has been working overtime through the weekend. There have been customers who have acknowledged being hit by significant ransomware attacks, and our products at the email gateway solution, advanced email security, have been able to do a great job of containing it.

"Customers are under attack, but our customers are protected. We have a free online tool for those who aren’t our customers, which can co-exist with the security they have in place. A customer hotline has been set up, and webinars/workshops have been set up as well.

"There has already been another variant of the ransomware out yesterday, which does not have a ‘kill switch’, making it difficult to contain. The threat actors have upped the ante to ensure the coverage is widespread. As we speak, it has already started infecting countries in the UK and Europe, and has not yet spread to India. What is needed is that organizations have basic hygiene in place, as the modus operandi of these attacks is through phishing emails."

The WannaCry campaign used a vulnerability that was publicly known for 59 days. Unfortunately, we’ll continue to see this vulnerability exploited for weeks—if not months—to come. What makes WannaCry’s impact pervasive is its capability to propagate.

Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk.

Trend Micro offers a free assessment tool that can detect the WannaCry ransomware. This tool uses machine learning and other techniques similar to those seen in OfficeScan XG to highlight the protection provided by advanced endpoint security tools.

In addition to strong endpoint protection, Trend Micro also recommends strong email security solutions to help prevent the initial infection and a strong backup strategy to help recover from successful ransomware attacks.

Trend Micro recommends that all compromised machines be isolated immediately and that relevant backups be protected from further changes. Since this attack appears to exploit a known Microsoft vulnerability, customers should consider disabling SMB in their environments if possible, either via GPO or using the instructions provided by Microsoft.

In addition, Trend Micro recommends patching with MS17-010, or using Trend Micro virtual patching, since this vulnerability is what the ransomware uses to propagate to other machines.

Trend Micro customers using the latest versions of OfficeScan and Worry-Free Business Security should ensure that they have both Predictive Machine Learning (OfficeScan XG, Worry-Free Services) and all relevant Ransomware protection features enabled in their product.

The following article contains information on optimal configurations to help protect against ransomware: https://success.trendmicro.com/solution/1112223.

Trend Micro Deep Discovery Inspector customers with the latest rules also have an additional layer of protection against the vulnerabilities associated with the exploit.

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

* The ransomware exploits a vulnerability in the SMB server. Patching is critical for defending against attacks that exploit security flaws. A patch for this issue is available for Windows systems, including those no longer supported by Microsoft. When organizations can’t patch directly, using a virtual patch can help mitigate the threat.

* Deploying firewalls and intrusion detection and prevention systems can help reduce the spread of this threat. A security system that can proactively monitor attacks in the network also helps stop these threats.

* Aside from using an exploit to spread, WannaCry reportedly also uses spam as an entry point. Identifying the red flags of socially engineered spam emails that carry system exploits helps. IT and system administrators should deploy security mechanisms that can protect endpoints from email-based malware.

* WannaCry drops several malicious components on the system to conduct its encryption routine. Application control based on a whitelist can prevent unwanted and unknown applications from executing. Behavior monitoring can block unusual modifications to the system. Ransomware uses a number of techniques to infect a system; defenders should likewise layer several techniques to protect their systems.

* WannaCry encrypts files stored on local systems and network shares. Implementing data categorization helps mitigate the damage incurred from a breach or attack by protecting critical data in case it is exposed.

* Network segmentation can also help prevent the spread of this threat internally. Good network design can help contain the spread of this infection and reduce its impact on organizations.

* Disable the SMB protocol on systems that do not require it. Running unneeded services gives more ways for an attacker to find an exploitable vulnerability.
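The host-level side of the advice above (patch with MS17-010, disable SMBv1 where it is not needed, keep the SMB port off the network where possible) can be audited and applied on a single Windows machine with a short script. The following is an added example written for this page; it is not Trend Micro's assessment tool and not a Microsoft-supplied script. It assumes an elevated PowerShell prompt on Windows 7/Server 2008 R2 or later, and the KB list is an assumption that must be checked against Microsoft's MS17-010 bulletin: later monthly rollups and cumulative updates carry the same fix, so "no KB matched" means "check update history", not "definitely unpatched".

```powershell
# Added example (not Trend Micro's tool or a Microsoft script): audit one
# Windows host for the controls recommended against WannaCry's SMB spread
# and, on request, apply them. Run from an elevated PowerShell prompt.

[CmdletBinding()]
param(
    [switch]$Remediate,        # audit only unless this switch is given
    [switch]$BlockInbound445   # also add a block rule; skip on file servers / DCs
)

# MS17-010 security updates released in March 2017 (assumed list; verify
# against the Microsoft bulletin). Later rollups supersede these, so an
# empty match is a prompt to check Windows Update history, not proof of
# exposure.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / Vista / 2008
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # $true if any listed KB appears in the installed hotfix list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Enabled {
    # SMBv1 is the dialect EternalBlue targets; SMBv2/v3 can stay on.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older systems expose the same switch as the SMB1 registry value
    # (absent or 1 = enabled, 0 = disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1 {
    # Turn off the SMBv1 server dialect only; clients and SMBv2/v3 are untouched.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # The server service re-reads the value on restart; reboot to be certain.
}

function Add-Block445Rule {
    # Keeps other hosts on the segment from reaching this machine's SMB
    # listener. netsh is used because it exists on every supported version.
    netsh advfirewall firewall add rule name=Block-Inbound-SMB-445 `
        dir=in action=block protocol=TCP localport=445 | Out-Null
}

# ---- audit ----
$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1Enabled
"MS17-010 KB present : $patched"
"SMBv1 enabled       : $smb1On"

# ---- remediate ----
if ($Remediate) {
    if ($smb1On)          { Disable-Smb1;     'SMBv1 disabled (reboot to apply fully).' }
    if ($BlockInbound445) { Add-Block445Rule; 'Inbound TCP/445 block rule added.' }
    if (-not $patched) {
        'No MS17-010 KB matched: install the update before relying on the SMBv1 change alone.'
    }
}
```

Run it without switches first to see the two audit lines, then with `-Remediate` (and `-BlockInbound445` on workstations that serve no shares). The same settings can be pushed fleet-wide through the GPO route the article mentions; this script is the per-host check that lets you confirm the policy actually landed.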
