On May 12th 2017, thousands of computers across the globe were attacked by a new ransomware variant known as “WannaCryptor” (WannaCry).
How is it delivered?
This attack is delivered mostly via email. These messages are typically fake invoices, job offers and other lures sent to random email addresses. The email carries a .zip attachment; opening it initiates the WannaCry infection.
What vulnerabilities does this attack exploit?
The attack spreads across internal networks using a weapons-grade exploit identified during the NSA leaks: a known vulnerability in the Microsoft operating system’s implementation of SMB (Server Message Block), exploited peer-to-peer between hosts and known as EternalBlue. To Microsoft’s credit, a patch (MS17-010, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) was released back in March, after the vulnerability was identified in the NSA leaks, which occurred several weeks prior to that.
The attack files are dropped by a worm which leverages SMB, a network file sharing protocol. Other aspects of the malware leverage file-less exploitation techniques, and the malware is morphing rapidly in the wild, with over a dozen variants seen thus far.
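The worm behaviour described above (one infected host contacting many neighbouring hosts over SMB, TCP/445, in a short burst) is something a defender can spot in flow or firewall logs before the signature of any particular variant is known. The following is an added example, not code from the original post or from any vendor; the flow records, the 60-second window and the threshold of five distinct targets are constructed assumptions, and hosts opening 445 outbound to non-RFC1918 addresses are also reported as candidates for egress filtering.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample flow records (timestamp src dst dport); not taken from any real incident.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.5 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.5 10.0.1.21 445
2017-05-12T10:00:03 10.0.1.5 10.0.1.22 445
2017-05-12T10:00:04 10.0.1.5 10.0.1.23 445
2017-05-12T10:00:05 10.0.1.5 10.0.1.24 445
2017-05-12T10:00:07 10.0.1.5 203.0.113.9 445
2017-05-12T10:00:10 10.0.1.7 10.0.1.100 445
2017-05-12T10:05:00 10.0.1.7 10.0.1.100 445
2017-05-12T10:00:12 10.0.1.8 10.0.1.100 443
2017-05-12T10:00:20 10.0.1.9 10.0.1.30 445
2017-05-12T10:20:00 10.0.1.9 10.0.1.31 445
2017-05-12T10:40:00 10.0.1.9 10.0.1.32 445
2017-05-12T11:00:00 10.0.1.9 10.0.1.33 445
2017-05-12T11:20:00 10.0.1.9 10.0.1.34 445
""".splitlines()

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout_sources(lines, window_s=60, threshold=5):
    """Internal hosts reaching >= threshold distinct internal hosts on TCP/445 within any window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in map(parse_flow, lines):
        if dport == 445 and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered connections
        peak = max(len({d for t, d in events[i:] if (t - t0).total_seconds() <= window_s})
                   for i, (t0, _) in enumerate(events))
        if peak >= threshold:  # a normal client talks to a few file servers, not a burst of peers
            hits[src] = peak
    return hits

def smb_egress_sources(lines):
    """Internal hosts opening TCP/445 to non-RFC1918 addresses; perimeter egress filtering should block this."""
    return sorted({src for _, src, dst, dport in map(parse_flow, lines)
                   if dport == 445 and is_internal(src) and not is_internal(dst)})
```

Note that 10.0.1.9 also reaches five distinct hosts on 445 but spread over eighty minutes, so the time window keeps it out of the fan-out list; tune the window and threshold to the environment's normal SMB behaviour.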
How can you protect yourself?
These new ransomware variants clearly show the critical importance of several fundamental security best practices that we have always stressed. Implementing any of these measures could have reduced the impact on most companies:
Patch Management: The vulnerabilities exploited by this ransomware have had patches available for over two weeks, and yet many systems on the internet (and many more in local networks) remain vulnerable. Keep ALL your systems (not just servers) up to date with the latest patches. Your operating systems and browsers will take care of themselves (although you need to monitor them and ensure the patching is working correctly), but many third-party applications will not; this is where a Patch Management solution is very important.
For those business-critical systems that can’t be patched, strategies such as Network Segmentation, Ingress & Egress Filtering, and Early Detection & Response solutions should be implemented to protect those systems. Healthcare and Industrial Control Systems are most vulnerable to these attacks, as they typically run legacy applications that can’t be patched for several reasons.
A signature-only anti-malware solution ISN’T enough. These exploits are weapons-grade, which means they will actively try to evade any and all protection mechanisms. This is where next-generation anti-malware technologies such as machine learning, threat emulation, sandboxing, etc. come into play. These solutions also require Early Detection and Response capabilities in order to effectively combat these sorts of attacks. The combination of the aforementioned features is the best approach to mitigating these attacks across the enterprise.
A sound endpoint security strategy coupled with an effective perimeter security approach is SUPER important. As this attack proved, every company (LARGE or SMALL) needs:
An effective email security strategy as part of a sound perimeter security posture (not just a solution or product). Email is still the number one delivery vector for these attacks. The quality and effectiveness of the solution is important, but not as much as the overall email security strategy.
An endpoint security strategy that leverages machine learning technology in addition to the signature-based approach. There are endpoint security solutions, there are early detection & response solutions, and there are hybrids of both. Again, the overall endpoint security strategy is far more important than the product itself.
Finally, and I hate to say it: a proper Gap Analysis/Risk Assessment needs to be performed on a regular basis. These assessments aren’t recommended so you can just check off a box. They are designed to identify gaps and the associated risks in the infrastructure before someone else does.
On a final note, as we all say in Security, “it’s not a matter of if you’ll get breached, it’s a question of when you get breached”. When that happens, will you be ready to respond? If you need help with any of these approaches or with your security strategy in general, please let us know and we’ll be more than happy to assist.
Source: online resources