The Curious Case of WannaCry
It was the start of a weekend. On Friday, May 12th 2017, many organizations globally were hit by the storm of the new WannaCry ransomware. It spread very successfully because it used an SMB vulnerability to propagate within networks.
Traditionally, SMB has had a bad reputation for being insecure, and its role within a network appeals to hackers and cyber criminals because it provides an easy way to spread and maximize the damage. The vulnerability was patched by Microsoft-Dynamics in March for supported versions of Windows. The exploit, known under the name EternalBlue, was released in April as part of a leak of NSA tools.
The first active indicators of the WannaCry ransomware were visible by midnight IST on Friday, 12th May, the start of the weekend. The immediate reaction was to understand the threat through available trusted sources and to engage teams to handle the situation, based on the criticality and demographics of the threat. A few initial learnings we had:
• Unlike any other ransomware, the propagation could have come in through an email,
• and then internally exploited SMB to spread within the network.
• Windows OS versions were the potential targets of infection.
• In case of an infection, the risk of losing data, and thereby impacting service availability, could have a direct impact.
• The vulnerability was patched by Microsoft in March for the newer versions of Windows; the patching for legacy versions of Windows was unclear.
By then the understanding tabled regarding the WannaCry ransomware was that it was built on a leaked NSA exploit and had spread across at least 75,000 PCs in less than 24 hours. Upon infection, files with specific extensions are encrypted and the user is prompted for a ransom. The ransomware also installs the ‘DOUBLEPULSAR’ backdoor to access the system remotely via port 445.
A call with the various teams was required for a collaborative and active response, and the actions to be followed were determined:
• Check and update the patching level (whilst accepting the challenge of reboots on 24 x 7 critical machines).
• Segment the network to prevent internal spreading via port 445 and RDP.
• Block port 445 at the perimeter to deny external access.
• Disable SMBv1; in this case the focus was on the non-supported/legacy versions of Windows.
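The host-level side of the actions above (patch check, SMBv1 disabled, inbound 445 blocked), as an added PowerShell example that is not from the original post. It assumes an elevated session; $RequiredKB is a placeholder, not a real KB number, and the modern Smb*/NetFirewall cmdlets exist only on Windows 8 / Server 2012 and later, so older hosts fall back to the documented LanmanServer registry value.

```powershell
# Added example (not from the original post): audit, and with -Enforce harden, a
# Windows host against the SMBv1 / port 445 spread described above.
param(
    [string]$RequiredKB = 'KB0000000',   # placeholder: substitute the MS17-010 KB for this OS
    [switch]$Enforce                      # without -Enforce the script only reports
)

# 1. Patch level: is the required hotfix installed?
$hotfix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
if ($hotfix) { Write-Host "OK     : $RequiredKB installed on $($hotfix.InstalledOn)" }
else         { Write-Warning "MISSING: $RequiredKB not installed; patch and reboot" }

# 2. SMBv1 server state (Set-SmbServerConfiguration: Windows 8 / Server 2012 and later)
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1 -and $Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "FIXED  : SMBv1 server disabled"
    } elseif ($smb1) { Write-Warning "SMBv1 server is ENABLED" }
    else             { Write-Host "OK     : SMBv1 server disabled" }
} else {
    # Legacy hosts (Windows 7 / Server 2008 R2): DWORD SMB1=0 under LanmanServer, then reboot
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($val -eq 0) { Write-Host "OK     : SMBv1 disabled via registry" }
    elseif ($Enforce) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
        Write-Host "FIXED  : SMBv1 registry value set to 0 (reboot required)"
    } else { Write-Warning "SMBv1 is ENABLED (registry value SMB1 absent or non-zero)" }
}

# 3. Host firewall: block inbound TCP 445 as containment while patching
$ruleName = 'Block inbound SMB 445 (WannaCry containment)'
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Host "OK     : firewall rule '$ruleName' present"
} elseif ($Enforce) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "FIXED  : inbound TCP 445 blocked"
} else { Write-Warning "No host firewall rule blocking inbound TCP 445" }
```

Step 3 breaks file and printer sharing offered by the host, so apply it to workstations and unpatched servers during containment, not to file servers that must stay reachable.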
As the hours progressed, a UK-based researcher known as “MalwareTech” shut the operation down, by a stroke of luck. His analysis found that the ransomware’s programmers had built it to check whether a certain URL led to a live web page. One of the web domains used by the attackers had not been registered, and the researcher registered it to take control of the domain for a mere USD 10.69. He started seeing connections from infected victims, which gave him a unique ability to track the ransomware’s spread. In doing so he also took down the WannaCry operation.
The days progressed, with patching reducing the risk levels of the threat, but there are certain lessons which we all probably learnt from this storm. One of the best things I have observed within, is a
Vulnerability Management – Every one of us does vulnerability management; what is probably missing is a quick periodic dip check on our patch levels.
Patch Management & Antivirus – We are regular, but there is still a need to go beyond the regular push, look at the reports and fix the missing ones. Enforce reboots after patching. Analyse the deleted/quarantined threats to identify the machines/systems that could be potential candidates for an attack.
Plan and Retire Legacy – Due to critical business reasons, we are still forced to keep and operate legacy systems, especially at the platform level. If we do not do the retirements and upgrades on time, it can be more expensive; that is what we learned from this incident.
Email Management – Normally we tend to look at spam control and patterns only once there is some noise around. Enforce regular pattern analysis and spam control for threat detection, removal and reporting.
Web Content Filtering and Firewall Management – URL restrictions are enforced and threat indicators are monitored. Also, analyse the denied traffic to identify the user/target machines.
Communication & End User Support – Enforce communications reporting the current state and readiness to management and relevant stakeholders. Always keep end users informed about best practices and with situational awareness.
Backup / BCP / DR – Ensure that data availability is up to the mark based on the agreed RTO/RPO. Explore and keep options ready for quick recovery or availability of alternatives to the business in case of any system non-availability.
During such a crisis the role of IT Management becomes very crucial. Make sure that at every stage of the lifespan, senior management and critical stakeholders are made aware of the situation regarding the potential threat and internal readiness to handle it. This will help in getting the right amount of support and gaining confidence within the enterprise.
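The “analyse the denied traffic to identify the user/target machines” point under Web Content Filtering and Firewall Management, as an added PowerShell example that is not from the original post: it reads dropped connections from the Windows Firewall log (pfirewall.log, W3C format) and reports internal sources that hit many distinct hosts on TCP 445, the pattern a worm spreading over SMB leaves behind. The log lines and the threshold of 3 are constructed for illustration.

```powershell
# Added example (not from the original post): flag sources fanning out on TCP 445
# in dropped-connection records. Sample lines below are constructed, not real data.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2017-05-13 00:01:10 DROP TCP 10.1.2.50 10.1.2.51 49152 445 52 S
2017-05-13 00:01:10 DROP TCP 10.1.2.50 10.1.2.52 49153 445 52 S
2017-05-13 00:01:11 DROP TCP 10.1.2.50 10.1.2.53 49154 445 52 S
2017-05-13 00:01:11 DROP TCP 10.1.2.50 10.1.2.54 49155 445 52 S
2017-05-13 00:01:12 DROP TCP 10.1.2.77 10.1.2.10 50001 445 52 S
2017-05-13 00:01:12 DROP TCP 10.1.2.77 10.1.2.10 50002 3389 52 S
'@ -split "`n"

function Find-Smb445Scanners {
    param([string[]]$Lines, [int]$Threshold = 3)   # distinct 445 targets per source
    $hits = foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+'
        # fields: 0 date, 1 time, 2 action, 3 proto, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq '445') {
            [pscustomobject]@{ Src = $f[4]; Dst = $f[5] }
        }
    }
    # one row per source whose distinct SMB targets reach the threshold
    $hits | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        if ($targets.Count -ge $Threshold) {
            [pscustomobject]@{
                Source          = $_.Name
                DistinctTargets = $targets.Count
                Targets         = ($targets -join ',')
            }
        }
    }
}

# With the constructed data only 10.1.2.50 (four distinct targets) is reported.
Find-Smb445Scanners -Lines $sampleLog | Format-Table -AutoSize
# Live use: -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The same grouping works on perimeter firewall or IDS deny logs once the field offsets are adjusted; the source addresses it returns are the machines to isolate and re-image first.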