Wednesday, May 17, 2017

WannaCry Ransomware - Lessons Learned



WannaCry (or WannaCrypt) is a new malware that hit over 200,000 computers in over 150 countries late last week (May 12, 2017). This malware encrypts files on the infected machine, making them inaccessible. What makes this a significant cause for concern is that it was the first time ransomware had the ability to spread automatically across a computer network to other vulnerable computers. That means an entire network could become infected as a result of a single user clicking on an email attachment.

Fortunately, a temporary solution was identified to halt the spread of the malware: registering a specific domain that the malware was trying to connect to. However, new versions have since been released by malware authors which ignore this domain.

For those who have infected machines, the malware requests a payment of at least $300 in bitcoin in return for a decryption key to recover their files. However, there is no guarantee that this will work, or that the hackers won't retain remote access to the infected computer. Instead, it is recommended that the computer be reformatted and data restored from a recent backup.


Where it came from

WannaCry was developed using a Windows security flaw that was discovered by the USA's National Security Agency (NSA), and later stolen and released to the public by a hacking group called the Shadow Brokers. At this point it appears that a second hacking group used the leaked information to create WannaCry.

Microsoft has expressed its displeasure (reference# 4) with the release of WannaCry, as it was the result of a larger problem: several governments around the world are suspected of holding stockpiles of security vulnerabilities for their own use, instead of notifying the affected software vendors. If these were reported in a timely manner, the current outbreak would have been avoided.


How to Protect Yourself

The most important method of protecting yourself is to apply Microsoft patches in a timely manner. Fortunately, a patch (MS17-010) should have been automatically applied in March 2017 to currently supported versions of Windows. However, Windows XP and Windows Server 2003, which are not officially supported by Microsoft, were issued their emergency patches after the outbreak (on Saturday May 12, 2017). These emergency patches can be downloaded from the Microsoft website (see reference# 1).

Most major antivirus companies have also released emergency updates that will detect the WannaCry malware. Several network security monitoring vendors have also released their own updates to detect its movement on the network.

As a third layer of security, disable the old file sharing protocol called SMB v1 (see reference# 5). While this outbreak primarily targeted older versions of Windows, the legacy code in SMB v1 remains vulnerable to future attacks. Newer versions of the SMB protocol (versions 2 and 3) are installed on newer Windows systems, so disabling SMB v1 should not cause significant disruption to your operations. Ask your experienced IT support team to identify older legacy systems that depend on SMB v1, and start planning to mitigate their risk.

The final piece of advice is to maintain good security awareness. This includes:
  • Scrutinize each email you receive, especially when it contains an attachment or a web link
  • Do not install programs unless they are from verified and trusted vendors
  • Turn off Wi-Fi when not in use, and avoid public Wi-Fi if possible
  • Maintain several offline backups of your data

References
1. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
2. https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
3. https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
4. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.001wk56cvrqfecz119v2dvzcw9e7m
5. https://community.tenable.com/thread/11156


Bonus: how to detect SMB v1
  • https://redmondmag.com/articles/2017/05/16/insecure-smb-1-from-windows-networks.aspx
  • https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/
  • https://www.microsoft.com/en-us/download/details.aspx?id=44226
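Putting the SMB v1 detection links above and the "disable SMB v1" advice from the protection section into practice, here is an added PowerShell audit script written for this post; it is not taken from any of the linked Microsoft or Tenable references. It assumes Windows 8 / Server 2012 or later for the Smb* cmdlets (older systems only get the registry check), an elevated prompt, and the -Disable switch name is my own.

```powershell
<#
  Added example (not from the original post): audit whether SMB v1 is enabled
  on this Windows host, list clients still using it, and optionally disable
  the server side. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch: audit only unless given
)

function Get-Smb1Status {
    $result = [ordered]@{}

    # 1. SMB server configuration (Windows 8 / Server 2012 and later)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.ServerEnableSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 2. Registry value used by the older guidance: SMB1 = 0 disables the server side
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $result.RegistrySMB1 = if ($null -ne $reg) { $reg.SMB1 } else { 'not set (defaults to enabled)' }

    # 3. Optional-feature state (Windows 8.1 / 10 / Server 2012 R2 and later)
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.FeatureState = $feature.State
    } catch { $result.FeatureState = 'feature not present on this OS' }

    # 4. Live sessions negotiated at an SMB 1.x dialect: these are the legacy
    #    clients the post says to identify before the protocol is turned off
    if (Get-Command Get-SmbSession -ErrorAction SilentlyContinue) {
        $result.Smb1Sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { $_.Dialect -like '1.*' } |
            Select-Object ClientComputerName, ClientUserName, Dialect)
    }
    [pscustomobject]$result
}

$status = Get-Smb1Status
$status | Format-List

if ($Disable) {
    if ($status.Smb1Sessions.Count -gt 0) {
        Write-Warning "Active SMB1 sessions exist; migrate those clients first."
    }
    # Turns off the SMB1 server protocol; re-run without -Disable to confirm
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

Running the audit on a schedule across the fleet is the cheap way to find the legacy dependents the post asks your IT team to inventory before the protocol is removed.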