WannaCry - Sifting Through The Hype

There have already been a number of blog posts and analyses of the WannaCry ransomware attack. I am not going to attempt to add any detail to that, but I do find it helpful to have a consolidated list of well-sourced resources.

Bottom Line

  • Roll out MS17-010 to any systems that don't have it

  • If you have unsupported operating systems and/or can't patch - figure out how to isolate those devices: remove internet access and disable SMB access

  • There is no excuse for having SMB exposed to the internet; remove that now

  • Use this as an opportunity to discuss risk with your executives

Below are some more details and good resources related to this event.

Attack Summary

This cyber-attack is ransomware that, once it has infected a machine, spreads through a vulnerability in Microsoft Windows systems. Microsoft fixed this vulnerability in March 2017 with a patch for Windows. Unfortunately, many operating systems, such as Windows XP and Windows Server 2003, no longer receive updates. However, in an unprecedented move, Microsoft has released emergency patches for these operating systems.

Why Is This So Big?

Unlike typical ransomware, which needs someone to open a phishing email or navigate to a malicious site, this virus is able to propagate to remote network computers on its own. This is, for the most part, due to unpatched systems. The virus quickly spread yesterday into many networks. Once it made it into a network, it was able to easily spread within the internal networks if there were systems without these patches.

What should we do?

The Microsoft patch that addresses these vulnerabilities is MS17-010. Please make sure this is deployed to all machines (servers and workstations). In addition to the patches, Microsoft has released Windows Defender signatures to detect this. We should also stay alert to any suspicious emails we receive. The patch can help prevent the spread, but it may not stop an initial infection, which can occur just like with any other ransomware.

MS17-010 Patch information: https://technet.microsoft.com/

Microsoft Guidance: https://blogs.technet.microsoft.com/
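The three checks above (is MS17-010 installed, is SMBv1 still on, is TCP 445 reachable) can be audited per host with the script below. It is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules, an elevated PowerShell session, and that you fill in the KB numbers for your OS from the MS17-010 bulletin (the placeholder value is not a real KB).

```powershell
# Added audit script (not from the original post). Assumes Windows 8 / Server 2012 or later,
# the SmbShare and NetSecurity modules, and an elevated PowerShell session.
# PLACEHOLDER: replace with the KB number(s) listed for this host's OS in the MS17-010 bulletin.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')

$findings = @()

# 1. Is the MS17-010 update present in the installed hotfix list?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    $findings += 'MS17-010 not found in installed hotfixes - deploy it, or isolate the host if it cannot be patched.'
}

# 2. Is SMBv1 (the protocol MS17-010 fixes) still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled - disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}

# 3. Is anything listening on TCP 445, and does an enabled inbound firewall rule allow it?
$listening  = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$inbound445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
if ($listening -and $inbound445) {
    $count = @($inbound445).Count
    $findings += "TCP 445 is listening and $count enabled inbound rule(s) allow it - restrict 445 to trusted subnets only, never the internet."
}

# Emit the findings so the script can be run fleet-wide (e.g. via Invoke-Command) and the output collected.
if ($findings.Count -eq 0) { 'No WannaCry exposure findings on this host.' } else { $findings }
```

Running it with Invoke-Command against a list of hosts gives a quick inventory of which machines still need the patch, the SMBv1 change, or a firewall fix.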

Additional resources

https://www.binarydefense.com/

https://gist.github.com/rain-1/

https://krebsonsecurity.com/

https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

https://www.malwaretech.com/

https://www.peerlyst.com/posts/wannacry-no-more-ransomware-worm-ioc-s-tor-c2-and-technical-analysis-siem-rules-andrii-bezverkhyi
