Author: Ravi Devireddy, Founder & CTO
It’s been a rough few weeks both for the victims of the latest slew of ransomware attacks and for its creators. Wanna (also referred to as WannaCry, WCry, WannaCrypt) ransomware has affected over 200,000 systems in 90 countries since March 12, 2017. This variant of ransomware uses the EternalBlue (MS17-010) vulnerability, released by the Shadow Brokers about a month ago, to spread across networks via the Windows SMB (Server Message Block) file sharing protocol after infecting the initial host.
How Does It Work?
Wanna uses a password-protected ZIP archive that contains additional resource files. A process named “winsecsvc[.]exe” is installed and run, and it calls back to the domain www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, which has been sinkholed by an unknown entity (requests for the domain are answered by infrastructure the sinkhole operator controls rather than by the malware’s authors).
If the victimized machine makes a successful connection to this domain, the process does not perform the SMB exploitation. If the domain cannot be reached, however, the process “taskche[.]exe” is launched to initialize the service; it carries out the file encryption and exploits SMB file shares to spread laterally. The domain has since been registered and a web server set up by a security researcher, which has significantly reduced the impact of WannaCry.
Microsoft released a security update for the MS17-010/EternalBlue vulnerability on March 14, 2017 for Windows Vista, Windows Server 2008, and later versions of Windows. And this past Friday, May 12, Microsoft released a patch for older versions of Windows — going back to Windows XP and Windows Server 2003 — in response to the sudden rapid spread of WannaCry.
Patches Here! Get Your Patches Here!
Ransomware attacks on personal computers targeting individuals have been on the rise lately, but because they are isolated incidents, their scale often goes unnoticed by the public. With WannaCry, however, the risk and potential damage to enterprises has brought ransomware to the forefront. In this particular case, although Microsoft has had a patch available since March, many enterprises are unfortunately not up to date with vulnerability patches in their environments.
Enterprises with thousands, or tens of thousands, of endpoints in their environments are often not up to date with all of the latest security and software patches. Testing and rolling out new patches is often disruptive to business operations: IT teams need to thoroughly test software patches for compatibility with the other software and applications running on these hosts, so that an incompatible patch does not itself disrupt the business. As a result, IT teams fall behind on software patching, a common scenario in many enterprises.
It is, however, unfair to point fingers at IT teams for not keeping software patches up to date. Security bugs are part and parcel of modern enterprise IT infrastructure, and balancing the need for security with the need to keep the business running is often fraught with negotiations, priorities, and downright dangerous outcomes for public services that depend on functioning IT infrastructure, as we have seen with the UK National Health Service over the last couple of days.
It Doesn’t Have to be This Way
As bleak as this situation may sound, there are strategies that security teams can and must implement to address such security concerns. Early detection of suspicious activity in the organization is paramount in limiting the extent and damage of outbreaks such as ransomware, targeted persistent attacks, and data theft. Traffic patterns that indicate communication with suspicious domains, lateral movement, and suspicious processes or process executions on endpoints are all evidence of unusual activity in the organization and can point to an attack in progress; early insight into them is what gives the security team a chance to act.
So, What Should You Look For?
Suspicious Processes Running on Endpoints
Malicious software can be delivered through many attack vectors, including phishing in electronic communications or watering holes on websites. Tailor-made malware that is targeted explicitly at your organization can also exploit zero-day vulnerabilities that can’t be detected with traditional signature-based security solutions. While the majority of such deliveries are prevented by security tools at the perimeter, and by staff educated on security hygiene, there are a few that will get through your defenses sooner or later.
Identifying suspicious processes and process executions can help you gain early insight into compromised hosts, so you can quell the outbreak before it becomes costly.
- Rare and never-before-seen processes (names, MD5s, locations of the process)
- Infrequently used or newly-observed programs added to hosts
- Auto-run configuration, listening or running programs on rarely used or new ports
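A worked version of the first two indicators above, added here as an illustration and not code from the original post: a rarity and first-seen analysis over a constructed endpoint process inventory. Host names, paths and hashes are placeholders invented for the example; the cutoff date and the one-host threshold are assumptions.

```python
# Added example: flag process executions that are never-before-seen (name, hash,
# path) in the baseline period, or that run on very few hosts. All records and
# hashes below are constructed placeholders, not real indicators.
from collections import defaultdict
from datetime import datetime

# Constructed inventory: (timestamp, host, process name, directory, md5).
INVENTORY = [
    ("2017-05-01T09:00", "ws01", "svchost.exe", r"C:\Windows\System32", "md5-svchost-aaaa"),
    ("2017-05-01T09:00", "ws02", "svchost.exe", r"C:\Windows\System32", "md5-svchost-aaaa"),
    ("2017-05-01T09:00", "ws03", "svchost.exe", r"C:\Windows\System32", "md5-svchost-aaaa"),
    ("2017-05-02T10:00", "ws01", "outlook.exe", r"C:\Program Files\Office", "md5-outlook-bbbb"),
    ("2017-05-02T10:00", "ws02", "outlook.exe", r"C:\Program Files\Office", "md5-outlook-bbbb"),
    # new binary appears on one host
    ("2017-05-12T13:05", "ws02", "winsecsvc.exe", r"C:\Windows", "md5-new-cccc"),
    # known-good hash, but launched from an unusual location
    ("2017-05-12T13:20", "ws03", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp", "md5-svchost-aaaa"),
]


def _key(name, path, md5):
    return (name.lower(), md5, path.lower())


def baseline_profile(records, cutoff):
    """Map (name, md5, path) -> set of hosts, using only records before cutoff."""
    seen = defaultdict(set)
    for ts, host, name, path, md5 in records:
        if datetime.fromisoformat(ts) < cutoff:
            seen[_key(name, path, md5)].add(host)
    return seen


def rare_processes(records, cutoff, max_hosts=1):
    """Return (host, name, path, reasons) for executions at/after cutoff that are
    never seen in the baseline or that run on <= max_hosts hosts overall."""
    baseline = baseline_profile(records, cutoff)
    hosts_by_key = defaultdict(set)
    for ts, host, name, path, md5 in records:
        hosts_by_key[_key(name, path, md5)].add(host)
    findings = []
    for ts, host, name, path, md5 in records:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        key = _key(name, path, md5)
        reasons = []
        if key not in baseline:
            reasons.append("never-before-seen name/hash/path combination")
        if len(hosts_by_key[key]) <= max_hosts:
            reasons.append(f"seen on only {len(hosts_by_key[key])} host(s)")
        if reasons:
            findings.append((host, name, path, reasons))
    return findings
```

Running `rare_processes(INVENTORY, datetime(2017, 5, 12))` flags the new binary on ws02 and the misplaced svchost.exe on ws03, while the routine executions are left alone.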
Behavioral analytics can identify known or unknown processes running on endpoints without the use of signatures or sandboxing techniques. Additionally, this type of platform can link together individual actions that appear to be legitimate, when investigated individually, but are actually connected in a targeted campaign inside your organization.
For instance, behavioral analytics can:
- Capture endpoint system information, such as processes, open ports, auto-run programs, and browser helper objects, on demand via third-party agents or endpoint detection and response (EDR) tools
- Collect artifacts (such as indicators of compromise), which can be used in searches on other systems
- Collect statistical data on encrypted traffic without having to run payload capture
- Analyze data across broad windows of time to detect low-and-slow attacks across large numbers of endpoints
As seen in WannaCry, attackers commonly use command-and-control (C2) servers to remotely control malware that has been installed on an endpoint. Once installed, either through a spear phishing attack or drive-by download, an attacker has control of the device and can make their way through a network, exfiltrate data, and successfully execute a security breach, such as encrypting all files for ransom.
Some indicators of command and control (C2) activity to look for:
- Data sent over the Internet as a beacon at a regular interval
- Receipt of traffic over a long period of time
- Non-browser activities on the Internet
- Newly visited websites or domain names
- Visits to a website that doesn’t have significant infrastructure, such as a high number of pages. This was the case with WannaCry, where the domain www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com was sinkholed.
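Three of the C2 indicators above (regular-interval beaconing, non-browser traffic, and newly observed domains) computed over a constructed outbound-connection log, added here as an illustration and not code from the original post. The log lines, host names, the placeholder domain, the baseline domain set, and the thresholds (at least 4 connections, coefficient of variation of the gaps at most 0.1) are all assumptions.

```python
# Added example: score each (host, domain) pair in a constructed outbound log
# for beaconing, non-browser user agents, and first-seen domains.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed baseline: domains the organisation has seen during a learning period.
BASELINE_DOMAINS = {"intranet.example.test", "update.example-vendor.test"}

# Constructed log: "<iso timestamp> <host> <domain> <user agent or '-'>".
# ws07 contacts a never-seen placeholder domain every 5 minutes with no browser
# user agent; ws03 browses a known domain at irregular, human-looking times.
LOG = [f"2017-05-12T09:{5 * i:02d}:00 ws07 placeholder-c2.test -" for i in range(6)] + [
    "2017-05-12T09:01:12 ws03 intranet.example.test Mozilla/5.0",
    "2017-05-12T09:04:47 ws03 intranet.example.test Mozilla/5.0",
    "2017-05-12T09:17:03 ws03 intranet.example.test Mozilla/5.0",
    "2017-05-12T09:18:30 ws03 intranet.example.test Mozilla/5.0",
]


def parse(lines):
    """Parse log lines into (timestamp, host, domain, user_agent) tuples."""
    out = []
    for line in lines:
        ts, host, domain, ua = line.split(" ", 3)
        out.append((datetime.fromisoformat(ts), host, domain, ua))
    return out


def detect_c2_indicators(lines, baseline_domains, min_conns=4, max_cv=0.1):
    """Return {(host, domain): [indicator, ...]} for pairs with any indicator."""
    by_pair = defaultdict(list)
    for ts, host, domain, ua in parse(lines):
        by_pair[(host, domain)].append((ts, ua))
    findings = {}
    for (host, domain), events in by_pair.items():
        reasons = []
        if domain not in baseline_domains:
            reasons.append("newly observed domain")
        if all(ua == "-" for _, ua in events):
            reasons.append("non-browser traffic")
        events.sort()
        if len(events) >= min_conns:
            # Beaconing shows up as near-constant gaps: low stddev relative to mean.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"beacon: ~{avg:.0f}s interval (cv={cv:.2f})")
        if reasons:
            findings[(host, domain)] = reasons
    return findings
```

The ws07 pair collects all three indicators, while ws03's browsing of a known domain produces none; in practice the baseline set and thresholds would be learned from the organisation's own traffic.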
A behavioral analytics platform can link together actions that, individually, appear to be legitimate, but are actually command-and-control communications that can’t yet be matched to known bad sites.
Detect, Hunt, and Respond
Insights such as those listed above can lead security teams to hunt for further leads into activity occurring in the enterprise. Such investigations and analysis can lead to recognizing the scope of the attack and its proliferation within the enterprise, so that IT security teams can take action to contain or quarantine the initial infected hosts, or block traffic off network from further spreading within the enterprise.
No one knows for sure whether this is the last such attack (I’m willing to say it isn’t), so we should expect and prepare for similar campaigns. Wouldn’t it be nice to limit the damage to a few hosts, rather than getting locked out of thousands of systems? The difference will be early detection and containment, and behavioral analytics can provide such insights so security teams can detect, hunt, and respond to attacks like WannaCry before their impact gets out of hand.