What We Know So Far
A major ransomware attack broke on Friday May 12th, affecting many organisations the world over, reportedly including major telcos, NHS systems and transportation providers. The attack has spread to some 150 countries. It is the first time ransomware has propagated as a self-spreading worm on this scale. The malware responsible is a ransomware variant known as 'WannaCry'.
WannaCry spreads through a vulnerability in Microsoft's SMBv1 implementation (the 'EternalBlue' exploit, fixed by MS17-010), not through phishing or malvertising. SMB is the network protocol Windows uses to share files and printers between computers. What makes WannaCry so damaging is that it propagates laterally across a network on its own, installing itself on other reachable systems without any end-user involvement. Once on a host it scans aggressively for other machines on TCP port 445 (Server Message Block/SMB), exploits those that are unpatched, encrypts the files stored on them and demands a ransom payment in Bitcoin. Environments full of unpatched or End of Life systems such as Windows XP, for which no fix was initially available, are the most exposed.
The best protection against infection (other than going back to pen and paper!) is to apply Microsoft's MS17-010 patch. It has been available since mid-March this year, but Microsoft did not originally release an update for Windows XP because it is End of Life, which is why the NHS, which still runs a lot of XP, was hit so hard.
Microsoft has now released an emergency patch for Windows XP and other End of Life operating systems. The March patch protected newer Windows computers that had Windows Update enabled, but many computers around the world remained unpatched.
How Forfusion Protects its Customers
A defense-in-depth strategy is always the best approach to information security.
Remember, this is a vulnerability in Microsoft Windows itself, so the following best practices are recommended to combat attacks that abuse Microsoft SMB:
- Ensure that devices running Windows are fully patched. In particular, apply the following: Microsoft Security Bulletin MS17-010
- Strongly consider blocking legacy protocols like SMBv1 inside the network. Additionally, block all SMB connections (TCP ports 139 and 445) to and from externally accessible hosts; SMB should never be reachable from the internet.
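The two recommendations above, carried out on a single Windows host, look like this. It is an added example, not a script from the original article or from Forfusion or Cisco. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (for the Get-Smb* and DISM cmdlets, with the Windows 7 registry equivalent shown as a comment), and it treats the Public firewall profile as the place where no inbound SMB should ever be accepted; widen that to Private/Domain on workstations that serve no files.

```powershell
# Added example (not from the original article): audit and harden one Windows
# host against the SMBv1 exposure exploited by WannaCry. Run as Administrator.
# Assumes Windows 8.1 / Server 2012 R2 or later for Get-Smb* and the DISM cmdlets;
# the commented registry switch is the documented Windows 7 / 2008 R2 equivalent.

# 1. MS17-010 check. These are the March 2017 MS17-010 package numbers for the
#    supported OS versions. On Windows 10 they are superseded by later cumulative
#    updates, so treat "not found" as "investigate", not as "vulnerable".
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012598','KB4012606',
              'KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No March 2017 MS17-010 package found; confirm the patch level from Windows Update history."
}

# 2. SMBv1: report the current server-side state, then turn it off.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server enabled: $smb1Enabled"
if ($smb1Enabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Remove the SMBv1 component altogether where it is an optional feature
# (Windows 8.1/10, Server 2012 R2 and later); a reboot completes the removal.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
# Windows 7 / Server 2008 R2 equivalent (reboot required):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#     -Name SMB1 -Type DWORD -Value 0 -Force

# 3. Block inbound SMB on the Public profile. Block rules take precedence over
#    allow rules in Windows Firewall, so this wins over the built-in File and
#    Printer Sharing allows. Extend -Profile to Private,Domain on hosts that
#    share nothing.
$ruleName = 'Block inbound SMB (TCP 139,445)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Profile Public -Action Block | Out-Null
}

# 4. Show who is currently talking to this host on 445, so the effect of the
#    change can be verified and any legitimate dependency spotted first.
Get-NetTCPConnection -LocalPort 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State
```

Disabling SMBv1 breaks clients and devices that speak nothing newer (old NAS boxes, printers, Windows XP itself), so run step 4 and check share access logs before rolling the change out fleet-wide. Blocking 445 on a file server is not the goal; blocking it on the workstations that WannaCry jumps between is.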
To be clear, if the vulnerabilities aren’t patched, an organisation will continue to be at risk for infection by this ransomware. However, the following Cisco Security products can limit the installation, spread, and execution of WannaCry:
- Cisco Network Security (NGFW, NGIPS, Meraki MX) products have had up-to-date rules to detect and block this malicious activity on SMB connections since the exploit became public in mid-April.
- Cisco Malware Protection technology (AMP on endpoints, network, and email/web gateways) has up-to-date intelligence on this ransomware and in fact detected and blocked its execution quickly.
- Cisco Cloud Security (Umbrella) blocks connections from malware to command-and-control infrastructure on the internet, which disrupts the malware's execution. In this case the block also tripped the 'kill switch' built into WannaCry: before encrypting, the malware tries to reach a hard-coded domain and exits if the connection succeeds, and Umbrella's block page answers that request. Hosts with no internet access, or whose only egress is an authenticating proxy, never reach the domain and get no benefit from the kill switch, so it is no substitute for patching.
There are likely to be variants of WannaCry in the coming days and weeks. While the current variant will be added to anti-virus signatures, new variants have the best chance of being caught by the behavioural detection in Cisco AMP.
Forfusion is offering organisations a FREE Threat Scan Report, which provides a comprehensive analysis of your exposure and a plan for protecting against ransomware. To apply, visit www.forfusion.com/security or email firstname.lastname@example.org