Resolution for WannaCry ransomware

  • 0

Resolution for WannaCry ransomware

Category : Uncategorized

What has happened?

UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack on last Friday (12-05-2017). Around 75,000 computers in 99 countries were affected by malware known as “WannaCry”, which encrypts a computer and demands a $300 ransom before unlocking it. The malware was able to spread thanks to flaws in old versions of Windows that were originally used by the NSA to hack into PCs before being made public by the Shadow Brokers group last month.

Among those infected were more than a dozen hospitals in England, a telecom in Spain, FedEx’s offices in the United Kingdom, and apparently, the Russian Interior Ministry. Within half a day, there were instances detected on six continents.

Several firms in Europe were the first to report having their mission-critical Windows systems locked, showing a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

Brief on WannaCry ransomware

WannaCry/Wcry ransomware is a relatively new ransomware variant which has been popped up using the file hosting service Dropbox. This comes on the heels of a Torrent Locker variant that was using abused Dropbox accounts to spread its payload.

Wcry initially spreads via an email, a malicious website, or dropped by another malware. Once the malware gains access to a user’s system, it drops its prerequisite files and components, after which it prompts the user to download files from Dropbox URLs (Dropbox has already been notified of these links, which have since been removed). These files include the TOR Browser Bundle and the executable file “!WannaDecryptor!.exe”. If the user clicks on the executable file, Wcry will display the ransom note shown below:

Who are affected?

This variant of the WannaCry ransomware attacks older Windows-based systems, and is leaving a trail of significant damage in its wake. Europe has the highest detections for the WannaCry ransomware. The Middle East, Japan, and several countries in the Asia Pacific (APAC) region showing substantial infection rates as well.

WannaCry’s infections were seen affecting various enterprises, including those in healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Due to the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

What does WannaCry ransomware do?

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.

WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010 released March, 2017.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.

Observations

The malware is using the MS17-010 exploit to distribute itself. This is a SMB vulnerability with remote code execution options – details: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

With MS17-010, the attacker can use just one exploit to get remote access with system privileges to copy payload to and transfer control to it later.

By remotely gaining control over victim PC with system privileges without any user action, the attacker can spray this malware in local network by having control over one system inside this network (get control over all system which is not fixed and affected by this vulnerability) and that one system will spread the ransomware in this case all over the Windows systems vulnerable and not patched to MS17-010.

Behavior:

By using command-line commands, the Volume Shadow copies and backups are removed:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

File-size of the ransomware is 3.4 MB (3514368 bytes)

Authors called the ransomware “WANNACRY” – string hardcoded in samples.

Ransomware is writing itself into a random character folder in the ‘ProgramData folder with the file name of “tasksche.exe’ or in C:Windows folder with the file-name ‘mssecsvc.exe’ and ‘tasksche.exe’.

Examples:

C:ProgramDatalygekvkj256tasksche.exe

C:ProgramDatapepauehfflzjjtl340tasksche.exe

C:/ProgramData/utehtftufqpkr106/tasksche.exe

c:programdatayeznwdibwunjq522tasksche.exe

C:/ProgramData/uvlozcijuhd698/tasksche.exe

C:/ProgramData/pjnkzipwuf715/tasksche.exe

C:/ProgramData/qjrtialad472/tasksche.exe

c:programdatacpmliyxlejnh908tasksche.exe

Ransomware is granting full access to all files by using the command:

Icacls . /grant Everyone:F /T /C /Q

Using a batch script for operations: 176641494574290.bat 

What can we do?

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

Patching

  • The ransomware exploits a vulnerability in SMB server. Patching is critical for defending against attacks that exploit security flaws. A patch for this issue is available for Windows systems, including those no longer supported by Microsoft. Here is the patch details from Microsoft.
  • Additional patches for older OS’es not already included in main MS17-010 bulletin above (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
  • Upgrade from obsolete Windows versions to the latest one. In case there is a concern about commercials, you may easily migrate to linux environment.
  • In case there is old hardwares (which does not support latest windows version), then better to go for desktop virtualization (thin client/zero client) so that next operation/management strategies will be better.
  • The WannaCry ransomware appears to only attack unpatched computers running Windows 10. But this doesn’t mean those whose computers run on Apple or Linux code should feel smug. They, too, should regularly update with software patches as they’re issued.

Endpoint and Gateway Security

  • Ensure Desktop/Laptop/Mobile devices are protected with antivirus, personal firewall, antimalware etc. If possible, it is better to go for total protection from an OEM, which are already internationally bench-marked.
  • Deploying firewalls and intrusion detection / prevention systems can help reduce the spread of this threat. WannaCry reportedly also uses spam as entry point. Identifying red flags on socially engineered spam emails that contain system exploits helps. IT and system administrators should deploy security mechanisms that can protect endpoints from email-based malware
  • A security system and practice must be deployed for continuous monitoring and management for proactively action on potential attacks in the network.
  • WannaCry drops several malicious components in the system to conduct its encryption routine. Application control based on a whitelist can prevent unwanted and unknown applications from executing. Behavior monitoring can block unusual modifications to the system. Ransomware uses a number of techniques to infect a system; defenders should do the same to protect their systems

Regular Backup

  • Ransomware will target the files and software in your system. So it is best to keep them backed up regularly. The best way to protect them offline using external harddisk somewhere away from the reach of the internet.
  • Incase backup is taken on cloud; the backup mechanism should run on intervals. It should not be always connected.
  • Ransomware infects at the system level. Hence complete backup of your Windows OS will also be helpful

Connectivity

  • Ransomware attacks are all through the internet. Hence it is essential to have a control on the path between your computer and the Internet.
  • WannaCry encrypts files stored on local systems and network shares. Implementing data categorization helps mitigate any damage incurred from a breach or attack by protecting critical data in case they are exposed
  • Network segmentation can also help prevent the spread of this threat internally. Good network design can help contain the spread of this infection and reduce its impact on organizations.
  • Whenever connectivity is not needed, the path should be closed or connectivity should be disconnected.
  • When you’re using public WiFi networks, make sure you tell your system that you’re on a public network (many will ask if it’s a public or home computer.) That tells your operating system that it’s functioning in a potentially threat-filled environment and it will close off some of its more vulnerable software ports to the outside.

Proactive Measures instead of Reactive

This is not end of it. Rather more destructive versions will be popping up soon. Hence remediation of present threat will not give us a resolution. Security is a journey, not a resolutions. Hence below measures should give us some breathing space:

  1. Network and Application Audit on regular intervals (vulnerability Assessment and penetration testing)
  2. 3rd Party Risk Assessment and Business Continuity Planning
  3. Information Security Process Adherence as per international bench-marking , certification, compliance and regular governance.
  4. Remediation as per GAP Analysis continuous basis
  5. Deployment of tools and technologies for proactive measures.
  6. Close harmony between people-process and tools.


Source: sushobhanm.wordpress.com


Leave a Reply