Way forward on “Wannacry” ransomware

May 15, 2017 6:09 am

It has been reported that a new ransomware named “Wannacry” is spreading widely. Wannacry encrypts the files on infected Windows systems and spreads by exploiting vulnerable Windows systems over the network. As you must be aware, there is a huge ransomware attack across the globe which has affected more than 90 countries. Following are a few details about the threat.

What does it do?

  • Encrypts files on Windows desktops/servers
  • The computer is not usable until a ransom of about US$300 in bitcoin (not 300 bitcoins) is paid to the wallet address shown in the ransom note
  • There is a timer until which the amount is to be paid; the demanded amount doubles after three days
  • After the timer expires, the ransom note threatens that all the files will be deleted.

What is the root cause?


A vulnerability in the Windows SMBv1 service (fixed by Microsoft in security bulletin MS17-010, and exploited by the leaked “EternalBlue” exploit) is used to spread from one machine to the next. Note that Windows SMB is not Samba: Samba is the Linux/Unix implementation of the same protocol and is not affected by MS17-010. The initial entry into a network is reported to be through phishing (see below); once a single machine is infected, the worm needs no further user interaction to spread.


How does it infect?


Approach 1:

  • User clicks on a phishing link
  • An exe is downloaded from the page; it downloads other files
  • Encrypts files on the machine
  • Deletes some system files, including the volume shadow copies, so local recovery is not possible
  • Finds other machines on the network via the SMB ports (139/445) and infects them without any user action

Approach 2:

  • If the SMB ports of Windows servers/PCs are open to the internet, they can be attacked directly by the worm, with no user involved

Approach 3:

  • Exe in an email attachment

From the speed at which it is spreading, Approach 2 (direct exploitation over SMB, both from the internet and inside networks once one machine is infected) seems to be the most common.

Are Linux based servers/applications in danger?

  • Until now, no infection of Linux servers or desktops has been reported. The worm is a Windows executable and the flaw it exploits is in Microsoft's SMBv1 implementation, not in Samba, so Linux hosts are not infected by it.
  • Files on Samba shares can still be encrypted if an infected Windows client has write access to the share, so review share permissions and make sure those shares are covered by backups.
  • As a safety measure, block incoming connections to the SMB ports in the external firewall:
    139 (NetBIOS session service)
    445 (SMB over TCP)
  • 3389 is RDP, not an SMB port. It is listed alongside them because it is another service that should never be exposed to the internet, but blocking it does nothing against this worm's SMB spreading.

Analysis of WanaCrypt0r 2.0

The exploit that the malware uses to spread, known as EternalBlue, was made available online on 14 April 2017 in a dump by a group called the Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack. Microsoft had already fixed the underlying flaw in March 2017 (security bulletin MS17-010), so systems that had applied that update were not vulnerable to the worm.

On Twitter, whistleblower Edward Snowden blamed the NSA.

“If @NSAGov had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened,” he said.

A counter-view:

“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation.”

“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”

The NSA is among many government agencies around the world that collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare.

Concerns

  • Indicators of compromise, batch file contents and affected files differ between otherwise similar worm samples on different endpoints. The scale is therefore gigantic and complex, and the worm's behaviour is changing.
  • Decryption is difficult. Decryption techniques that worked against older, similar ransomware families are not proving useful.
  • Immature asset mapping is hampering defence. Mapping servers and endpoints against their Windows version (if already done) is the key to mass disinfection in an organization.
  • Reverse engineering of the worm is helping, but because it is self-replicating, complete eradication is proving to be an arduous task.
  • Reaching out to the workforce for awareness is imperative; its success is yet to be seen because the outbreak started over a weekend. Some organizations have arranged project- and function-specific awareness sessions for the next two weeks.
  • Rule reconfiguration on firewalls/IPS/IDS is helping, but DLP rule changes are producing false positives and so affecting business email services or access to key resources.
  • SMB traffic is difficult to inspect, so blocking SMB at the perimeter and disabling SMBv1 on hosts appear to be the only practical options.
  • Encryption is performed in the background, so it is difficult to detect before the damage is done.
  • The malware proxies its command-and-control traffic through Tor and so achieves anonymity.
  • The malware is designed so that it can deliver many types of payload; what organizations will need to block in the coming days is an open question.
  • Blocking connections to Tor nodes and the Tor network is working for organizations.
  • Where SMB is publicly accessible from the internet, inbound traffic to it should be blocked.
  • Be ready with backups and a disaster recovery strategy.
  • SOCs and NOCs of Indian organizations should implement the IoCs received from or issued by CERT-In.
  • A few variants of this attack only partially work: they may not encrypt files because the ransomware archive inside them is corrupted. Analysis shows they act as backdoors for other similar variants to enter the organizational network.
  • Sinkholing the worm's kill-switch domain has slowed down the infections: the worm checks whether a hard-coded domain resolves and stops when it does, and a researcher registered that domain. This does not protect hosts that cannot resolve the domain, for example those behind a proxy without direct DNS.
  • Monitoring all vectors is imperative; do not restrict monitoring to email and SMB.
  • The worm also performs massive scanning of internet IP addresses to find and infect other vulnerable computers.
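
The scanning described in the last point, and the lateral SMB spreading described earlier, leave a simple trace in host firewall logs: one source opening connections to many distinct hosts on tcp/445 in a short time. The PowerShell function below is an added example written for this page, not code from the advisory or from Microsoft. It parses Windows Firewall log lines (pfirewall.log, W3C format; connection logging must be enabled and the logs collected centrally for it to see lateral movement), flags any internal source that reaches more distinct SMB targets than a threshold within a sliding window, and separately flags SMB arriving from a non-RFC1918 address, which means 139/445 is reachable from the internet. The log lines are constructed for the demonstration; the threshold and window are assumptions to tune locally.

```powershell
# Added example (not part of the advisory): detect hosts behaving like the worm's SMB scanner
# from Windows Firewall log lines (pfirewall.log, W3C format). Sample lines below are constructed;
# the threshold and window are assumptions to tune to your environment.

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $DistinctTargetThreshold = 10,   # distinct tcp/139|445 targets from one source ...
        [int] $WindowSeconds = 60              # ... within this many seconds
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $records = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }               # header / blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP') { continue }
        if ($f[7] -ne '139' -and $f[7] -ne '445') { continue }   # keep only SMB destinations
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($grp in ($records | Group-Object -Property Src)) {
        $evts = @($grp.Group | Sort-Object -Property Time)
        # Peak number of distinct destinations inside any window that starts at an event.
        $peak = 0
        for ($i = 0; $i -lt $evts.Count; $i++) {
            $end = $evts[$i].Time.AddSeconds($WindowSeconds)
            $targets = @($evts | Where-Object { $_.Time -ge $evts[$i].Time -and $_.Time -lt $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -gt $peak) { $peak = $targets.Count }
        }
        # Any SMB from a non-RFC1918 source means 139/445 is reachable from the internet.
        $external = $grp.Name -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
        if (-not $external -and $peak -lt $DistinctTargetThreshold) { continue }
        $verdict = if ($external) { 'inbound SMB from the internet: close 139/445 at the perimeter' } else { 'possible SMB worm scanning: isolate host, check MS17-010 and SMBv1' }
        [pscustomobject]@{ Source = $grp.Name; PeakTargets = $peak; Verdict = $verdict }
    }
}

# Constructed sample: 10.0.5.23 probes twelve neighbours on tcp/445 within three seconds,
# 10.0.5.40 makes two ordinary connections, and 198.51.100.77 (an internet address) reaches 445.
$scanLines = 1..12 | ForEach-Object {
    '2017-05-13 09:14:{0:00} DROP TCP 10.0.5.23 10.0.5.{1} {2} 445 52 S 118982 0 8192 - - - RECEIVE' -f ([math]::Floor($_ / 4)), (100 + $_), (49200 + $_)
}
$SampleFirewallLog = @(
    '#Version: 1.5'
    '#Software: Microsoft Windows Firewall'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
) + $scanLines + @(
    '2017-05-13 09:14:07 ALLOW TCP 10.0.5.40 10.0.5.200 50112 445 52 S 9981 0 8192 - - - SEND'
    '2017-05-13 09:14:09 DROP TCP 198.51.100.77 10.0.5.9 40120 445 52 S 3321 0 8192 - - - RECEIVE'
    '2017-05-13 09:14:10 ALLOW TCP 10.0.5.40 10.0.5.200 50113 443 52 S 9982 0 8192 - - - SEND'
)

Find-SmbScanners -Lines $SampleFirewallLog | Format-Table -AutoSize
```

On the sample, 10.0.5.23 is reported with twelve peak targets and 198.51.100.77 is reported as an external source; 10.0.5.40 is not reported. Against a real host, pass `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` as `-Lines`; a scan of a /24 by the worm produces far more than the default threshold, so false positives come mainly from vulnerability scanners and backup servers, which should be whitelisted by source address rather than by raising the threshold.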

Steps to run on user’s terminal to prevent and protect against this threat

  • To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
  • We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
    • Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547, as recommended previously
    • Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
  • Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 signature update. Enable Windows Defender Antivirus to detect this ransomware. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
  • For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
  • Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
  • Monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.
    https://blogs.technet.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
  • We request you to send a mail to all users making them aware of the precautions that avoid their desktops being infected by ransomware. In that mail, ask users not to open any unexpected mail or attachment, and not to open Microsoft Office attachments (docx, pptx, etc.) unless the mail is expected and the sender has been verified.
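
The patch check and the two workarounds above can be carried out and verified on a single host with the following PowerShell script. It is an added example written for this page, not code from the advisory or from Microsoft. It looks for the MS17-010 updates by KB number, reports whether SMBv1 is still enabled on the server and client side, and, if the host is exposed, disables SMBv1 as Knowledge Base Article 2696547 describes and adds a host firewall rule blocking inbound 139/445; it also checks whether Windows Defender signatures are at or past 1.243.297.0. Assumptions: an elevated session on Windows 8.1 / Server 2012 R2 or later (the SMB and Defender cmdlets do not exist on Windows 7), and that hosts received one of the listed KBs rather than only a later cumulative update that supersedes them, so "none found" means "verify in WSUS/SCCM", not proof of exposure.

```powershell
# Added example (not from the advisory or from Microsoft): check one Windows host for MS17-010
# exposure and apply the two interim workarounds. The KB numbers are the updates published with
# bulletin MS17-010; a later cumulative update that supersedes them will not be recognised.
#Requires -RunAsAdministrator

$Ms17010Kbs = @{
    'Windows 7 / Server 2008 R2'                  = 'KB4012212', 'KB4012215'
    'Windows 8.1 / Server 2012 R2'                = 'KB4012213', 'KB4012216'
    'Windows Server 2012'                         = 'KB4012214', 'KB4012217'
    'Windows 10 1607 / Server 2016'               = 'KB4013429'
    'Windows XP / 2003 / 8 (out-of-band, 12 May)' = 'KB4012598'
}

function Test-Ms17010Patched {
    # Returns the matching KB and platform, or $null when none of the known KBs is installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($platform in $Ms17010Kbs.Keys) {
        foreach ($kb in @($Ms17010Kbs[$platform])) {
            if ($installed -contains $kb) { return "$kb ($platform)" }
        }
    }
    return $null
}

function Get-Smb1State {
    # Server side: the SMBv1 protocol flag. Client side: whether the SMB1 redirector (mrxsmb10)
    # is still a dependency of the workstation service, which KB2696547 removes.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $client = (Get-Service -Name LanmanWorkstation).RequiredServices.Name -contains 'mrxsmb10'
    [pscustomobject]@{ ServerSmb1Enabled = $server; ClientSmb1Enabled = $client }
}

function Disable-Smb1 {
    # Workaround 1 (KB2696547): turn SMBv1 off on both the server and the client side.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 8.1 / 10 can also remove the optional feature outright (effective after reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

function Block-InboundSmb {
    # Workaround 2: block inbound SMB on the host firewall for every profile. This also stops
    # legitimate file sharing to this host; scope with -RemoteAddress if it is a file server.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 workaround)' -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
}

function Test-DefenderSignature {
    # $true when Defender signatures include Ransom:Win32/WannaCrypt; $null when Defender is absent.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) { return $null }
    [version]$status.AntivirusSignatureVersion -ge [version]'1.243.297.0'
}

$kb   = Test-Ms17010Patched
$smb1 = Get-Smb1State
Write-Host ('MS17-010 update found : {0}' -f $(if ($kb) { $kb } else { 'NONE - patch immediately' }))
Write-Host ('SMBv1 server enabled  : {0}' -f $smb1.ServerSmb1Enabled)
Write-Host ('SMBv1 client enabled  : {0}' -f $smb1.ClientSmb1Enabled)
Write-Host ('Defender sigs current : {0}' -f (Test-DefenderSignature))

if (-not $kb -or $smb1.ServerSmb1Enabled -or $smb1.ClientSmb1Enabled) {
    Disable-Smb1
    Block-InboundSmb
    Write-Warning 'SMBv1 disabled and inbound 139/445 blocked. Reboot to complete, then install MS17-010 and re-run.'
}
```

The order matters: the firewall rule and the SMBv1 change take effect immediately and buy time, while the patch is what actually closes the hole, so the script deliberately applies the workarounds even when it cannot tell whether the patch is present. Remove the firewall rule with `Remove-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 workaround)'` once the host is patched and the rule is no longer wanted.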

Best practices for prevention of ransomware attacks:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Regularly check the contents of database backup files for any unauthorized encrypted data records or foreign elements (backdoors/malicious scripts).
  • Keep the operating system and the third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
  • Maintain updated antivirus software on all systems and deploy gateway-level security as well.
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of genuine URLs, close the e-mail and go to the organization’s website directly from the browser.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
  • Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and virtual LANs.
  • Disable Remote Desktop connections where they are not needed, and employ least-privileged accounts.
  • Ensure the integrity of the code/scripts used in database, authentication and sensitive systems, and check the integrity of the information stored in databases regularly.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications.
  • Enable personal firewalls on workstations.
  • Implement strict External Device (USB drive) usage policy.
  • Establish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) for your domain. Together these detect email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
  • Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version of PowerShell (v5.1 at the time of writing) with enhanced logging enabled: script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP). Ransomware samples generally drop and execute from user-writable locations such as %TEMP% and %APPDATA%, so block execution from those paths. Enforce application whitelisting on all endpoint workstations.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
  • Block email attachments with these file types: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf
  • Employ data-at-rest and data-in-transit encryption.
  • Network and application audits, vulnerability assessment and penetration testing (VAPT) and information security audits are mandatory for critical networks/systems (especially database servers) at regular intervals.
  • Third-party risk assessment and deployment of an information security framework (like ISO 27001:2013) will add value.
  • Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released.
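
Three of the host-side items above (PowerShell logging, blocking macros in Office files that came from the Internet, and denying Remote Desktop) are driven by documented policy registry values, and the script below sets and audits them. It is an added example written for this page, not code from the advisory or from a vendor. Assumptions: Office 2016 (the "16.0" policy key; use "15.0" for Office 2013), the transcript share path, and that no Group Policy already manages these keys; in a managed estate Group Policy would overwrite them at the next refresh, which is also where they belong. The HKCU values apply to the user running the script, so roll them out per user or through policy.

```powershell
# Added example (not part of the advisory): set and audit three host-hardening items through their
# policy registry values. Assumptions: Office 2016 ("16.0"), the transcript share path, and that
# Group Policy does not already manage these keys.
#Requires -RunAsAdministrator

$PsPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = '\\logsrv01\pstranscripts$'    # assumption: write-only share pulled by the SIEM

$Settings = @(
    # Script block logging: de-obfuscated blocks are written to Microsoft-Windows-PowerShell/Operational, event 4104.
    @{ Path = "$PsPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 }
    # Transcription with invocation headers (timestamps per command) into the central share.
    @{ Path = "$PsPolicy\Transcription"; Name = 'EnableTranscripting';    Value = 1 }
    @{ Path = "$PsPolicy\Transcription"; Name = 'EnableInvocationHeader'; Value = 1 }
    @{ Path = "$PsPolicy\Transcription"; Name = 'OutputDirectory';        Value = $TranscriptDir }
    # Block macros in Office files that carry the Internet mark-of-the-web (per-user setting).
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security';       Name = 'blockcontentexecutionfrominternet'; Value = 1 }
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Excel\Security';      Name = 'blockcontentexecutionfrominternet'; Value = 1 }
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\PowerPoint\Security'; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
    # Deny inbound Remote Desktop connections on hosts that do not need them.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Value = 1 }
)

function Get-HardeningState {
    # One row per setting: expected value, current value, and whether they match.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Current   = $shown
            Compliant = ($current -eq $s.Value)
        }
    }
}

function Set-Hardening {
    # Create any missing key, then write the value with the right type (DWord for numbers).
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        $type = if ($s.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $type -Force | Out-Null
    }
}

Get-HardeningState | Format-Table -AutoSize                                        # audit before
Set-Hardening
Get-HardeningState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize   # anything left is non-compliant
```

Run `Get-HardeningState` on its own from a scheduled task to catch drift, and make sure the transcript share really is write-only for workstations: transcripts record command arguments, and a readable share hands an attacker both credentials pasted on the command line and a map of how the estate is administered.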

References :

https://sushobhanm.wordpress.com/2017/05/14/wannacry/

https://technet.microsoft.com/library/security/MS17-010

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

http://blog.talosintelligence.com/2017/05/wannacry.html

The post Way forward on “Wannacry”ransomware appeared first on Infocon.

Source: infoconglobal

This post was written by admin
