Protect Your Organization From WannaCry Ransomware with Carbon Black

WannaCry_Lead
Brian_Baskin
Exec-CB-Metallic-Mike-Viscuso
May 13, 2017 / Brian Baskin Michael Viscuso

While organizations have been under threat from ransomware for years, the attack landscape has been very narrowly focused. Victims tended to have to manually enable the attack through some method, such as opening email attachments or downloading unverified software. Much of that has changed with the large-scale WannaCry ransomware campaign that occurred on Friday.

 width=

Tens of thousands of systems have already been compromised, and the attack is still ongoing. Along with our peers in the industry, Carbon Black’s Threat Research Team has been actively analyzing the malware and its threats.

What we found was that the ransomware does not have any truly novel tricks up its sleeve. It is standard ransomware that, upon execution, creates dozens of files in its current location and starts infecting the system. It targets a specific set of file extensions, more than 150 of them, beginning with known Office documents, which is also in line with many other known ransomware families. What is truly unique about it is its method of delivery, which is believed to be through the now-known ETERNALBLUE exploit.

While the number of incidents is extremely high, many are believed to be the result of poor security posture. Protection against the ETERNALBLUE exploit is fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the SMB service, all of which can be actively disabled in an organization’s firewalls.

More importantly, these exploits have been actively resolved by current, and ongoing, patches released by Microsoft. Patches should be considered for immediate testing and release within an environment. These suggestions follow the established SMB Security Best Practices.

Additionally, Carbon Black customers have multiple defenses against WannaCry ransomware:

Cb Defense’s default policy will block WannaCry ransomware. Carbon Black is focused on delivering more focused protection against ransomware threats, the most prevalent and damaging attacks across industries. Cb Defense is ever-evolving such that new features will detect malicious activity from ransomware such as WannaCry and disable the malware before damage is done, even as it morphs.

Cb Protection running in Medium or High Enforcement mode will, by design, automatically prevent the ransomware from execution. This is due to Cb Protection’s strength in preventing execution of unknown binaries, especially those of very suspicious origins.

Cb Response will detect this threat using a combination of both behavioral and intelligence-based indicators. Notably, Cb Response and Cb Threat Intelligence contain watchlists for applications attempting to remove Windows Volume Shadow Copies via vssadmin.exe. Specific queries can easily be written to search for this behavior, and others like it. WannaCry, in particular, creates a single command line call to pave the way for its destruction:

“cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet”

Aspects of this attack can be detected using standard, intuitive queries. The removal of volume shadow copies can be detected through the query below:

((cmdline:vssadmin cmdline:delete cmdline:shadows cmdline:quiet) OR (cmdline:wmic cmdline:shadowcopy cmdline:delete))

The ransomware then disables the Windows Startup Repair mode, a feature that would allow users to boot Windows into a safe recovery mode to delete ransomware. This activity can be queried by:

(cmdline:bcdedit cmdline:default cmdline:recoveryenabled cmdline:no)

WannaCry takes the additional step of deleting existing backups using the Windows Backup command-line utility, wbadmin.exe. This action is not taken by many ransomware families and so many organizations do not have queries in place to search for it. This is easily performed with:

(cmdline:wbadmin cmdline:delete cmdline:catalog cmdline:quiet)

Ransomware is on track to be an $1 billion crime in 2017, according to FBI data. That’s a substantial increase from 2015, when ransomware was a “mere” $24 million crime. Additionally, ransomware emerged as the fastest-growing malware across all industries in 2016. It appears that healthcare is now in the cross hairs.

There are immediate steps your organization can take today to protect against WannaCry and other ransomware variants.

  1. Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.

     

  2. Secure your offline backups. Backups are essential: if you’re infected, a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.

     

  3. Configure firewalls to block access to known malicious IP addresses.

     

  4. Logically separate networks. This will help prevent the spread of malware. If every user and server is on the same network newer variants can spread.

     

  5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch-management system.

     

  6. Implement an awareness and training program. End users are targets, so everyone in your organization needs to be aware of the threat of ransomware and how it’s delivered.

     

  7. Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

     

  8. Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.

     

  9. Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.

     

  10. Use the principle of “least privilege” to manage accounts: No users should be assigned administrative access unless absolutely needed. If a user only needs to read specific files, the user should not have write access to them.

     

  11. Leverage next-generation antivirus (NGAV) technology to inspect files and identify malicious behavior to block malware and non-malware attacks that exploit memory and scripting languages like PowerShell.

     

  12. Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

     

  13. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

     

  14. Conduct an annual penetration test and vulnerability assessment.

Stopping ransomware requires a defense-in-depth approach; there is no silver bullet to security. Software alone is not the answer. IT and SecOps teams must build a strategy that combines user training, next-generation endpoint security, and backup operations.

Every strategy should start with the simplest, most immediate risk-mitigation techniques available in order to limit the attack surface. Concurrently, user training and backup infrastructures should be evaluated, implemented, and practiced.

And please, patch, patch, patch!

TAGS: Carbon Black / ransomware / WannaCry

Related Posts