How Digital Resilience Can Help Prevent or Mitigate the Impact of a WannaCry (wcry) Ransomware Infection

By Emil Kiner, RedSeal Senior Product Manager

Background

On Friday May 12th, the WannaCry Ransomware worm (a.k.a WanaCrypt0r 2.0, wcry) caught the attention of security researchers around the world as it rapidly spread to at least 80,000 vulnerable machines spanning 100 countries. Wreaking havoc on Windows servers and user workstations alike, the ransomware worm quickly began disrupting operations at impacted organizations including dozens of hospitals within the British National Health Service which had to shut down IT systems and turn away patients. Mission critical systems across telecommunications, financial services, transportation, and manufacturing have had to be taken offline globally as system administrators had to restore systems from backups or in many cases, pay the ransom.

Once the infection takes hold on a vulnerable system, the behavior of the worm follows the well-worn pattern of other ransomware attacks seen over the past few years. All the files on an infected machine are encrypted using strong encryption. The user is instructed to deposit the ransom ($300-$600 in the case of WannaCry) to a Bitcoin wallet to receive the decryption key before a deadline at which point the malware deletes the key and the files on the infected machine become permanently inaccessible. To incentivize quick payment, the ransom amount increases overtime as the deadline approaches.

How it spreads and general mitigation strategies

Ransomware typically spreads through phishing campaigns or malicious websites that require the victim to click a link or open a file. However, the most recent incarnation of the WannaCry ransomware is unique in that the malware includes a self-propagating worm capable of rapidly infecting all vulnerable systems within an enterprise’s network without any user interaction. The worm is particularly virulent because one of its self-propagation capabilities leverages a recently patched vulnerability in Windows SMBv1 impacting Windows XP through Server 2012 and is believed to utilize a professionally developed weapons-grade exploit of said vulnerability.  The most recent analysis from malware researchers (Avast, Malwarebytes, Kaspersky) reveals that this exploit involves sending a specially crafted packet over TCP ports 445 and 139 and UDP 137 and 138,  to vulnerable systems with SMBv1 enabled.

To prevent risk of infection, enterprise security organizations and system admins should patch vulnerabilities as soon as practical. Although the MS17-010 patch for the underlying SMBv1 vulnerability was issued by Microsoft in March 2017, resource limitations or arduous change management processes often slow down the pace of patch deployment within an enterprise. Until the patch is applied, system administrators should make sure their perimeter defenses are blocking internet and other untrusted traffic on the implicated ports, particularly TCP 445. Where practical, administrators can disable SMBv1 on vulnerable endpoints which don’t require the ubiquitous Windows service. In addition, all users on the network should be reminded to practice good internet hygiene and scrutinize unexpected emails before clicking links or opening attachments. Finally, a robust backup strategy will mitigate the impact of infection and avoid having to pay the ransom.

How Digital Resilience through RedSeal can help

Organizations which are Digitally Resilient can protect themselves by decreasing risk of infection in the first place as well as decreasing the costs and time to recover from a compromise. RedSeal enables organizations to be more resilient by efficiently assessing, limiting, and monitoring exposure, prioritizing vulnerable systems for remediation or mitigation, and accelerate incident response in the event of compromise.

1) Assessing and limiting exposure
Since WannaCry is known to propagate through SMB, it is important to identify and close access to SMB at the perimeter of an organization’s network. RedSeal users can run an access query from all Untrusted Networks to Trusted to identify all devices and endpoints accessible from untrusted networks over vulnerable ports (445, 139, 3389). Next, a detailed path query for all identified access will reveal precisely which network devices are permitting the undesired access. At that point, device owners can be told which devices to update to eliminate access over the implicated ports from the internet or other third party networks.


Access Query Results from Internet to rest of internal network


Visualizing access from the internet to the rest of the network

2) Identify and prioritize vulnerable systems for remediation and mitigation

First, vulnerability managers need to perform a vulnerability scan of all Windows endpoints in their environments to identify all relevant vulnerability instances. Since the underlying SMBv1 vulnerability has been known for over a month, many commercial vulnerability scanners (e.g. Rapid7, Qualys, and Tenable) have incorporated a check for the relevant CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148. Once the vulnerability scan results are imported into RedSeal, users can first verify that all areas of their network were scanned by checking for unscanned subnets which are reported as MI-7 in the Model Issues tab. If unscanned subnets do exists, a detailed path query between the scanner location and the omitted subnet will reveal the network devices and the relevant routing or firewall rules that are preventing access. Next, the vulnerable hosts can be visualized in the RedSeal network model and sorted based on their local and downstream risk to provide a risk-based prioritization of hosts for remediation or mitigation based on business value as well as local network context.

3) Containment and mitigating controls

In the event that a patch can’t be deployed yet, RedSeal users can easily produce a list of mitigating controls to isolate and contain a vulnerable endpoint. The network model can be leveraged to discover all areas of the network that are accessible from the vulnerable endpoint. A subsequent detailed path query between the vulnerable endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.


Visualizing the threat from a vulnerable host to the rest of the internal network on the Network Map


Detailed Path from a vulnerable host to a critical asset

4) Validate controls and Monitor

Once controls are deployed to contain unpatchable endpoints, enterprises will want to continuously monitor and validate they are in place and effective. To do so, users can leverage the Zones & Policies feature to model a segmentation policy prohibiting access over port 445 between a zone containing unpatched hosts and untrusted networks and as well as to other critical zones of an enterprise’s network. As the network model is updated, compliance with the segmentation policies is continuously verified. If the network model changes (e.g. new network device or a configuration change on an existing device) creating an access path that violates the policy, RedSeal can raise an alert and identify the offending device and location in the configuration file.


Modeling a WannaCry segmentation policy verifying that unpatched systems aren’t accessible from untrusted networks and can’t access critical systems

5) Recover faster through accelerated incidence response

Finally, RedSeal can accelerate any incidence response activities to contain or isolate an infected system as well as to interrupt attack path leading to your mission critical assets. Starting with an indicator of compromise in your SIEM dashboard or given the address of the compromised endpoint, RedSeal users can run the Incident Response query to identify all accessible topology groups as well as underlying assets that are directly accessible by the compromised endpoint. Next, the incident responder can view the detailed path between the infected system and a high value downstream system to identify where to update a FW or routing rule to remove access. Splunk users can leverage our in-product integrations in the event dashboard as well as the Adaptive Response Actions to seamlessly launch RedSeal Incident Response and Detailed Path.


Incident Response query showing all reachable topology groups and all targets within that group from a vulnerable host


Detailed Path results from a compromised host to a critical web server

Conclusion

The outbreak and new analysis is still unfolding. Through sheer luck and quick thinking, the current outbreak of the WannaCry ransomware has been slowed by capturing a hard-coded domain for the command and control server. Security researchers warn that future revisions of the ransomware can be equally virulent and can use a different server or different CNC mechanism entirely. Additionally, there is a chance that other vectors for propagation outside the scope of the MS17-010 patch can still exist. One major take away is that in addition to patch management and continued education about social-engineering based attack vectors including phishing, network segmentation is critical to protect organizations from worms like this. A robust multi-layer network segmentation or micro-segmentation policy and enforcement will help in preventing future infections and mitigate damage in the event of compromise. RedSeal helps you be more resilient by enabling you to know your network, efficiently perform risk-based prioritization, and accelerating response.