On May 12th, 2017, the WanaCry (or WCry, WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware was unleashed and caused over 75,000 attacks in 99 countries.
How Does the WanaCry Ransomware Work?
The ransomware initially entered organizations via a phishing email message and then exploited a vulnerability (MS17-010) in Windows to spread within a network, locking down computers and asking victims to pay $300 via Bitcoin. The Windows vulnerability was leaked as part of the NSA Shadow Brokers hack, and Microsoft released a patch soon after; however, many computers had not yet been updated at the time of the attack.
What Should I do? What do NetWatcher Customers do?
Customers first need to ensure they are not vulnerable to the attack: NetWatcher Managed Detection & Response customers leverage a built-in vulnerability scanner that periodically scans their environment for vulnerabilities. A customer who was vulnerable to the new ransomware would have seen the vulnerability titled “SMBv1 Unspecified Remote Code Execution (Shadow Brokers)” show up in their reports as a high severity issue, with a warning that they needed to patch the Windows asset.
Customers need to continuously monitor their network: NetWatcher customers leverage a Network Intrusion Detection System (NIDS) that continuously monitors their internet-bound network traffic in case an issue like this is ever seen in the future. NetWatcher’s NIDS uses many rulesets. Some of the best indicators come from the ProofPoint/Emerging Threats Open NIDS ruleset and are used as a correlation vector to detect a WanaCry ransomware attack. Example signatures are as follows:
ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)
ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
NetWatcher’s cloud correlation service leverages these events (and many others) and creates Alarms when a threat like the WanaCry worm is detected. Most NetWatcher customers set themselves up to receive High Security Alarms via SMS so they never miss a critical Alarm. If WanaCry is detected, a customer would see an email or SMS titled: “WanaCry (or WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware has been detected on XYZ asset!”
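How alerts carrying the four signatures above can be correlated per host, as an added example that is not NetWatcher's code. The Suricata EVE JSON input, the constructed sample events, the correlate function, its spread_threshold parameter and the severity grading are all assumptions made for illustration.

```python
import json
from collections import defaultdict

# Signature names exactly as listed above; these three fire on traffic sent by the exploiting host.
CLIENT_SIGS = {
    "ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010",
    "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)",
    "ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray",
}
RESPONSE_SIG = "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"

# Constructed sample in Suricata EVE JSON form (one event per line), not real traffic.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":445,"alert":{"signature":"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":445,"alert":{"signature":"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"}}
{"event_type":"alert","src_ip":"10.0.0.20","dest_ip":"10.0.0.5","src_port":445,"alert":{"signature":"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.21","dest_port":445,"alert":{"signature":"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"}}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.30","dest_port":445,"alert":{"signature":"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","dest_port":53,"alert":{"signature":"CONSTRUCTED unrelated alert"}}
{"event_type":"alert","src_ip":
"""

def correlate(eve_lines, spread_threshold=2):
    """Group MS17-010 alerts by exploiting host; grade 'high' when a target
    answered the exploit or the host hit spread_threshold or more targets."""
    hosts = defaultdict(lambda: {"targets": set(), "answered": set(), "sigs": set()})
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON log line
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        sig = ev.get("alert", {}).get("signature", "")
        if sig in CLIENT_SIGS:
            origin, target = ev["src_ip"], ev["dest_ip"]
        elif sig == RESPONSE_SIG:
            # Assumption: this alert fires on the server-to-client packet, so src/dest are swapped.
            origin, target = ev["dest_ip"], ev["src_ip"]
            hosts[origin]["answered"].add(target)
        else:
            continue
        hosts[origin]["targets"].add(target)
        hosts[origin]["sigs"].add(sig)
    report = {}
    for origin, h in hosts.items():
        high = bool(h["answered"]) or len(h["targets"]) >= spread_threshold
        report[origin] = {"severity": "high" if high else "medium", "targets": sorted(h["targets"]),
                          "answered": sorted(h["answered"]), "signatures": len(h["sigs"])}
    return report
```

Hosts listed under "answered" are the first candidates for isolation, and the origin host itself should be treated as infected.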
Ensure you’re monitoring your endpoints: NetWatcher’s endpoint Host Intrusion Detection (HIDS) and LOGS modules also add a high degree of value in producing events when ransomware is detected. The HIDS file integrity monitoring, rootkit detection and process monitoring events (as well as Windows security event log events) all aid the cloud correlation engine in determining what’s been exploited, how bad the exploit is and whether it is spreading. Any asset that is not on the corporate network and is running NetWatcher’s Sensor-in-the-Cloud™ endpoint could even be tracked remotely.
Respond quickly: Isolate any infected assets to prevent the malware from spreading.
What is NetWatcher?
NetWatcher is a 24×7 network and endpoint security monitoring service designed specifically for ease of use, accuracy and affordability. With NetWatcher you can reduce risk and support regulatory compliance security requirements. You get:
§ An advanced, tightly integrated, security platform that only the Fortune 5000 could afford in the past
§ Actionable threat intelligence on what malware exists in your enterprise and remediation guidance
§ Visibility into the unintentional insider threat — what your employees are doing on the network that is exposing the organization to exploit
§ A Secure Operation Center with security analysts monitoring your data and reaching out to your team when necessary
§ Easy to use customer portal designed for managers and IT, not for those hard to find security analysts, however you can go deep if you want…
§ Real time scores for today’s security situational awareness picture and the risk of exploit in the future
NetWatcher includes:
§ Host Intrusion Detection System (HIDS) Endpoint Agents
§ Network Intrusion Detection System (NIDS)
§ Security Information & Event Management System (SIEM)
§ Vulnerability Scanner
§ Net-flow Analysis
§ Actionable Threat Intelligence
Use Cases:
§ Monitor Corporate Network and Assets for Security Exploits and Hygiene Issues
§ Monitor AWS, Azure or Google Cloud Servers
§ Monitor Off Network Assets (via Sensor-in-the-Cloud™)
§ Regulatory Compliance-as-a-Service support for HIPAA, FINRA, NIST 800-171, PCIDSS, GLBA, NYCRR 500, etc.