WannaCry Ransomware Attack: What to Do Now


Upload: ibm-security

Post on 22-Jan-2018


TRANSCRIPT

Page 1: WannaCry Ransomware Attack: What to Do Now

WannaCry Ransomware: WHAT TO DO NOW

Diana Kelley, Executive Security Advisor, IBM Security

Kevin Albano, X-Force IRIS Global Lead for Threat Intelligence, IBM Security

Jim Brennan, Director of Strategy and Offering Management, IBM Security

May 16, 2017

Page 2: WannaCry Ransomware Attack: What to Do Now

2 IBM Security

Overview

•  What is WannaCry?

•  The anatomy of the attack

•  How to protect my organization NOW

•  Back to basics

•  Best practices

•  Next steps

Page 3: WannaCry Ransomware Attack: What to Do Now


What is the WannaCry ransomware attack?

•  Began on May 12, 2017, but leverages previously known exploits

•  Infiltrates endpoints and encrypts their files, demanding a ransom payment of $300 USD in bitcoin

•  Exploits a known vulnerability in the Windows SMBv1 server that enables remote code execution; Microsoft released the fix (MS17-010) in March 2017, so any system that has not installed that update is vulnerable

•  Crippled at least 100K organizations across multiple industries in over 150 countries

•  200K+ infected endpoints

Page 4: WannaCry Ransomware Attack: What to Do Now


What makes WannaCry so sophisticated?

•  The malware uses highly potent exploits widely attributed to the NSA, published by the “ShadowBrokers” group in April 2017

•  Exploits a flaw in SMBv1 (Server Message Block) that enables its worm-like propagation: no user interaction is needed, and any reachable unpatched host is a target

•  Uses strong hybrid encryption: each file is encrypted with its own symmetric key, and those keys are wrapped with a 2048-bit RSA key pair generated per victim, so files cannot be recovered without the matching private key

•  Uses a modular architecture of the kind found in legitimate software and in complex malware projects like banking trojans

Page 5: WannaCry Ransomware Attack: What to Do Now


WannaCry: The Anatomy of the Attack

•  Crippled at least 100K organizations across multiple industries in over 150 countries

•  200K+ infected endpoints

•  About $60,000 in ransom paid so far; the figure will rise, but paying the ransom is not recommended

•  The ransomware was slowed by the accidental discovery of a kill switch (an unregistered domain the malware checks before running)

•  However, new variants have emerged with no kill switch or with different kill-switch domains

LATEST INTEL: the attack, step by step

1. ROOT CAUSE: ? (the initial entry vector is not confirmed in this deck)

2. FIRST STAGE EXECUTED: invokes the SMB protocol to port-scan for other reachable hosts

3. PROPAGATION STEP 1: attempts to use an existing ‘DoublePulsar’ backdoor to push WannaCry to the target endpoint, then propagates from there

4. PROPAGATION STEP 2: ‘EternalBlue’ scans servers for DoublePulsar; if it is not found, EternalBlue exploits the host, delivers WannaCry and propagates

5. DROPS TOR CLIENT: launches a Tor client on the infected endpoint, anonymizing its communications

6. INITIATES ENCRYPTION: encrypts files matching 160 file extensions and deletes shadow copies

7. RANSOMWARE NOTICE: displays the ransom message with instructions to decrypt
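Two detections for the stages above, written as an added example for this page (not code from the IBM deck): one flags the SMB fan-out of stages 2-4 (a single source opening TCP/445 to many distinct peers in a short window), the other flags the shadow-copy deletion of stage 6 in process-creation telemetry. The script runs offline over constructed sample records; the field names (Src, Dst, DstPort, Time, Host, Image, CommandLine) and the thresholds are assumptions to be mapped onto your own flow export and Sysmon Event ID 1 / Security Event ID 4688 data.

```powershell
# Added example (not from the IBM deck). Two detections over constructed sample data.
#   1. SMB fan-out: one source opening TCP/445 to many distinct peers within a few minutes,
#      the signature of worm-style scanning (stages 2-4 above).
#   2. Shadow-copy deletion: vssadmin / wmic / bcdedit / wbadmin commands ransomware runs
#      before encrypting (stage 6), taken from process-creation events.
# Field names (Src, Dst, DstPort, Time, Host, Image, CommandLine) are assumptions.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][object[]]$Flows,
        [int]$PeerThreshold = 20,      # distinct destinations on 445 from one source...
        [int]$WindowMinutes = 5        # ...within this many minutes
    )
    $Flows |
        Where-Object { $_.DstPort -eq 445 } |
        Group-Object -Property Src |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object -Property Time
            $span   = $sorted[-1].Time - $sorted[0].Time
            $peers  = @($sorted | Select-Object -ExpandProperty Dst -Unique).Count
            if ($peers -ge $PeerThreshold -and $span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Source           = $_.Name
                    DistinctPeers445 = $peers
                    WindowSeconds    = [int]$span.TotalSeconds
                }
            }
        }
}

function Find-ShadowCopyDeletion {
    param([Parameter(Mandatory)][object[]]$ProcessEvents)
    # -match is case-insensitive by default, so "VSSADMIN.EXE" is caught as well.
    $rules = [ordered]@{
        'vssadmin-delete-shadows'  = 'vssadmin(\.exe)?\s+delete\s+shadows'
        'wmic-shadowcopy-delete'   = 'wmic(\.exe)?\s+shadowcopy\s+delete'
        'bcdedit-disable-recovery' = 'bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no'
        'wbadmin-delete-catalog'   = 'wbadmin(\.exe)?\s+delete\s+catalog'
    }
    foreach ($e in $ProcessEvents) {
        foreach ($name in $rules.Keys) {
            if ($e.CommandLine -match $rules[$name]) {
                [pscustomobject]@{ Host = $e.Host; Image = $e.Image; Rule = $name; CommandLine = $e.CommandLine }
                break   # one alert per event is enough
            }
        }
    }
}

# ---- Constructed sample data (not real telemetry) ----
$t0 = Get-Date '2017-05-12T08:00:00'
$SampleFlows = @(
    # an infected workstation sweeping its /24 on 445, one connection per second
    foreach ($i in 1..40) {
        [pscustomobject]@{ Src = '10.1.2.50'; Dst = "10.1.2.$i"; DstPort = 445; Time = $t0.AddSeconds($i) }
    }
    # a normal client talking to one file server
    [pscustomobject]@{ Src = '10.1.2.77'; Dst = '10.1.0.10'; DstPort = 445; Time = $t0.AddMinutes(1) }
    # web browsing, not SMB
    [pscustomobject]@{ Src = '10.1.2.77'; Dst = '93.184.216.34'; DstPort = 443; Time = $t0.AddMinutes(2) }
)
$SampleEvents = @(
    [pscustomobject]@{
        Host = 'WS-0050'; Image = 'C:\Windows\System32\cmd.exe'
        # constructed, modelled on the command chain reported for WannaCry
        CommandLine = 'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'
    }
    [pscustomobject]@{
        Host = 'WS-0077'; Image = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin list shadows'    # benign admin query, must not alert
    }
)

Find-SmbFanOut -Flows $SampleFlows | Format-Table -AutoSize
Find-ShadowCopyDeletion -ProcessEvents $SampleEvents | Format-Table -AutoSize
```

On the sample data the first detection reports 10.1.2.50 with 40 distinct peers on 445 in 39 seconds and ignores the client that talks to a single file server; the second reports WS-0050 under the vssadmin rule and stays silent on the benign `vssadmin list shadows`. The fan-out threshold is the tunable part: file servers and vulnerability scanners legitimately touch many peers on 445, so exclude them explicitly rather than raising the threshold for everyone.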

Page 6: WannaCry Ransomware Attack: What to Do Now


How can I protect my organization now?

1. Scan for the DOUBLEPULSAR backdoor during cleanup and confirm that anti-virus signatures are up to date

2. Reduce your attack surface by ensuring that all Windows systems have the MS17-010 update installed

3. Block SMB ports (particularly TCP 139 and 445) from external hosts; block UDP ports 137 and 138 from the local network to the WAN

4. Disable SMBv1 on clients and servers by policy; the exploited flaw is in SMBv1. Keep SMBv2/SMBv3 enabled: in Windows they share a single setting, so turning off SMBv2 also removes SMBv3, and neither is affected by this vulnerability

5. Back up critical data on a regular basis, and keep at least one copy offline or otherwise unreachable over SMB, since a worm that spreads over file shares will encrypt any backup it can reach
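The host-side parts of steps 1-4 above as an added example (not code from the IBM deck), for Windows 8.1 / Server 2012 R2 or newer: it reports whether an MS17-010 update is installed, whether the SMBv1 server and client are still enabled, and, with `-Apply`, disables SMBv1 and adds a host-firewall rule for inbound 139/445. Assumptions: the `$KnownKBs` list is a starting point (MS17-010 shipped as several OS-specific updates and later cumulative updates supersede them, so "no match" means "check the build's update history", not "vulnerable"), the firewall rule name is made up for this example, and the UDP 137/138 LAN-to-WAN block from step 3 is a perimeter rule that this host script does not set.

```powershell
# Added example (not from the IBM deck). Check and apply steps 1-4 on one Windows host.
# Run in an elevated PowerShell session. Without -Apply it only reports.
# $KnownKBs is an assumption: partial list of MS17-010 packages; superseding cumulative
# updates also contain the fix, so treat "none found" as a prompt to check, not proof.

param([switch]$Apply)

function Test-Ms17010Patched {
    param([string[]]$KnownKBs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                  'KB4012214','KB4012217','KB4012598','KB4012606',
                                  'KB4013198','KB4013429'))
    $hits = Get-HotFix | Where-Object { $KnownKBs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010KbFound = [bool]$hits
        MatchedKBs     = (($hits | Select-Object -ExpandProperty HotFixID) -join ', ')
    }
}

function Get-Smb1State {
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # the SMB1 redirector is a kernel driver, so ask WMI rather than Get-Service
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        ClientSmb1Driver  = if ($drv) { "$($drv.State) / start=$($drv.StartMode)" } else { 'not present' }
    }
}

function Disable-Smb1 {
    # Server side: stop offering the SMB1 dialect. SMB2/SMB3 are governed by a separate
    # setting (EnableSMB2Protocol) and stay on; they are not affected by MS17-010.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: drop the SMB1 redirector from the workstation service's dependencies
    # and stop it from loading (takes effect after a reboot).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 7 / 2008 R2 have no Set-SmbServerConfiguration; the server-side equivalent is:
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
}

function Block-InboundSmb {
    param([string[]]$Profile = @('Public','Private'))
    # Host-firewall rule for endpoints that should not serve files. File servers need an
    # allow-list at the perimeter instead, and remote-admin tools that ride on 445
    # (psexec-style service installs, for example) stop working wherever this rule applies.
    $name = 'WannaCry: block inbound SMB'   # rule name is an assumption for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile $Profile | Out-Null
    }
}

Write-Host '== MS17-010 =='
Test-Ms17010Patched | Format-List
Write-Host '== SMB1 state before =='
Get-Smb1State | Format-List
if ($Apply) {
    Disable-Smb1
    Block-InboundSmb
    Write-Host '== SMB1 state after (reboot needed for the client-side change) =='
    Get-Smb1State | Format-List
}
```

The report/apply split matters during an outbreak: run the report across the fleet first (the functions are self-contained, so they drop into an Invoke-Command or endpoint-management job), then apply on hosts whose SMBv1 dependence you have ruled out, because legacy NAS devices, printers and old scanners still speak only SMBv1 and will lose access to shares on the hosts you harden.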

Page 7: WannaCry Ransomware Attack: What to Do Now

Security best practices

•  PATCH: Apply critical vulnerability patches to reduce attack surface

•  BLOCK: Protect networks from advanced threats and malware

•  MONITOR: Leverage deep security analytics to correlate disparate data and detect emerging threats

•  RESPOND: Orchestrate an incident response plan

Page 8: WannaCry Ransomware Attack: What to Do Now

Patching 101: where endpoint tools are challenged (PATCH)

•  Fragmented defenses, slow to respond

•  Insufficient visibility

•  Sporadic endpoint hygiene

•  Silos of teams and tools

Page 9: WannaCry Ransomware Attack: What to Do Now

Apply critical vulnerability patches enterprise-wide to reduce attack surface (PATCH)

1. Ensure the ability to discover and report on all endpoints (including unmanaged ones) regardless of location and bandwidth

2. Automate patch deployment to impacted endpoints wherever possible

3. Use closed-loop verification to confirm that each patch actually installed

4. Enable a state of continuous policy enforcement across endpoints to reduce attack surface

Page 10: WannaCry Ransomware Attack: What to Do Now

Block malware and advanced threats from entering your network (BLOCK)

1. Deploy network protection devices in-line

2. Ensure you have IP reputation and URL filtering feeds to enable automatic blocking of access to malicious sites

3. Ensure network protection signatures and firmware are up to date

Page 11: WannaCry Ransomware Attack: What to Do Now

Detect emerging threats by leveraging deep security analytics (MONITOR)

1. Get a common, correlated and prioritized view of security-relevant logs, network traffic flows and user behavior

2. Deploy network security devices to detect malicious software and exploit activity in real time

3. Use a cloud-based malware analysis service with automatic submit/receive capability for rapid threat identification

4. Use cognitive analytics to go beyond the limits of structured data and incorporate the latest global research insights on active threats

Page 12: WannaCry Ransomware Attack: What to Do Now

Transform incident response to align people, process, and technology (RESPOND)

1. Preparation is paramount: develop an incident response plan and test it to align people, processes and technology

2. Ensure IR processes are consistent, proven, easy to refine, and compliant

3. Identify, detect, contain and remediate threats before they spread and cause more damage

4. Enable decisive action through complete IR orchestration and automation

5. Get help from highly skilled experts with incident management and security intelligence experience during a crisis

Page 13: WannaCry Ransomware Attack: What to Do Now

IBM Security is here to help

•  PATCH: Apply critical vulnerability patches to reduce attack surface (BigFix)

•  BLOCK: Protect networks from advanced threats and malware (QRadar Network Security (XGS))

•  MONITOR: Leverage deep security analytics to correlate disparate data and detect emerging threats (QRadar with Watson, X-Force Exchange, X-Force Malware Analysis)

•  RESPOND: Orchestrate an incident response plan (Resilient, BigFix, X-Force IRIS)

•  Across all four: IBM Managed Security Services

Page 14: WannaCry Ransomware Attack: What to Do Now


Next steps

•  Follow the updates on X-Force Exchange

•  Refer to the X-Force Ransomware Response Guide to evaluate organizational readiness

•  Learn more about protecting your organization: sign up for our webinar series to learn more about monitoring, patching, blocking & responding

For immediate help, call the IBM X-Force Incident Response Hotline

USA +1-888-241-9812 Global +1-312-212-8034

Page 15: WannaCry Ransomware Attack: What to Do Now

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU