I don’t mean to sound lackadaisical; certainly we need to be aware of any new variant in the battle against ransomware. We are continuously reviewing the ransomware prevention kit to see what tweaks might be necessary to enhance the protections against new variants. The bad guys are always going to be out there trying new things.
But this weekend’s WannaCry ransomware outbreak wasn’t built by a new genius; it was just another person taking advantage of lax attitudes toward patching and security. Essentially the writer was counting on IT not adhering to certain well-accepted best practices.
Sure, you will always have those machines that can’t apply patches, have to remain on XP, or require SMB 1.0, and they add security risks. Yes, those exceptions to the rule exist, but attacks like WannaCry only work if the exception becomes the rule.
Am I calling out my fellow IT admins here? Yes, I kind of am. There will always be exceptions to every policy, but a secure network should not succumb to them. Best practices are what separate a professional from everyone else. As an IT professional I take pride in my role in a well-secured and productive business.
There’s just no substitute for good IT. No software package is going to save us from the scourge of ransomware. It is up to IT to put the policies in place to protect the network.
Let’s break down how WannaCry gets on your network
Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. According to open sources, one possible infection vector is via phishing emails.
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.
The information in this FLASH was obtained through an FBI investigation and is provided in conjunction with the FBI’s statutory requirement to conduct victim notification as outlined in 42 USC § 10607.
The above is the official word from the FBI.
You should also read this article from our friends at Bleeping Computer. Lawrence has been a guest with us and writes excellent breakdowns of how specific ransomware variants work.
In summary it says:
This infection has two significant parts. One is a worm that executes the code to begin encryption and stops certain services.
The worm uses SMB1 to discover file shares on the network. Once there, it runs a command to change the permissions to Everyone so it can encrypt all of the files. When it encrypts a file it changes the file name by appending .WNCRY.
It attempts to stop certain services so that it can encrypt your SQL and mail server databases. Here is the list of services it stops, using the taskkill command: mysqld.exe, sqlwriter.exe, sqlserver.exe, msexchange.exe.
After it is done encrypting, it runs a .exe file to display the ransom note.
How do you prevent it?
- You patch your systems. The worm can’t run if the patches released in March 2017 were applied to the system. That’s it. Truly, it was that simple. If the machine was patched, this infection can’t even get started. Specifically this patch: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
What other steps can you take?
Before you ask: yes, even if your systems are fully patched and you’ve made sure that you are safe for today, you should still take some additional steps. These additional steps might just protect us against a future variant. We can see the pattern that this attacker used. Sure, an unpatched vulnerability was used this time, but something else might be used next time to allow the same type of activity to run.
- Turn off SMB 1.0
- Add .WNCRY to the list of disallowed file types in FSRM
- Do not allow .dll files to run from user locations
- Block access to https://dist.torproject.org
- Make sure that users are not running as Admin on their computers
All but the first item in that list are currently in the ransomware prevention kit. You have the tools! Let’s use them to prevent the next variant of this infection from happening to our networks.
Instructions for disabling SMB 1.0 on your computers will soon be added to the ransomware prevention kit.
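As an added example (not code from the post or from the Third Tier kit), here is a PowerShell script that checks the two items above that decided this outbreak, the MS17-010 update and SMB 1.0, and adds the FSRM screen for .WNCRY files. It assumes Windows Server 2012 R2 or later with the FSRM feature installed; the KB list is a placeholder you fill in from the MS17-010 bulletin for your OS build, and D:\Shares is a constructed sample path.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Third Tier kit or the post: audit and harden a
# Windows server against the entry points listed above and add the .WNCRY screen.
# Assumptions: Windows Server 2012 R2+ with the FSRM feature installed,
# $Ms17010Kbs filled in from the MS17-010 bulletin for this OS build,
# and $ScreenPaths pointing at the shared folders to protect.
param(
    [string[]] $Ms17010Kbs  = @('KB<fill-in-from-MS17-010-bulletin>'),  # placeholder
    [string[]] $ScreenPaths = @('D:\Shares'),  # constructed sample path
    [switch]   $Remediate
)

# 1. Is the March 2017 SMB fix installed? Get-HotFix lists installed updates.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: NOT found; the worm can run against this host until it is patched"
}

# 2. Is SMB 1.0 still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMB1 is enabled"
    if ($Remediate) {
        # Turns off the protocol the worm uses to reach shares; the exceptions the
        # post mentions (hosts that genuinely need SMB1) will lose access.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMB1 disabled"
    }
} else {
    Write-Output "SMB1 is disabled"
}

# 3. FSRM file screen: refuse writes of *.WNCRY into the shares, so the worm
#    cannot save its encrypted output there.
if ($Remediate) {
    Import-Module FileServerResourceManager
    if (-not (Get-FsrmFileGroup -Name 'WannaCry' -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name 'WannaCry' -IncludePattern '*.WNCRY' | Out-Null
    }
    foreach ($path in $ScreenPaths) {
        if (-not (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue)) {
            # -Active blocks the write instead of only logging it
            New-FsrmFileScreen -Path $path -IncludeGroup 'WannaCry' -Active | Out-Null
            Write-Output "FSRM screen for *.WNCRY created on $path"
        }
    }
}
```

Run it without -Remediate first to see the audit result; run it with -Remediate on a file server where no remaining client depends on SMB1.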
About Third Tier
Established in 2008, Third Tier works only for IT professionals, providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands-on support they need in areas they normally don’t work in or with problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.