The WannaCry ransomware has gained publicity worldwide after quickly spreading to more than 200,000 computers in 150 countries in just one day. Once on the infected computer, the worm encrypts all data and requests ransom payments of several hundred dollars in the cryptocurrency bitcoin.
The ransomware affected several large companies including Telefónica, Gas Natural and Iberdrola in Spain, Britain’s National Health Service (NHS), FedEx in the US, Deutsche Bahn and LATAM Airlines. While specific infections of ICS networks have yet to emerge, their likelihood is extremely high, and the outbreak has already caused companies such as Renault to stop production at several sites.
Network monitoring is key to detecting and responding to this threat in a timely manner, even in the aftermath of the infection. Here we provide more details about how the ransomware works, three simple tips that asset owners can follow to prevent the infection, and how SilentDefense can make their life easier.
How Does WannaCry Work?
The ransomware targets computers with a Windows operating system. It infects and spreads through its victims via several vectors, including spear phishing emails and the exploitation of critical network vulnerabilities with known exploits such as EternalBlue and DoublePulsar, both allegedly developed by the U.S. National Security Agency (NSA).
Both exploits target the Server Message Block (SMB) server. SMB is built into and enabled by default in every Windows OS, making the attack surface quite extensive unless a restrictive configuration has been applied.
Microsoft issued a critical security bulletin regarding this vulnerability back in March 2017 (MS17-010), and delivered patches for the affected operating systems a month later.
An early version of WannaCry contained a kill switch mechanism. The ransomware would determine whether it should take further actions by querying a specific Internet domain at startup. By leveraging this mechanism, it was possible to slow down its spread after the initial infection. Experts expect the kill switch mechanism will not be included in future versions, so modified versions of the ransomware might be harder to stop.
What Should ICS Asset Owners Do?
While a proper segmentation between IT and OT networks might make the worm’s spread harder, it will not eliminate the risk. In fact, the worm can find other ways into the ICS network, for instance through a third-party contractor’s laptop during maintenance or configuration activity. Below are three effective countermeasures to protect your network from WannaCry:
- The simplest countermeasure of all is to avoid opening links or attachments from suspicious emails or senders.
- Leverage your asset inventory information to identify vulnerable computers and apply the patches released by Microsoft. Specific patches have also been released for legacy OS versions for which support has ended (Windows XP, Windows Server 2003). As legacy systems might stop working after patching, the decision whether to patch should be carefully assessed and thoroughly tested.
- Leverage your asset inventory information to identify vulnerable computers and disable SMB version 1, since the vulnerability affects this version specifically. Several applications and systems in industrial environments might rely on SMB version 1, so some of them might stop working as expected after this configuration change. The decision whether to disable SMB version 1 should be carefully assessed and thoroughly tested.
How Can SilentDefense Help?
SilentDefense is a passive network monitoring and threat hunting platform. It features advanced capabilities to automatically create an inventory of active network assets and flows, detect exploitation attempts and cyberattacks, and identify existing and emerging threats in the network.
In the specific case of WannaCry, SilentDefense can help automate several tasks and speed up incident response. Here is a simple mapping between SilentDefense’s features and how it helps to protect your network from WannaCry.
| SilentDefense Feature | How It Helps with WannaCry |
|---|---|
| Detects exploitation of the MS17-010 vulnerability, along with the ransomware’s anomalous DNS request, out of the box and with no updates required, through our whitelisting and signature-less detection engines. | WannaCry spreads within corporate networks by leveraging an SMB vulnerability. Since the disclosure of the working exploit(s), security experts and vendors have released several signatures. While this is a quick and easy way to deploy a rapid initial line of defense, attackers could modify the exploit payload to evade detection. Hence, a signature-less approach like SilentDefense’s is needed. |
| Automatic creation of an asset inventory of systems running the Windows OS, including its version and the version of SMB in use. Network map displaying communication links between IT and OT networks over SMB. | Automating the creation of the asset inventory used to identify vulnerable systems, apply patches and disable SMB version 1. The visualization of SMB communication links between IT and OT networks reveals possible paths for the ransomware into the OT network, enabling users to prioritize patching or to configure firewalls to block those communications. |
| Enabling threat hunting teams to further define indicators of compromise and analyze network traffic. | Running additional analysis of network traffic and identifying new variants of the ransomware. |
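As an added example (not SilentDefense code, nor code from this post), the following Python sketches the passive SMB inventory that the second countermeasure and the table's asset-inventory row rely on: it parses client negotiate requests observed on the network and tells SMBv1-only hosts apart from SMB2-capable clients that merely open with an SMB1 negotiate. Packet payloads and IP addresses are constructed for the example.

```python
import struct
from collections import defaultdict
SMB1_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000  # SMB_COM_NEGOTIATE / SMB2 NEGOTIATE
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

def parse_negotiate(payload):
    """Classify a client negotiate request (NetBIOS session header stripped): (proto, dialects) or None."""
    if payload[:4] == b"\xffSMB" and len(payload) >= 35 and payload[4] == SMB1_NEGOTIATE:
        wc = payload[32]                                       # WordCount (0 for negotiate)
        bc = struct.unpack_from("<H", payload, 33 + 2 * wc)[0]  # ByteCount
        data = payload[35 + 2 * wc:35 + 2 * wc + bc]
        # Each dialect is a 0x02 byte followed by a NUL-terminated ASCII name.
        return "SMB1", [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d[:1] == b"\x02"]
    if payload[:4] == b"\xfeSMB" and len(payload) >= 100:
        if struct.unpack_from("<H", payload, 12)[0] != SMB2_NEGOTIATE:
            return None
        count = struct.unpack_from("<H", payload, 66)[0]       # DialectCount; dialect array at offset 100
        return "SMB2", [SMB2_DIALECTS.get(c, hex(c)) for c in struct.unpack_from("<%dH" % count, payload, 100)]
    return None
def smb_inventory(records):
    """records: iterable of (client_ip, payload) -> {client_ip: set of labels}. SMB2-capable Windows
    clients also open with an SMB1 negotiate but advertise an 'SMB 2.*' dialect in it; legacy-only dialects mark SMBv1."""
    inv = defaultdict(set)
    for client, payload in records:
        parsed = parse_negotiate(payload)
        if parsed is None:
            continue
        proto, dialects = parsed
        if proto == "SMB2":
            inv[client].add("SMB2+")
        elif any(d.startswith("SMB 2.") for d in dialects):
            inv[client].add("SMB1/SMB2-capable")
        else:
            inv[client].add("SMB1-only")
    return dict(inv)

def build_smb1_negotiate(dialects):
    """Constructed SMB1 negotiate request; header fields other than protocol/command are zeroed."""
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return b"\xffSMB" + bytes([SMB1_NEGOTIATE]) + b"\x00" * 28 + struct.pack("<H", len(data)) + data
def build_smb2_negotiate(codes):
    """Constructed SMB2 negotiate request with only the fields the parser needs filled in."""
    header = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, SMB2_NEGOTIATE, 0) + b"\x00" * 48
    body = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 16 + struct.pack("<IHH", 0, 0, 0)
    return header + body + struct.pack("<%dH" % len(codes), *codes)
SAMPLE_RECORDS = [  # constructed traffic: an SMBv1-only OT host, a mixed client, a modern client
    ("10.0.1.10", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.1.11", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.2.20", build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302])),
]
```

Only the client side is classified here; in a real capture the server's negotiate response settles which dialect the session actually uses.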