By: pu239
July 6, 2017
Response & Action | The Post WannaCry Ransomware Attack Report
By: pu239
July 6, 2017
What happened?
The WannaCry strain of encryption-based ransomware, also known as Wanna Decryptor, WCRY, or WannaCrypt, began spreading through Europe to Windows-based computers on May 12, 2017, and holding victims’ data hostage for ransom.
As the day progressed, many large firms in Spain, Britain, Russia, China, and Portugal were forced to shut down part or all of their operations due to the attack. Within a week of the attack, it is estimated over 300,000 computers were infected.
While the attack also made its way to the U.S., to date, the list of U.S. victims is relatively small by comparison.
Response:
As soon as news of the WannaCry ransomware propagation was discovered (very shortly after the attack began), we kicked off focused vulnerability scanning on our client’s networks looking for the specific vulnerability. AlienVault, an industry leading SIEM, Vulnerability Scanner, Asset Scanner and Intrusion Detection System, was utilized for vulnerability scanning. AlienVault updates itself several times daily and, through its onboard heuristics, had already escalated the vulnerability threat to its highest possible level prior to these scans.
We actively communicate with our clients to inform them of the threat and provided a detailed explanation of what was going on both globally and within their network. Additionally, we identified how it could affect their business, and how we were moving forward with prevention and remediation.
Action:
It was identified that a critical update for Microsoft Windows SMB Server, available in Security Bulletin MS17-010, needed to be installed on all Microsoft Windows workstations and servers. Also, as a countermeasure, we verified that our clients’ firewalls and routers blocked TCP ports 445 and 139.
Our AlienVault vulnerability scan reports provided us with a comprehensive list of assets that were vulnerable to the WannaCry ransomware threat on our clients’ networks (i.e. all Windows machines that did not have MS17-010 applied) and within minutes of receiving the results of the scans, we had formulated a plan to begin patching and updating the affected assets. We conferred with our clients and began moving forward with prevention and remediation.
Within 24 hours of news of the outbreak, our clients Microsoft Windows workstations and servers that didn’t already have update MS17-010 applied, had been patched. In this case, it was less than 3% of the total number of workstations on our clients’ networks. Our clients’ servers had already received and installed the update prior to May 12th.
What did we learn?
1) Rapid identification and the initial response is critical. The sooner an active threat is identified, the sooner everyone not affected can begin working to minimize the threat to their business.
2) Frequent vulnerability scanning and system patching are essential to ensuring identified vulnerabilities are addressed, and don’t escalate into immediate threats. Since we regularly scan for vulnerabilities and perform system patching and updating for our clients, only a very small percentage of our clients’ computers were vulnerable to the WannaCry threat, thus reducing their threat matrix, vulnerability footprint, and remediation timeline. A total win-win situation.
3) Vulnerabilities initially identified as an “info” or “low” (minor) threats or vulnerabilities can rapidly become classified as serious or “High”. Originally identified by Microsoft in March of 2017, this threat was globally classified as an “Info” (very low) severity level threat, as seen in the image below from a Vulnerability scan run on one of our client’s network prior to May 12th: However, within minutes of the WannaCry outbreak, AlienVault had reclassified this same vulnerability to “High” severity:
4) No matter how frequently an organization does vulnerability scans and runs system updates, some assets will slip by or get skipped. This can be due to any number of factors, including, but not limited to:
• Workstation or laptop powered off during scheduled run of vulnerability scan or system update
• Workstation or laptop in a remote location and not connected to the corporate network or have any available WIFI connection.
• Antivirus software interferes with scan or update due to false-positive classification.
• The list goes on and on…
Plan and execute random vulnerability scans whenever feasible and possible outside normally scheduled times. This may help catch assets that weren’t scanned previously.
