How To Stop WannaCrypt Infections With The Cato Cloud


WannaCrypt, in what’s being called the “largest” ransomware attack in history and an “audacious global blackmail attempt,” broke out Friday evening. In a matter of hours, the ransomware had swept across 45,000 computers in 74 countries.

Like many ransomware attacks, WannaCrypt leverages phishing as an attack vector. But what makes the attack so unusually virulent is how it exploits a vulnerability in the Windows SMB protocol. SMB is used by Windows machines for sharing files, and the ransomware uses SMB to spread to other vulnerable devices on a network.

IT managers should take immediate action to protect their users and networks against the ransomware, whose technical name is WCry and which has also been referred to as WannaCry, WanaCrypt0r, and Wana Decrypt0r. All Windows-based machines should be updated, including industrial devices, such as ATMs, and Windows 10 devices, which were not targeted by the attack. Detailed steps are provided below.

Attack Vectors

What’s particularly interesting about WannaCrypt is that it uses “EternalBlue,” an alleged NSA attack that was leaked last month.

EternalBlue exploits a vulnerability in the Server Message Block version 1 (SMBv1) protocol to spread between machines. More specifically, the attack exploits a flaw in the way an SMBv1 server handles certain requests. By sending an SMBv1 server a specially crafted packet, an attacker could cause the server to disclose information and, at worst, achieve remote code execution.

Once installed, the ransomware encrypts the files on the machine. Victims are asked to pay $300 to remove the infection (see Figure 1). Some WannaCrypt actors are also dropping “DoublePulsar” onto the machines. DoublePulsar is a “malware loader” used by attackers to download and install other malware.

Figure 1: Sample WannaCrypt screen

The attack was thought to be mitigated by a “killswitch” discovered by a security researcher last week. The security researcher registered a domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com) called by the malware. Seeing a registered domain, the malware stopped its operation.

IT managers should remain vigilant, though. The threat could be easily changed to use a different domain. To date, no such variant has been found, despite earlier claims to the contrary.

What You Can Do

Cato Research recommends that all organizations update their Windows machines (including those running XP and other, unsupported Microsoft versions). Due to the scale of the attack, Microsoft took the unusual step of releasing a patch for older, unsupported Windows versions. The Microsoft Research team says Windows 10 customers were not targeted by the attack, but the operating system is still vulnerable and should be updated.

In the near term, Cato customers should take four actions until they are certain all systems have been updated and the attack subsides:

- Use URL Filtering to stop phishing efforts.
- Disrupt WannaCrypt communications with the Internet Firewall.
- Scan incoming files with Threat Protection.
- Prevent the ransomware from spreading, should you be infected, with the WAN Firewall.

Cato customers can stop the phishing vector by immediately enabling URL filtering (Figure 2) and configuring application control policies. Access to any unknown domain should be blocked until all systems are updated and the attack is over, which is likely to take another week or so.

Figure 2: IT should block access to unknown domains by enabling URL filtering in Cato

Application control should be used to block access to TOR nodes, preventing the malware from communicating back to the C&C server (Figure 3).

Figure 3: By configuring Cato’s Internet Firewall to block TOR traffic, IT managers disrupt communications back to C&C servers.

Threat protection should also be enabled to scan every download and payload (Figure 4).

Figure 4: Cato threat protection blocks infected files and messages

Finally, the Cato Cloud should be configured to inspect WAN traffic, preventing WannaCrypt from spreading across the company in the event of an infection (Figure 5). This is done by blocking unnecessary SMB traffic between branches. In the case of an attack, users should be limited to their local site or, if necessary, a VPN, not the entire WAN.

Figure 5: By enabling WAN firewalling, the Cato Cloud can keep WannaCrypt to one location.
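The WAN-side control described above (allow SMB within a site, block it between sites, and watch for a single host fanning out over port 445 the way a worm does) can be checked offline against flow records. The script below is an added example and is not Cato’s code or configuration; the site-to-subnet map, the flow log format and the sample flows are all constructed for illustration, and the fan-out threshold is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

# Hypothetical site-to-subnet map (constructed for this example).
SITES = {
    "hq": ipaddress.ip_network("10.1.0.0/16"),
    "branch-a": ipaddress.ip_network("10.2.0.0/16"),
    "branch-b": ipaddress.ip_network("10.3.0.0/16"),
}

# SMB over TCP (445) and NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = [
    "2017-05-12T18:01:00 10.1.0.5 50001 10.1.0.9 445 tcp",       # intra-site SMB
    "2017-05-12T18:01:02 10.1.0.5 50002 10.2.0.7 445 tcp",       # cross-site SMB
    "2017-05-12T18:01:03 10.1.0.5 50003 10.3.0.7 445 tcp",       # cross-site SMB
    "2017-05-12T18:01:04 10.1.0.5 50004 10.2.0.8 445 tcp",       # cross-site SMB
    "2017-05-12T18:01:05 10.1.0.5 50005 10.2.0.9 445 tcp",       # cross-site SMB
    "2017-05-12T18:01:10 10.2.0.7 50006 10.2.0.20 139 tcp",      # intra-site SMB
    "2017-05-12T18:01:11 10.2.0.7 50007 203.0.113.10 443 tcp",   # ordinary HTTPS
    "2017-05-12T18:01:12 10.1.0.5 50008 10.3.0.8 445 tcp",       # cross-site SMB
]


def site_of(ip):
    """Return the site name whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SITES.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def evaluate(flows, fanout_threshold=5):
    """Apply the WAN policy to each flow and flag hosts that fan out over SMB.

    Returns (verdicts, scanners): verdicts is a list of (flow, action, reason)
    and scanners is the set of source IPs that contacted at least
    fanout_threshold distinct destinations on an SMB port.
    """
    verdicts = []
    smb_fanout = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            verdicts.append((f, "allow", "not SMB"))
            continue
        smb_fanout[f["src"]].add(f["dst"])
        src_site, dst_site = site_of(f["src"]), site_of(f["dst"])
        if src_site is None or dst_site is None:
            verdicts.append((f, "block", "SMB to/from an address outside known sites"))
        elif src_site != dst_site:
            verdicts.append((f, "block", f"cross-site SMB {src_site}->{dst_site}"))
        else:
            verdicts.append((f, "allow", f"intra-site SMB within {src_site}"))
    scanners = {src for src, dsts in smb_fanout.items() if len(dsts) >= fanout_threshold}
    return verdicts, scanners


def summarize(lines, fanout_threshold=5):
    """Run the policy over raw log lines and return (blocked, allowed, scanners)."""
    verdicts, scanners = evaluate([parse_flow(l) for l in lines], fanout_threshold)
    blocked = sum(1 for _, action, _ in verdicts if action == "block")
    return blocked, len(verdicts) - blocked, scanners


if __name__ == "__main__":
    verdicts, scanners = evaluate([parse_flow(l) for l in SAMPLE_FLOWS])
    for f, action, reason in verdicts:
        print(f"{action:5} {f['src']} -> {f['dst']}:{f['dport']}  ({reason})")
    for host in sorted(scanners):
        print(f"ALERT worm-like SMB fan-out from {host}")
```

On the sample flows the policy blocks the five cross-site SMB connections, allows the two intra-site ones and the HTTPS session, and raises a fan-out alert for 10.1.0.5, which reached six distinct SMB destinations. In practice the site map would come from the WAN firewall’s own site definitions, and the fan-out threshold should sit above the number of file servers a normal client legitimately touches.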

About Cato Networks
Cato Networks is rethinking network security from the ground up and into the Cloud. Cato has developed a revolutionary new Network Security as a Service (NSaaS) platform that is changing the way network security is delivered, managed, and evolved for the distributed, Cloud-centric, and mobile-first enterprise. Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, who previously co-founded Check Point Software Technologies and Imperva, and Gur Shatz, who previously co-founded Incapsula.
