[Incident Response]: How To Stay Protected From A Ransomware Attack like Wannacry?May 14, 2017
More than 99 Countries, Thousands of companies and networks have been hit by a ransomware known as WannaCry. It is one of the most dangerous and potentially destructive cyber attacks we have ever seen.
Some users clicked these photos, which suggests how dangerous and ubiquitous wannacry is. It has affected Airports, Hospitals, Restaurants, Railway Stations also disrupting services for millions of people in the world.
With MS17-010, the attacker is able to use just one exploit to get remote access with system privileges, meaning both steps (Remote Code Execution +Local Privilege Escalation combined) are using just one bug in SMB protocol. Analyzing the exploit-code in Metasploit by Rapid7, the exploit uses ‘KI_USER_SHARED_DATA’ which has a fixed memory address (0xffdff000 on 32 bit Windows) to copy payload to and transfer control to it later.
By remotely obtaining control over victim PC with system privileges without any user action, the attacker can spray this malware in local network by having control over one system inside this network (get control over all system which is not fixed and affected by this vulnerability) and that one system will spread the ransomware in this case all over the Windows systems vulnerable and not patched to MS17-010.
However, This security researcher helped find and activate a kill switch for the ransomware. he purchased a domain which worked as a kill switch for wanna cry, when he purchased it from namecheap for $10.69.
Here’s what happens when you are infected with WannaCry. Windows timer can change Wannacry timer, but we are not sure if it helps increasing time for paying the ransom. Do not try this if you don’t know what you are doing.https://web.archive.org/web/20200210163249if_/https://www.youtube.com/embed/0dt_Ot6mmc0?feature=oembed
[Update:] The creators of Wannacry changed the code and the new variant has no such feature as ‘kill switch ‘
So I can only add”accidentally stopped an international cyber attack” to my Résumé. ^^
— MalwareTech (@MalwareTechBlog) May 13, 2017
Turning off windows SMB service from windows features can also help in case of WannaCry/ WannaCrypt.
We will suggest some Incident Response tips, to make you ready for such attacks.
this tips are applicable for any Malware/Ransomware attack.
Let’s understand what is a Ransomware and how is it different from other malware types?
What is a Ransomware?
ARansomware is a type of malware that renders the victim’s computer or specific files unusable or unreadable, and demands a ransom from the victim in return for a cryptographic key which can be used to restore the computer or decrypt the encrypted files.
Here’s our guide for How to prevent ransomware?
How to stay protected against Ransomware Attacks?
We recommend taking the following measures to reduce the risk of infection: Some of these tips are for organizations having large networks.
1. Keep Auto Updates feature ‘on’ for your windows systems.
2. Ensure that security solutions are switched on all nodes of the network
3. Patch the systems regularlyBecause malware often enters systems through known vulnerabilities, the best step you can take to bolster defences is to aggressively patch your systems. This is, of course, one of SANS Institute’s Top 20 Critical Security Controls for Effective Cyber Defence: continuous vulnerability assessment and remediation. By eliminating vulnerabilities, the malware may not have a way to get on any of your computers in the first place.
4. Create and protect your backups
Ransomware destroys backup files and encrypts regular files, and this puts your organisation in a world of hurt. Therefore, it’s imperative to frequently back up all documents to a location that can’t be affected by the ransomware (e.g., to offline storage) and then verify that these files can be restored easily if needed. Even network shares or cloud storage may not be entirely safe, as files that have already been encrypted or corrupted by the ransomware could be automatically backed up to the network or the cloud, also corrupting the files in those storage locations.
Keep backup files in external hard drives, which are kept safe, isolated from a network/computer.
5. Connect with intelligence sources
Another big step during the preparation phase is to connect with industry intelligence and threat intelligence sources or industry lists specific to crimeware or ransomware and regularly feed those indicators back into detection mechanisms such as intrusion detection systems (IDS).
6. Protect your endpoints
Your organisation can deploy endpoint protection tools that have the ability to detect and automatically respond to infections in the early stages. Tools such as LogRhythm System Monitor, among others, can be used to detect these infections early and respond to them automatically and quickly so that they don’t become big incidents.
7. Educate users:
training is an effective means to teach people to avoid falling victim to phishing email messages that plant malware in the first place. Many attackers rely on social engineering tactics that are growing more and more sophisticated. End users need to know what to expect and what to look for in their messages to avoid infection.
8. Using tools like McAfee Ransomware Interceptor
Interceptor is a free Anti-Ransomware tool by McAfee. Interceptor is an early detection tool that prevents file encryption attempts by ransomware malware. This tool leverages heuristics and machine learning to identify such malware. so it doesn’t require updates or internet. It can save you from almost any kind of(not only WannaCry) ransomware attack.When we executed the locky ransomware Ransom: Win32/Locky.A in presence of McAfee Ransomware Interceptor. It stopped the execution process of the EXE file.
Download and install McAfee Ransomware Interceptor from this page: https://www.mcafee.com/uk/downloads/free-tools/interceptor.aspx
McAfee Ransomware Interceptor Stopped execution of Locky ransomware
9. Stop ransomware before the endpoint:
The most-proactive method of protecting a network from ransomware attack (other than the human firewall) is to keep ransomware from reaching the endpoint in the first place. Consider a web-filtering technology.
10. Apply all current operating system and application patches:Many ransomware strategies take advantage of vulnerabilities in the operating system or in applications to infect an endpoint. Having the latest operating system and application versions and patches will reduce the attack surface to a minimum.
11. Spam filtering and web gateway filtering:Again, the ideal approach is to keep ransomware off the network and the endpoint. Spam filtering and web gateway filtering are great ways to stop ransomware that tries to reach the endpoint through malicious IPs, URLs, and email spam.
12. Allow only whitelisted items to execute:Use an “application control” method that offers centrally administered whitelisting to block unauthorized executables on servers, corporate desktops, and fixed-function devices, thus dramatically reducing the attack surface for most ransomware.
13. Limit privileges for unknown processes:
This can be done easily by writing rules for host intrusion prevention systems or access protection rules.14. Containment:Look for signs of encryption and notifications. In the case of a targeted attack, make sure you have fully scoped the incident, then quickly develop a containment plan. Unlike mass distribution where you are usually dealing with one, two, or maybe a few hosts that are infected, a targeted attack is usually going to affect more systems. Therefore, you must scope the extent of the full attack.
15. Eradication: Replace, rebuild or clean machines
We usually recommend that machines be replaced rather than cleaned. As with any type of malware, it’s difficult to know if residual files are hidden on the system and able to re-infect devices. However, for network locations such as mailboxes or file shares, sometimes it is more relevant to clean those locations,remove the malicious email message from the mailbox, or remove the ransomware instructions from the file share. If you choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.
Kill the running processes and isolate the afflicted endpoint.
You can also Look for decryption tools available by antivirus companies like McAfee, Kaspersky, AVG etc.
such as https://noransom.kaspersky.com/
16. Restore from a clean backup
For recovery, the number one task is going to be restoring from backup. If you have those good verified backups, any ransomware event can really be made into a non-issue by simply replacing or cleaning your systems and recovering from backups. You may be down for a couple of hours because of the time required to restore from backup, but it shouldn’t be a big multi-day issue that you have to deal with.
17. Look for the infection vectorIn most ransomware investigations, you usually want to complete your recovery phase by doing a full investigation into what specific infection vector was used against the system. Was it a phishing email, or was it a web-based attack kit? If it was a web-based attack kit, how did that user get to that webpage?
Analysts have seen a number of victims where they were doing nothing more than using Google to search for self-help IT questions. When the people went to a seemingly harmless response page, they were redirected to strategically compromised websites that then infected them via the Angler exploit kit. Knowing how the ransomware came onto your system can help you better prime your defence systems and direct your detection mechanisms in the future.
18. Notify law enforcement if appropriateIf it a large organization having an incident, which caused leak of massive personal data of public or other third parties, they are required to contact the law enforcement.
19. System Restore
System Restore is “a feature in Microsoft Windows that allows the user to revert their computer’s state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems.” If the System Restore function was enabled on your infected operating system before, this method may work.
20. The No More Ransom Project
Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.
The “No More Ransom” website https://www.nomoreransom.org/ is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties.21. AntivirusEnsure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on AV solution. Get the details with regards to the name of the malware and verify if this malware has been detected in the logs for last 1 week.
22. Intrusion Prevention System (IPS)Ensure IPS signatures are updated. Verify if the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode. Get the details with regards to the name of the Signature and verify if this Signature has been detected in the logs for last 1 week.
23. E-Mail GatewayEnsure eMail Gateway solutions has all relevant updates for detecting possible mails that may bring the Trojan in the environment.
24. ProxyEnsure Proxy solution has updated database. Block IOCs for IP Address and Domain names on the Proxy.Verify last one week logs for the IOCs on Proxy and take action on sources of infection. 25. FirewallBlock the IP addresses on Perimeter Firewall. Verify logs for last one week.
26. Anti – APT SolutionsEnsure signatures are up to date. Check for possible internal sources of infection and take actions.
27. SIEMCheck logs to verify if any of the Incications Of Compromises have been detected in 1 week logs.If required, raise case with OEM for getting details. All changes to follow proper approvals and change management process. I Hope these tricks will help you stay protected against ransomware attacks! Share this article to your friends, they may need it soon!
how to prevent ransomware
free ransomware removal tool
how does ransomware work