The recent WannaCry ransomware cyber-attacks have wreaked havoc on thousands of organizations worldwide.  According to the reports, over 200,000 systems in more than 150 countries were infected in the attack.

Verint is closely monitoring the situation and updating our customers to make sure they have the best protection possible. Analysis into the behavior of the WannaCry ransomware, conducted by the Verint Cyber Research Lab, reveals the following attack storyline:

WannaCry Attack Storyline

From the analysis of the WannaCry malware it is clear that while a phishing campaign may have been the cause of the initial infiltration of networks around the globe, additional attack vectors were at play, causing the virus to spread as it did. To detect complex attacks it is important to cover all of their dimensions: the attack vectors, the infrastructure layers and the stages in the kill chain. For advanced threats, it is essential to cover the trickier parts of the attack chain, including C&C and lateral movement.

WannaCry Ransomware Screenshot

Verint Threat Protection System (TPS) utilizes its sensors deployed across the attack chain, network and endpoints, working together to provide the complete attack storyline of complex threats. Monitoring and identifying the attack at any of the WannaCry attack stages detailed in the attack storyline above (1-6) can help mitigate and contain future attacks as follows:

  • Multiple malicious file detection techniques, including static file analysis, dynamic memory analysis and antivirus inspection of email attachments.
    • For one of the possible delivery mechanisms of the WannaCry malware, a zip file attached to a phishing email (1), unpacking the archive reveals the executable so that it can be blocked.
  • Monitoring network traffic for suspicious communications with external servers and malicious domains based on reputation.
    • In cases where the delivery mechanism is based on malicious PDF files, communication attempts with known infection sites (2) and the HTTP download of the WannaCry ransomware can be detected and acted upon.
    • Once executed, the malware’s initial communication attempts with the “kill switch” domains (3) can be detected, and the infected endpoint blocked.
    • Command & Control encrypted communications over TOR (4) can be detected based on signatures and/or behavior and blocked.
  • Full endpoint monitoring for malicious files, processes, registry changes, communications and memory can identify the malware operating on the endpoint.
    • Once triggered, the WannaCry encryption process (5) can be detected and blocked.
  • Analyzing internal network traffic for lateral movements.
    • Multiple SMB communications (6) originating from the infected endpoint (utilizing the EternalBlue exploit) can be detected and acted upon.
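As an added illustration of two of the network-side detection points above (the kill-switch domain lookups in stage 3 and the SMB fan-out of stage 6), the following Python script runs simple detection logic over constructed DNS and flow logs. It is example code written for this page, not Verint's code or part of TPS; the log format, the host addresses and the domain `killswitch-domain.example` are all made up for the example (the real kill-switch domains are not given on the page), and the fan-out threshold of 10 distinct SMB peers within 60 seconds is an assumed tuning value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder kill-switch list; a real deployment would load the actual domains
# from threat intelligence. The ".example" TLD is reserved and never resolves.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed DNS log (not real telemetry): "<timestamp> <src_ip> query <domain>"
DNS_LOG = """\
2017-05-12T10:00:01 10.0.0.23 query intranet.example.org
2017-05-12T10:00:05 10.0.0.45 query killswitch-domain.example
2017-05-12T10:00:09 10.0.0.23 query update.example.org
"""


def _constructed_flow_log():
    """Build a constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port>"."""
    base = datetime(2017, 5, 12, 10, 1, 0)
    lines = []
    # Infected host 10.0.0.45 reaches 25 distinct internal hosts on TCP/445
    # within 50 seconds: the SMB fan-out pattern of stage (6).
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.45 10.0.0.{100 + i} 445")
    # Benign host 10.0.0.23: repeated SMB to a single file server, plus HTTPS.
    for i in range(3):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.23 10.0.0.5 445")
    lines.append(f"{base.isoformat()} 10.0.0.23 203.0.113.10 443")
    return "\n".join(lines)


FLOW_LOG = _constructed_flow_log()


def parse_dns(text):
    """Return a list of (timestamp, src_ip, domain) from the DNS log."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, domain = line.split()
        out.append((datetime.fromisoformat(ts), src, domain.lower()))
    return out


def parse_flows(text):
    """Return a list of (timestamp, src_ip, dst_ip, dst_port) from the flow log."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return out


def find_kill_switch_queries(dns_events):
    """Stage (3): hosts that looked up a kill-switch domain, as (src_ip, domain)."""
    return [(src, dom) for _, src, dom in dns_events if dom in KILL_SWITCH_DOMAINS]


def find_smb_fanout(flows, window_seconds=60, threshold=10):
    """Stage (6): sources contacting >= threshold distinct hosts on TCP/445
    inside a sliding time window. Returns {src_ip: peak_distinct_peers}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, events in by_src.items():
        events.sort()
        recent = deque()
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:      # evict events outside the window
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    print("kill-switch lookups:", find_kill_switch_queries(parse_dns(DNS_LOG)))
    print("SMB fan-out alerts:", find_smb_fanout(parse_flows(FLOW_LOG)))
```

The fan-out check deliberately counts distinct destinations rather than raw connection volume, so a workstation hammering one file server is not flagged while a host sweeping the subnet on port 445 is; the threshold and window should be tuned against a site's own baseline of SMB behaviour.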

In anticipation of future attacks, organizations clearly need to update perimeter defenses, ensure that all the latest security updates are implemented on the organizational systems, and guide employees to avoid opening suspicious email attachments and clicking on links sent from unknown sources.

But, assuming attackers will eventually find a way through these defenses, a holistic approach to detection and response, covering multiple attack vectors, is the next logical step.  A complete solution must automate the investigation process on every alarm and monitor endpoints, internal and external network traffic, emails and files, in order to contain future attacks before serious damage is done.