
WannaCry | Resolve Launches WanaCryptor Detection and Triage Playbook

May 13, 2017 • Resolve Staffer


On Friday, May 12, 2017, large-scale attacks distributing the WanaCrypt0r ransomware were launched against public and private organizations, infecting more than 230,000 computers in over 150 countries. Also known as Wanna, WannaCry or WCry, WanaCrypt0r is a worm that takes advantage of a vulnerability (CVE-2017-0147) in SMB v1 for which Microsoft provided a patch in March 2017 (MS17-010).


A lot of misinformation about how WanaCrypt0r propagates is circulating around the internet, namely that the ransomware is spread via typical social engineering techniques like phishing. The reality is that WanaCryptor does not require user interaction to infect a host. WanaCryptor is a ransomware payload grafted onto a vulnerability discovered by the NSA and released by the hacker group “The Shadow Brokers”. The payload contains a network scanner used to identify systems on which the wormable SMB v1 vulnerability is present, and then self-propagates to them. This is how the ransomware spread across the globe so quickly.

Resolve WanaCrypt0r with Intelligent Incident Response and Human-Guided Automation

Resolve Systems, an enterprise-wide Incident Response and Automation platform, uses a unique incident resolution approach that blends a standardized security response process (with step-by-step instructions and machine-assisted decision support) with interactive automations as part of the investigation and remediation process. Security analysts remain in control of the process, but can still execute automations as part of it to complete tasks.

Resolve offers a collection of security incident response playbooks that help security and IT teams implement best-in-class processes with ease. In addition to being fully customizable, our playbooks frequently include interactive automations to greatly accelerate incident diagnostics and triage.

WanaCrypt0r Detection and Triage Playbook


WannaCry is a ransomware computer worm (also known as WanaCrypt0r, WannaCrypt or Wanna Decryptor) that targets the Microsoft Windows operating system, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.

Ransomware is typically propagated using social engineering techniques such as email phishing; however, this is not the case for WanaCrypt0r. WanaCrypt0r is a ransomware worm designed to spread through local networks and to remote hosts that have not installed Microsoft patch MS17-010, directly infecting any exposed systems.

This playbook is designed to provide security teams with prescriptive guidance and automated processes based on NIST SP 800-61 r2 incident response guidance to effectively and expediently detect and triage WanaCrypt0r.

Security Incident Response Playbook Phases and Activities

Resolve WanaCrypt Triage


  • Identify target systems and owners
  • Notify owners of WanaCrypt0r threat

Detection & Analysis

  • Identify systems that are missing MS17-010, have SMB v1 enabled, and expose open NetBIOS ports
  • Validate that NetBIOS, RDP and TOR are blocked at the perimeter
  • Check IDS/IPS for WanaCrypt0r, MS17-010 and EternalBlue alerts
  • Check web content filter for traffic to WanaCrypt0r kill-switch domains
  • Conduct hunt for WanaCrypt0r IOCs

Containment, Eradication & Recovery

  • Block NetBIOS, RDP, and TOR on perimeter firewall
  • Isolate systems containing WanaCrypt0r IOCs or communicating to kill-switch domains
  • Eradicate infection with anti-malware or recover from backup
  • Disable SMB v1 on vulnerable systems
  • Deploy MS17-010 to vulnerable systems
  • Deploy WanaCrypt0r IOCs to prevent binary execution

Post-Incident Activity

  • Conduct incident review and lessons learned
  • Implement updated policies
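As an added example (not Resolve's code or the playbook's own automations), the script below runs the first Detection & Analysis check and the kill-switch hunt over a constructed host inventory and web-filter log, then maps each flagged host to its owner and the matching containment step. The inventory field names, the log format and the kill-switch domain are assumptions; the domain is a placeholder, not the real IOC.

```python
import re
from urllib.parse import urlsplit

# NetBIOS name/datagram/session ports plus direct-hosted SMB (what the worm's scanner looks for).
NETBIOS_SMB_PORTS = {137, 138, 139, 445}
# Placeholder only; load the real kill-switch domain list from your threat intel feed.
KILL_SWITCH_DOMAINS = {"kill-switch-domain.example"}

# Constructed host inventory; field names are assumed, not a Resolve schema.
INVENTORY = [
    {"host": "ws-01", "owner": "alice", "patches": ["MS17-010"], "smb1": True, "open_ports": [139, 445]},
    {"host": "ws-02", "owner": "bob", "patches": [], "smb1": True, "open_ports": [445]},
    {"host": "ws-03", "owner": "carol", "patches": [], "smb1": False, "open_ports": [445]},
    {"host": "srv-01", "owner": "dave", "patches": [], "smb1": True, "open_ports": [3389]},
]

# Constructed web-filter log: timestamp, source host, method, URL, status.
PROXY_LOG = """\
2017-05-12T10:01:02 ws-02 GET http://kill-switch-domain.example/ 200
2017-05-12T10:01:05 ws-01 GET http://intranet.example/ 200
malformed line that the parser must skip
2017-05-12T10:02:09 srv-01 GET http://kill-switch-domain.example/ 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def exposed_hosts(inventory):
    """Hosts missing MS17-010 with SMB v1 enabled and a NetBIOS/SMB port open."""
    return sorted(h["host"] for h in inventory
                  if "MS17-010" not in h["patches"] and h["smb1"]
                  and NETBIOS_SMB_PORTS.intersection(h["open_ports"]))


def kill_switch_contacts(log_text, domains=KILL_SWITCH_DOMAINS):
    """Hosts whose web traffic reached a kill-switch domain (evidence the worm ran there)."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and urlsplit(m["url"]).hostname in domains:  # skip malformed lines, keep hunting
            hits.add(m["host"])
    return sorted(hits)


def triage(inventory, log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each flagged host to its owner and the playbook action; IOC hits outrank exposure."""
    owners = {h["host"]: h["owner"] for h in inventory}
    actions = {}
    for host in exposed_hosts(inventory):
        actions[host] = {"owner": owners[host], "action": "notify owner; disable SMB v1; deploy MS17-010"}
    for host in kill_switch_contacts(log_text, domains):
        actions[host] = {"owner": owners.get(host, "unknown"), "action": "isolate; eradicate or restore from backup"}
    return actions
```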

About the Author, Resolve Staffer:

This post was written by one of the awesome contributors on the Resolve team.
