On Friday, May 12, 2017, large scale attacks distributing the WanaCrypt0r ransomware were launched against public and private organizations, infecting more than 230,000 computers in over 150 countries. Also known as Wanna, WannaCry or WCry, WanaCrypt0r is a worm that takes advantage of a vulnerability (CVE-2017-0147) in SMB v1 that Microsoft provided a patch for in March 2017 (MS17-010).
A lot of misinformation about how WanaCrypt0r is propagated and circulating around the internet, namely that the ransomware is spread via typical social engineering techniques like phishing. The reality is that WanaCryptor does not require user interaction to infect a host. WanaCryptor is a ransomware payload grafted onto a vulnerability discovered by the NSA and released by the hacker group “The Shadow Brokers”. The payload contains a network scanner used to identify systems with wormable vulnerability present in SMB v1 and then self propagate. This is how the ransomware spread across the globe so quickly.
Resolve Systems, an enterprise-wide Incident Response and Automation platform utilizes a unique incident resolution approach that blends together a standardized security response process with step-by-step instructions and machine assisted decision support with interactive automations as a part of the investigation and remediation process. Security analysts are in control of the process but can still leverage and execute automations as a part of the process to complete tasks.
Resolve offers a collection of security incident response playbooks that help security and IT teams implement best-in-class processes with ease. In addition to being fully customizable, our playbooks frequently include interactive automations to greatly accelerate incident diagnostics and triage.
The WannaCry ransomware attack is a ransomware computer worm (WanaCrypt0r, WannaCrypt, WannaCry, Wanna Decryptor) that targets the Microsoft Windows operating system, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.
Ransomware is typically propagated using social engineering techniques such as email phishing; however, this is not the case for WanaCrypt0r. WanaCrypt0r is a ransomware worm designed to spread through local networks and remote hosts, which have not installed Microsoft patch MS17-010, to directly infect any exposed systems.
This playbook is designed to provide security teams with prescriptive guidance and automated processes based on NIST SP 800-61 r2 incident response guidance to effectively and expediently detect and triage WanaCrypt0r.
Preparation
Where is automation heading? Business leaders track the latest trends.
Learn how Resolve addresses alert overload with auto-remediation