Recommendations and Best Practices for Ransomware WannaCry
The massive attack of last Friday, May 12, is by now known worldwide: the WannaCry/WannaCrypt0r ransomware has spread across the globe. Below we set out a series of recommendations and good practices for dealing with it.
The massive attack of last Friday, May 12, is by now known worldwide. A ransomware family known as WannaCry/WannaCrypt0r has spread across the globe, exploiting a vulnerability for which Microsoft published a fix on March 14, 2017, in security bulletin MS17-010; the exploit used against it is known as “EternalBlue.”
How has it spread?
WannaCry behaves like a worm: it tries to propagate across the network on its own. To do so it uses the “EternalBlue” exploit against a flaw in version 1 of the SMB protocol (SMBv1), one of the six SMBv1 vulnerabilities fixed by MS17-010 (EternalBlue is commonly tracked as CVE-2017-0144). It scans both the internal network and external addresses, opening connections to TCP port 445 in search of unpatched machines.
What happens once a machine is infected?
When the malicious code runs on a machine, WannaCry first checks whether a specific domain is reachable on the Internet (the so-called “kill switch”); if the request succeeds, it simply exits. If it does not, the malware installs itself: it creates system services and Windows registry entries, starts several threads for its different tasks, and finally encrypts every file matching its extension list on every drive it finds on the infected system, mapped network drives included. In parallel, it tries to infect new machines as described in the previous point.
Is it still spreading?
At the moment its spread has been partially halted: the domain that WannaCry queries has been registered by a cybersecurity researcher, so infected machines that can reach it now trip the kill switch and stop.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
However, it is important to be prepared, as there have been reports of new variants that carry no “kill switch.” Note also that the kill switch only helps when the infected machine can actually reach the domain: a host without direct Internet access, or one that can only get out through a proxy (the usual situation on a plant network), fails the check and proceeds to encrypt regardless of whether the domain is registered.
Can it affect my plant PCs?
The answer is yes; in fact, these are the PCs that tend to be the most vulnerable, because of the lack of updating and patching they suffer and the widespread use of old operating systems.
Without the patch, every Windows version in use at the time is affected (MS17-010 covers Vista and Server 2008 through Windows 10 and Server 2016), and on May 13, 2017, Microsoft also released out-of-band fixes for the no-longer-supported Windows XP, Server 2003 and Windows 8. The worm's exploit, however, is aimed squarely at the older line: Windows XP, Vista, 7, Server 2003, Server 2008 and Server 2012. These are precisely the operating systems that are widespread on the plant floor, and on which automatic patch installation tends to be switched off.

What should I do?
The actions below are grouped into two blocks: prevention and detection.
1. Prevention Actions
a. Immediately install the Microsoft patch for the MS17-010 vulnerability:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
b. Disable legacy protocols, SMBv1 first of all.
c. Block inbound connections to the SMB ports (TCP 139 and 445) from hosts outside the network.
d. Isolate, as far as possible, computers running unsupported Windows versions.
e. Update the antivirus signature databases.
f. Take backups of the systems and keep them current (and kept offline, as the best practices below explain).
g. Deploy additional protection (application whitelisting, exploit mitigation, network IPS) in front of endpoints that cannot be patched.
h. Do not use accounts with administrator permissions.
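The three technical steps above (patch, disable SMBv1, restrict the SMB ports) can be applied and checked from an elevated PowerShell prompt on the affected host. The following script is an added example written for this article, not a tool from Microsoft or CCN-CERT. The plant subnet, the `$NeedsSmbIn` switch and the KB list are assumptions to adjust for your site; the KB numbers listed are the MS17-010 packages for Windows 7 / Server 2008 R2 and the May 2017 out-of-band package for XP, Server 2003, Vista, Server 2008 and Windows 8, and should be confirmed against the bulletin for your exact build.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not Microsoft's or CCN-CERT's code): applies
# prevention steps a, b and c to the local host and prints what it finds.
# Edit the assumptions block; reboot afterwards on Windows 7 / 2008 R2 and older.

# ---- Assumptions: edit for your site ------------------------------------
$PlantSubnet = '10.10.0.0/16'   # hypothetical plant LAN still allowed to reach SMB on this host
$NeedsSmbIn  = $false           # $true only if this host really serves files to other machines
# MS17-010 packages for the OS families common on the plant floor. Windows 10
# and Server 2016 receive the fix inside cumulative updates, so Get-HotFix
# will not show these IDs there; check the build/patch level instead.
$Ms17010Kbs  = @('KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2
                 'KB4012598')               # XP, Server 2003, Vista, Server 2008, Windows 8

# ---- a. Is the MS17-010 fix installed? ----------------------------------
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Host "MS17-010 package present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package from the list is installed: patch before anything else.'
}

# ---- b. Disable SMBv1 (server and client side) -------------------------
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the switch as a cmdlet
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2 / Vista / Server 2008: registry switch from
    # Microsoft KB2696547; it takes effect after a reboot
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}
# Client side (same KB): drop the SMB1 redirector from the workstation service's
# dependencies and disable it. Use sc.exe, not the PowerShell alias 'sc'.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# ---- c. Restrict inbound SMB (TCP 139/445) ------------------------------
# Windows Firewall blocks inbound by default; the built-in "File and Printer
# Sharing" rules are what open 139/445. Disable those and, only if this host
# must serve SMB, allow 445 back in from the plant subnet alone.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall set rule name="File and Printer Sharing (SMB-In)" new enable=No | Out-Null
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new enable=No | Out-Null
netsh advfirewall firewall delete rule name="SMB-In from plant subnet only" | Out-Null
if ($NeedsSmbIn) {
    netsh advfirewall firewall add rule name="SMB-In from plant subnet only" dir=in action=allow `
        protocol=TCP localport=445 remoteip=$PlantSubnet | Out-Null
}

# ---- Verify -------------------------------------------------------------
$smb1 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -ErrorAction SilentlyContinue
Write-Host "LanmanServer SMB1 = $($smb1.SMB1)   (0 = disabled; no value = default, i.e. enabled)"
netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)" | Select-String 'Enabled'
```

Two caveats a practitioner should keep in mind: `Get-HotFix` only lists packages that are still visible as separate hotfixes, so on cumulative-update systems a miss means "check the build level", not "unpatched"; and disabling SMBv1 breaks communication with any device that only speaks SMBv1 (old NAS boxes, some HMI and historian software), so inventory those before rolling the change out across the plant. The host firewall rules here are a backstop: the block of external access to 139/445 in step c belongs first of all on the perimeter firewall.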
2. Detection Actions
a. Deploy IDS/IPS systems on the network, with updated signatures, to detect “EternalBlue” exploitation attempts.
b. Verify that the endpoints have the latest signatures.
c. Verify that there is no Tor traffic on our network; WannaCry contacts its command-and-control servers over Tor, so such traffic can indicate an infection.
d. Check the DNS logs for lookups of the kill-switch domain and other indicators related to the malware.
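Checks c and d, plus the port 445 scanning described under “How has it spread?”, can be run over exported resolver and firewall logs. The script below is an added example written for this article, not code from the original or from any vendor. The two log line formats, the hosts, and the kill-switch domain list are constructed assumptions: put the published kill-switch domain(s) into `$KillSwitchDomains` and adapt the field positions to your own log exports.

```powershell
# Added example for this article (not from the original or any vendor): runs
# detection checks over constructed log lines. Log formats, hosts and the
# kill-switch domain list are assumptions; adapt them to your own exports.

# Assumption: domains WannaCry resolves before deciding whether to run. Put the
# published kill-switch domain(s) here; a placeholder keeps this runnable offline.
$KillSwitchDomains = @('killswitch-placeholder.example')

# Lookups of the kill-switch domain: a client that asks for it has executed the
# dropper, whether or not the request then succeeded.
function Find-KillSwitchLookups {
    param([string[]]$Lines, [string[]]$Domains)
    # Expected line shape (constructed): "<date> <time> <client-ip> <qtype> <name>"
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $name = $f[4].TrimEnd('.').ToLowerInvariant()
        if ($Domains -contains $name) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Client = $f[2]; Domain = $name }
        }
    }
}

# Worm-style scanning: one source opening TCP 445/139 to many distinct hosts in a
# short window. Blocked attempts count too; the scan, not the success, is the signal.
function Find-SmbScanners {
    param([string[]]$Lines, [int]$MinTargets = 10, [int]$WindowSeconds = 60)
    # Expected line shape (constructed): "<date> <time> <src-ip> <dst-ip> <dport> <ALLOW|DROP>"
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6 -or ($f[4] -ne '445' -and $f[4] -ne '139')) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [Globalization.CultureInfo]::InvariantCulture)
            Src  = $f[2]
            Dst  = $f[3]
        }
    }
    foreach ($g in ($events | Group-Object Src)) {
        $sorted = @($g.Group | Sort-Object Time)
        # Sliding window anchored on each event: distinct destinations within WindowSeconds
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $targets = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $MinTargets) {
                [pscustomobject]@{ Source = $g.Name; FirstSeen = $sorted[$i].Time
                                   Targets = $targets.Count; Window = "${WindowSeconds}s" }
                break   # one alert per source is enough
            }
        }
    }
}

# ---- Constructed sample data -------------------------------------------
$dnsLog = @'
2017-05-12 09:58:02 10.10.4.21 A killswitch-placeholder.example.
2017-05-12 09:58:03 10.10.4.21 A update.microsoft.com
2017-05-12 10:01:47 10.10.7.9 A KILLSWITCH-PLACEHOLDER.EXAMPLE
2017-05-12 10:02:10 10.10.2.3 A fileserver.plant.local
'@ -split "`r?`n"

# 10.10.4.21 sweeps 10.10.9.1-15 on 445 within 15 seconds; 10.10.2.3 is a
# normal client talking to a single file server.
$fwLog = @(
    foreach ($n in 1..15) { '2017-05-12 10:00:{0:d2} 10.10.4.21 10.10.9.{1} 445 DROP' -f $n, $n }
) + @(
    '2017-05-12 10:00:05 10.10.2.3 10.10.1.10 445 ALLOW',
    '2017-05-12 10:03:40 10.10.2.3 10.10.1.10 445 ALLOW'
)

"== Kill-switch lookups =="
Find-KillSwitchLookups -Lines $dnsLog -Domains $KillSwitchDomains | Format-Table -AutoSize
"== Hosts sweeping SMB ports =="
Find-SmbScanners -Lines $fwLog | Format-Table -AutoSize
```

On the sample data the first check reports 10.10.4.21 and 10.10.7.9, and the second flags 10.10.4.21 (15 distinct targets in 15 seconds) while leaving the ordinary client alone. For check c, do not rely on port numbers (9001/9030) to spot Tor, since Tor relays also listen on 443; match destination addresses against a current list of relay IPs instead.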
What best practices can I adopt to prevent Ransomware?
Finally, taken directly from the CCN-CERT document “Buenas Prácticas CCN-CERT BP-04/16,” which I find very complete, here is a list of good practices that should always be kept in mind as far as possible to prevent the infection and spread of ransomware.
- Maintain periodic backups of all important data. Keep these copies isolated and without connectivity to other systems, so that infected computers cannot reach them.
- Keep the system updated with the latest security patches, both for the operating system and for the software installed on it.
- Maintain a first line of defense with the latest malicious code signatures (antivirus), together with a correct configuration of application-level firewalls (based on whitelists of allowed applications).
- Have antispam systems at the email level and set a high filtering level; this reduces the chances of infection through mass ransomware campaigns sent by email.
- Establish security policies on the system that prevent the execution of files from the directories ransomware commonly uses (AppData, Local AppData, etc.). Tools such as AppLocker, CryptoPrevent or the CryptoLocker Prevention Kit make it easy to create these policies.
- Block traffic to C2 domains and servers with an IDS/IPS, preventing communication between the malicious code and its command and control server.
- Establish defense in depth with tools such as EMET, a solution that mitigates exploits (including 0-days). Note that Microsoft retired EMET in July 2018; on Windows 10 its role is taken by the built-in Exploit Protection.
- Do not use accounts with administrator privileges, which reduces the potential impact of a ransomware's actions.
- Maintain access control lists for network-mapped drives. In case of infection, encryption will reach every network drive mapped on the victim's computer, so restricting write privileges on the network will partially mitigate the impact.
- The use of a JavaScript blocker for the browser, such as “Privacy Manager,” is recommended; it prevents the execution of scripts that could damage our computer and so reduces the chances of infection from the web (Web Exploit Kits).
- Show extensions for known file types, in order to identify executable files that could pass themselves off as another type of file.

Additionally, it is recommended to install the “Anti Ransom” tool, which tries to block a ransomware's encryption process by monitoring “honey files.” This application also takes a memory dump of the malicious code at the moment it runs, in which, with luck, the encryption key in use can be found.
Finally, the use of virtual machines avoids ransomware infection in a high percentage of cases: because of the anti-debugging and anti-virtualization techniques commonly present in this type of malicious code, its payload often does not run in a virtualized environment. Treat this as a side effect of the malware's evasion logic rather than as a control: not every family checks for virtualization, and a VM needs the same patches and backups as a physical machine.
As a final conclusion, it is important to keep in mind that new attacks are expected, and for that reason adopting security measures to prevent and detect this type of attack matters. It is also worth adding that the human factor plays a crucial role, since social engineering tends to be one of the key factors.