Wanna Cry? The anatomy of the recent attack
  • Table of contents

The author

user_image
Gil

Table of contents

Related Articles

Research

Facebook Hidden Friends Vulnerability (With “fb-hfc” released)

We reported the hidden friends vulnerability to Facebook; this lets attackers reconstruct the private Friends...
May 29, 2014
Learn more
Tech Talks

Welcome to The Cyber Feed

Over the past three decades, IT security solutions have developed to effectively secure most networks...
Jun 30, 2015
Learn more
Tech Talks

Wanna Cry? The anatomy of the recent attack

May 18, 2017

Last weekend, in the biggest attack of its kind ever recorded, the ransomware known as WannaCry/WanaCrypt0r 2.0 has swept organizations of all shapes and sizes across 167 countries.

WannaCry was designed to exploit vulnerabilities in poorly maintained IT systems running outdated software. Perhaps, the most shocking revelation is the fact that numerous organizations, including in healthcare and telecom sectors such as Britain’s NHS and Spain’s Telefonica, have failed implement the ABC’s of cybersecurity to protect themselves from cyberattacks. WannaCry attack could have been easily prevented by implementing basic cybersecurity procedures, such as keeping the security patches up to date.

Despite escalating ransomware attacks over the last year, organisations have been slow to update the cyber security or take basic precautions.

Friday’s attacks should be seen as a wake-up call. Perhaps more than anything else, the recent ransomware onslaught is a resounding reminder of the importance of threat intelligence and cyber-readiness for organizations of all shapes and sizes.

The exploit has been known for a while

The vulnerability has been known to cybersecurity professionals for a couple of months. The patch was released by Microsoft in March this year. And yet, many organizations have failed to install the necessary updates on their Windows systems.

The anatomy of the attack

From our CyberOPS team’s initial assessment of the ransomware campaign, the original infection method appears to be via a JS file that triggers a Dropper from several locations in the Tor network.

The infecting URL is (“http://www{}iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea{}com“).

After the infection takes place the Ransomware leverages the Microsoft Windows vulnerability MS17-010 to propagate in the network.

MS17-010 covers six separate remote code execution vulnerabilities in Windows SMB. For more details, please follow this link to Microsoft information on the MS17-010: https://technet.microsoft.com/enus/library/security/ms17-010.aspx

The published exploit allows 6 different types RCE attacks against SMB V1 &2.

How companies can protect themselves?

Back to the basics

Here are the basic precautions to avoid becoming a victim of a WannaCry-like ransomware attack:

  1. Anti-Virus  software must be up to date and fully functioning.
  2. OS and Security systems updates – the operation system and all security systems must be up to date with the latest security updates.
  3. Mail server policy – Block emails with: CAB, MSI, EXE, SCR, BAT, ZIP, RAR attachments.
  4. Employee awareness – with awareness training you can prevent most of the phishing and websites infections.
  5. Advertiser block – use a third party software to prevent accidently clicking a malware popup.
  6.  Use internet explorer 11+ smart-screen and other security add-ons, it is slower but safer than ChromeFirefox.
  7. Backups – the most important of all, backup your data on external storage. Having a viable backup will enable a successful incident response, leaving attackers high and dry and unable to collect money for their evil doings.

Going beyond the perimeter

Aside from carrying out basic security procedures to safeguard the traditional security perimeters of their IT systems, organisations must extend their cybersecurity efforts beyond the perimeter

Illuminating The Dark Web

The malicious software used to execute last Friday’s widespread cyberattack was easily available on the Dark Web. Shadow Brokers, the notorious hacker collective, have claimed earlier this year that they had acquired “a cyber weapon” from a US government agency.

The Dark Web is filled with hackers offering malware for sale. Some are so sophisticated they even have 24-hour helplines to help cyber criminals deploy the illicit software. Combined this with the extensive hacking capabilities of threat actor groups such as Lazarus and you get one of the largest cyber attacks the world has ever seen.

The importance of scanning the Dark Web for threat intelligence cannot be underestimated. Often, companies are even unaware that their stolen data is being openly traded on the Dark Web until they are informed by third parties.

The WannaCry massive attack should truly be a wake-up call for organizations of all sizes. It is time to take cybersecurity off the backburner, and make sure that all your bases are covered.  For more information about what can be done to prevent ransomware attacks against your organization, download the full report.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start