How to Stop WannaCrypt Infections with the Cato Cloud

What’s being called the “largest” ransomware attack in history and an “audacious global blackmail attempt,” WannaCrypt broke out Friday evening. In a matter of hours, the ransomware has swept across 45,000 computers in 74 countries.

Like many ransomware attacks, WannaCrypt leverage phishing as an attack vector. But what makes the attack so unusually virulent is how it exploits a vulnerability in the Windows SMB protocol. SMB is used by Windows machines for sharing files and the ransomware uses SMB to spread to other vulnerable devices on a network.

IT managers should take immediate action to protect their users and networks against the ransomware, whose technical name is WCry and has also been referenced by names such as WannaCry, WanaCrypt0r, and Wana Decrypt0r. All Windows-based machines should be updated including industrial devices, such as ATMs, and Windows 10 devices, which were not targeted, by the attack. Detailed steps are provided below.

Attack Vectors

What’s particularly interesting about WannaCrypt is that it uses an “EternalBlue,” an alleged NSA attack that was leaked last month.

EternalBlue exploits the vulnerability in Server Message Block (SMB) version 1 (SMBv1) protocol to spread between machines. More specifically, the attack exploits a vulnerability in the way an SMBv1 server handles certain requests.  By sending an SMBv1 server a specially crafted packet, an attacker could cause the server to disclose information and, at its worst, allow for remote code execution.

Once installed, the ransomware encrypts the files on the machine. Victims are asked to pay $300 to remove the infection (see Figure 1). Some WannaCrypt actors are also dropping “DoublePulsar” onto the machines. DoublePulsar is a “malware loader” used by attackers to download and install other malware.

Figure 1: Sample WannaCrypt screen

The attack was thought to be mitigated by a “killswitch” discovered by a security researcher last week. The security researcher registered a domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com) called by the malware. Seeing a registered domain, the malware stopped its operation.

IT managers should remain vigilant, though. The threat could be easily changed to use a different domain. To date, no such variant has been found, despite earlier claims to the contrary.

What You Can Do

Cato Research recommends that all organizations update their Windows machines (including those running XP and other, unsupported Microsoft versions). Due to the scale of the attack, Microsoft took the unusual step of releasing a patch for older, unsupported Windows versions. The  Microsoft Research team says Windows 10 customers were not targeted by the attack, but the operating system is still vulnerable and should be updated.

In the near term, Cato customers should take four actions until they are certain all systems have been updated and the attack subsides:

  • Use URL Filtering to stop phishing efforts.
  • Disrupt WannaCrypt communications with the Internet Firewall.
  • Scan incoming files with Threat Protection.

Cato customer can stop the phishing vector by immediately enabling URL filtering (Figure 2) and configuring application control policies. Any unknown domain access should be blocked until all systems are updated and attack is over, which is likely to last another week or so.

Figure 2: IT should block access to unknown domain by enabling URL filtering in Cato

Application control should be used to block access to TOR nodes, preventing the malware from communicating back to the C&C server (Figure 3).

Figure 3: By configuring Cato’s Internet Firewall to block TOR traffic, IT managers disrupt communications back to C&C servers.

Threat protection should also be enabled to scan every download and payload (Figure 4).

Figure 4: Cato threat protection blocks infected files and messages


Read more about ‘How to Stop NotPerya