Remain calm and batten down the hatches
You’ve likely heard of the “WannaCry” ransomware, which has already caused mayhem since it appeared in the wild recently. Ransomware is not a new phenomenon, and here at Corvil we’ve been helping clients tackle ransomware infections for some time, but this particular WannaCry strain has a unique combination of capabilities that make it extremely dangerous. Most significantly, this strain combines the common capabilities of ransomware (file encryption, bitcoin as payment method, Tor usage for anonymization) with the capabilities of a worm (rapid, continuous, automated spread of infection from host to host). This means that if an organization is unfortunate enough to have an infected host appear on its network, the end result could be as severe as an organization-wide takedown of all connected Windows hosts and, more critically, significant loss of invaluable and sensitive data.
Prevention is always better than cure, so first verify that firewalls are blocking external traffic to SMB ports 139 and 445, to help mitigate the risk of this ransomware strain gaining a foothold. Also, with urgency, ensure Windows-based hosts are patched, and consider disabling SMB v1 on them if it is not needed.
Turn on the lights and secure from within
Effective cyber security is all about layered defense, since we know there is a high likelihood that threats such as WannaCry will eventually find their way past the first lines of defense. A good example of how this can occur is an unmanaged (no IT-deployed anti-malware software and missing the latest Windows patches), infected laptop connecting directly to the corporate network.
For this reason, it is essential to continuously monitor for early warning indicators of malicious activity on internal networks. This way, if it does appear, Security and IT teams will be in a position to respond fast, minimizing the disastrous impact this threat is capable of.
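The worm behaviour described above, one host opening SMB connections to many other internal hosts in quick succession, is something a network monitor can flag. The following is an added example, not Corvil’s code: a minimal detector over constructed flow records that alerts on external sources reaching internal SMB ports and on internal hosts whose SMB fan-out exceeds an assumed threshold within a time window (the address ranges, window and threshold are assumptions).

```python
# Added example (not Corvil's code): flag worm-like SMB fan-out and
# external-to-internal SMB traffic over constructed flow records.
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORTS = {445, 139}
# Assumed corporate address ranges; adjust to the real environment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW_SECONDS = 60       # assumed sliding window
FANOUT_THRESHOLD = 10     # assumed: distinct SMB peers per window that looks like a sweep

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.1.5", "10.0.1.20", 445),      # normal file-share use, one peer
    (5, "10.0.1.5", "10.0.1.20", 445),
    (10, "203.0.113.9", "10.0.1.7", 445),   # external host reaching SMB: firewall gap
] + [(20 + i, "10.0.2.77", f"10.0.2.{100 + i}", 445) for i in range(12)]  # worm-like sweep


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {'external_smb': set of external sources, 'smb_fanout': set of sweeping hosts}."""
    alerts = {"external_smb": set(), "smb_fanout": set()}
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...] in time order
    for ts, src, dst, port in sorted(flows):
        if port not in SMB_PORTS:
            continue
        if not is_internal(src) and is_internal(dst):
            alerts["external_smb"].add(src)  # should have been blocked at the perimeter
            continue
        events[src].append((ts, dst))
    for src, evs in events.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` seconds of this source's SMB activity
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct_peers = {dst for _, dst in evs[start:end + 1]}
            if len(distinct_peers) >= threshold:
                alerts["smb_fanout"].add(src)
                break
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS))
```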
So what WannaCry tell-tale signs can be monitored for?
It is essential that, if such signs are detected, Security and IT teams can respond rapidly to understand the bigger picture: which hosts are infected, what other malicious activity may be occurring on those hosts, and what data has been encrypted. Lastly, in the worst-case scenario where critical files have been encrypted and backups are not available, IT teams may need a last-resort way to recover them.
How Corvil can help
Within minutes of deployment, Corvil performs comprehensive automated real-time decoding and analytics of internal network traffic, which gives Security and IT teams unique benefits when it comes to mitigating the risks associated with WannaCry:
| Challenge | How Corvil Helps |
|---|---|
| Find unpatched/unmanaged Windows hosts that are vulnerable to compromise. | Automatic discovery and traffic analysis for all hosts on the network that are involved in SMB-based conversations. This enables swift identification of misconfigured or rogue hosts which become an entry point for this threat. |
| Early warning of malicious activity on the network. | Corvil can detect and alert on any host attempting to: |
| If infections occur, rapid investigation is critical, so the full extent of impact can be understood. | With a real-time view into activity happening on the network and a record of past activity, Corvil quickly provides insights into which other hosts on the network the infected hosts have communicated with and are currently communicating with. |
| Critical files were encrypted and we have no backups, help! | Corvil can automatically capture and store a copy of the original files (in packet form) from just before they were encrypted across the network. This enables file recovery should other recovery options fail. |
The sudden emergence, rapid evolution and hard-hitting impact of the WannaCry ransomware strain underscore the fact that real-time visibility and effective early detection of lateral attack movement on internal networks are essential.
Here at Corvil, we’re committed to helping our clients stay one step ahead of threats such as WannaCry, to ensure they can effectively secure from within. If you are a Corvil client and would like to inquire about these detection capabilities, please contact your local Corvil representative.