Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.
WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.
The information below describes the Vectra detections related to WannaCry and its variants operating in a network and how they enable enterprises to respond rapidly.
Will Vectra detect WannaCry and its variants?
Yes. Vectra will detect active WannaCry ransomware in your network as well as its variants. It is important to remember that before ransomware can encrypt files, it needs to locate file shares on the network, which requires internal reconnaissance. Vectra is able to detect that reconnaissance behavior and triage all the behaviors associated with infected hosts. Hosts infected with ransomware represent a critical risk, and these behaviors receive the highest threat and certainty scores so that those hosts are prioritized for immediate incident response.
The best part is, Vectra customers had this detection before WannaCry struck.
The Vectra security research and artificial intelligence teams have determined that infected hosts are likely to exhibit the following behaviors:
- Command and control communication over the TOR network.
- Sweeping the internal network and the Internet on port 445 for computers vulnerable to MS17-010.
- Automated replication of the malware once a machine vulnerable to MS17-010 has been found.
- Encryption of files on local and mapped network file shares.
How can I improve the response to WannaCry and its variants?
We recommend configuring email alerts specific to the attacker behavior detections related to WannaCry and its variants to help prioritize the investigation.
Vectra found that giving high priority to activity on port 445 provides early indicators of an attack. The relevant detections are:
- Outbound Port Sweep
- Port Sweep
- Internal Darknet Scan
- Automated Replication
- Ransomware file activity
- File Share enumeration
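To make the behaviors in the two lists above concrete, here is an added example (written for this page, not Vectra's code or detection logic) that runs two of them, a Port Sweep on TCP/445 and Automated Replication, over constructed flow records, then ranks the flagged hosts with illustrative threat and certainty scores. The threshold of 10 distinct targets within 60 seconds and the score values are assumptions chosen for the toy, and the IP addresses and timestamps are constructed.

```python
"""Toy detector for two WannaCry-era network behaviors (added example, not
Vectra's code): a port sweep on TCP/445 and automated replication (a swept host
that begins sweeping itself). Thresholds and scores are assumed values."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int      # seconds (constructed values)
    src: str
    dst: str
    dport: int


SWEEP_MIN_TARGETS = 10   # distinct hosts on 445 ...  (assumed tuning value)
SWEEP_WINDOW = 60        # ... within this many seconds (assumed tuning value)


def detect_port_sweeps(flows: List[Flow], min_targets: int = SWEEP_MIN_TARGETS,
                       window: int = SWEEP_WINDOW) -> Dict[str, Tuple[int, Set[str]]]:
    """Port Sweep: one source touching many distinct hosts on 445 in a short window.
    Returns {src: (window_start_ts, all 445 destinations that source contacted)}."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == 445:
            by_src[f.src].append(f)
    sweeps: Dict[str, Tuple[int, Set[str]]] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):          # sliding window over sorted flows
            while fl[end].ts - fl[start].ts > window:
                start += 1
            if len({f.dst for f in fl[start:end + 1]}) >= min_targets:
                sweeps[src] = (fl[start].ts, {f.dst for f in fl})
                break
    return sweeps


def detect_automated_replication(flows: List[Flow],
                                 sweeps: Dict[str, Tuple[int, Set[str]]]) -> List[Tuple[str, str, int]]:
    """Automated Replication: a sweeping host contacted a target on 445, and that
    target then started sweeping itself. Returns sorted [(source, destination, contact_ts)]."""
    events = []
    for src, (_, targets) in sweeps.items():
        for dst in targets:
            if dst in sweeps and dst != src:
                contact = min(f.ts for f in flows
                              if f.src == src and f.dst == dst and f.dport == 445)
                if sweeps[dst][0] >= contact:   # victim's sweep began after the contact
                    events.append((src, dst, contact))
    return sorted(events)


def prioritize(sweeps, replications) -> List[Tuple[str, Tuple[int, int]]]:
    """Illustrative (threat, certainty) scores: confirmed spread to another host
    outranks being spread to, which outranks reconnaissance alone. Highest first."""
    scores: Dict[str, Tuple[int, int]] = {src: (70, 60) for src in sweeps}
    for src, dst, _ in replications:
        scores[src] = max(scores.get(src, (0, 0)), (95, 90))
        scores[dst] = max(scores.get(dst, (0, 0)), (85, 80))
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic: one benign SMB client, one sweeping host, one
    swept host that then sweeps a second subnet."""
    flows = [Flow(ts, "10.0.0.9", "10.0.1.50", 445) for ts in (10, 40, 300)]
    flows += [Flow(100 + i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 16)]
    flows += [Flow(200 + i, "10.0.1.7", f"10.0.2.{i}", 445) for i in range(1, 16)]
    return flows


def run_detections(flows: List[Flow]):
    sweeps = detect_port_sweeps(flows)
    reps = detect_automated_replication(flows, sweeps)
    return sweeps, reps, prioritize(sweeps, reps)


if __name__ == "__main__":
    sweeps, reps, ranked = run_detections(constructed_flows())
    print("sweeping hosts:", sorted(sweeps))
    print("replication events:", reps)
    print("response priority:", ranked)
```

The benign workstation talks to a single file server on 445 and is never flagged; the host that sweeps a subnet is flagged as reconnaissance, and once one of its targets starts its own sweep the pair becomes an Automated Replication event, which is what pushes the source host to the top of the response queue.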
Alerting on all TOR Activity detections is also recommended. The Onion Router (TOR) is not a tool commonly used in enterprise organizations, and it is quite often an indicator of someone trying to hide their location and activity. TOR activity is often reason enough to investigate possible nefarious behavior.
Because every attacker behavior detection is scored for threat level and certainty, you can quickly prioritize hosts for incident response by selecting the score thresholds that trigger email alerts.
What do I need to do to respond to a detected attack?
Vectra puts all of the information at a security analyst's fingertips to make an informed decision. If Vectra detects one or more of these attacker behaviors on a host, you can choose to automate one of several actions, depending on the threat level and your internal policy.
- Quarantine or remove the host from the network. WannaCry has shown viral or wormlike spreading tendencies. Isolating a host from the network is the quickest way to halt its spread.
- Quarantine all of the hosts listed as destination IP addresses in an Automated Replication detection if they were contacted by a host suspected of WannaCry infection.
- Reimage infected hosts and restore files from an offline backup to avoid reinfection.
- In the case of a ransomware file activity detection, restore encrypted files on the file shares from an offline backup.
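The four response steps above, turned into an added worked example (not Vectra's code or API): starting from the hosts an analyst suspects, it follows Automated Replication detections transitively to build the quarantine set, since a host that was replicated to may itself have replicated further, and it attaches the reimage and offline-restore steps per host plus a share-level restore for each Ransomware File Activity detection. The Detection record shape, the detection names as field values, and the IPs and share name are constructed for the example.

```python
"""Response planner for the steps in the post (added example, not Vectra's code).
Detection records, hosts and the share name are constructed sample data."""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Optional, Set


class Detection(NamedTuple):
    kind: str             # detection name, e.g. "Automated Replication"
    host: str             # host the detection fired on
    dst: Optional[str]    # destination host for replication events
    share: Optional[str]  # affected file share for ransomware file activity


def hosts_to_quarantine(suspected: Set[str], detections: List[Detection]) -> Set[str]:
    """Suspected hosts plus every destination listed in an Automated Replication
    detection whose source is already in the set, applied repeatedly (BFS) so
    second- and third-hop victims are isolated too."""
    edges: Dict[str, Set[str]] = defaultdict(set)
    for d in detections:
        if d.kind == "Automated Replication" and d.dst:
            edges[d.host].add(d.dst)
    quarantine = set(suspected)
    queue = deque(suspected)
    while queue:
        h = queue.popleft()
        for nxt in edges.get(h, ()):
            if nxt not in quarantine:
                quarantine.add(nxt)
                queue.append(nxt)
    return quarantine


def response_plan(suspected: Set[str], detections: List[Detection]) -> Dict[str, List[str]]:
    """Ordered actions per asset: isolate each quarantined host, then reimage and
    restore it from offline backup; restore any share with ransomware file activity."""
    plan: Dict[str, List[str]] = {}
    for h in sorted(hosts_to_quarantine(suspected, detections)):
        plan[h] = ["quarantine", "reimage", "restore files from offline backup"]
    for d in detections:
        if d.kind == "Ransomware File Activity" and d.share:
            plan.setdefault(d.share, []).append("restore encrypted files from offline backup")
    return plan


def constructed_detections() -> List[Detection]:
    """Constructed sample: a two-hop replication chain from patient zero, an
    unrelated replication pair, and file encryption on a mapped share."""
    return [
        Detection("Automated Replication", "10.0.0.5", "10.0.1.7", None),
        Detection("Automated Replication", "10.0.1.7", "10.0.2.3", None),
        Detection("Automated Replication", "10.0.9.9", "10.0.9.10", None),  # not linked to suspects
        Detection("Ransomware File Activity", "10.0.0.5", None, r"\\fs01\finance"),
    ]


if __name__ == "__main__":
    for asset, actions in response_plan({"10.0.0.5"}, constructed_detections()).items():
        print(asset, "->", ", ".join(actions))
```

The unrelated pair 10.0.9.9 to 10.0.9.10 is deliberately left out of the quarantine set: the rule in the post only follows replication from hosts already suspected, so that pair needs its own triage before it is added to the starting set.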
This is only one of many more attacks to come. They will have different names and use different exploits. What isn’t changing is the nature of attacks and their behavior. While we don’t know what exactly the next big attack will be, we do know you need to be ready for it. And you need help. Advances in AI are allowing technology to augment security teams, and there needs to be a shift in the industry to identifying attacker behavior in real time.