
Vectra detection and response to WannaCry ransomware

Chris Morales
May 16, 2017

Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.

WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.

The information below describes the Vectra detections related to WannaCry and its variants operating in a network and how they enable enterprises to respond rapidly.

Will Vectra detect WannaCry and its variants?

Yes. Vectra will detect active WannaCry ransomware in your network as well as its variants. It is important to remember that before ransomware can encrypt files, it needs to locate file shares on the network. This requires performing internal reconnaissance. Vectra is able to detect reconnaissance behavior and triage all the behaviors associated with infected hosts. Hosts infected with ransomware represent a critical risk, and these behaviors receive the highest threat and certainty scores to prioritize those hosts for immediate incident response.

The best part is, Vectra customers had this detection before WannaCry struck.

The Vectra security research and artificial intelligence teams have determined that infected hosts are likely to exhibit the following behaviors:

  • Command and control communication over the TOR network.
  • Sweeping the internal network and the Internet on port 445 for computers with the vulnerability MS17-010.
  • Automated replication of malware once a machine with vulnerability MS17-010 has been found.
  • Encryption of files on local and mapped network file shares.

How can I improve the response to WannaCry and its variants?

We recommend configuring email alerts specific to the attacker behavior detections related to WannaCry and its variants to help prioritize the investigation.

Vectra found giving high priority to activity on port 445 provides early indicators of an attack:

  • Outbound Port Sweep
  • Port Sweep
  • Internal Darknet Scan
  • Automated Replication
  • Ransomware file activity
  • File Share enumeration
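To make the port 445 behaviors above concrete, here is an added example (not Vectra's code or the detection logic its product uses) that runs a simple sweep detector over constructed flow records: a source that touches five or more distinct hosts on port 445 within a minute is flagged as an internal or outbound port sweep, and a swept host that later begins sweeping on its own is reported as automated replication. The flow tuples, thresholds and the RFC1918 definition of "internal" are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port); not real captures.
FLOWS = (
    [(t, "10.0.1.5", f"10.0.1.{10 + t}", 445) for t in range(5)]           # internal sweep
    + [(10 + t, "10.0.1.5", f"203.0.113.{1 + t}", 445) for t in range(5)]  # outbound sweep
    + [(30 + t, "10.0.1.12", f"10.0.1.{20 + t}", 445) for t in range(5)]   # victim sweeps next
    + [(t, "10.0.1.50", "10.0.1.100", 445) for t in range(0, 40, 8)]       # benign file-server use
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def find_port445_sweeps(flows, threshold=5, window=60):
    """Map (src, 'internal'|'outbound') -> (first_alert_ts, dsts) once >= threshold distinct hosts are hit."""
    recent = defaultdict(list)   # key -> [(ts, dst)] still inside the sliding window
    sweeps = {}
    for ts, src, dst, port in sorted(flows):
        if port != 445:
            continue
        key = (src, "internal" if is_internal(dst) else "outbound")
        kept = [(t, d) for t, d in recent[key] if ts - t <= window]
        kept.append((ts, dst))
        recent[key] = kept
        dsts = frozenset(d for _, d in kept)
        if len(dsts) >= threshold and key not in sweeps:
            sweeps[key] = (ts, dsts)   # alert once, at the moment the threshold is crossed
    return sweeps

def find_automated_replication(sweeps):
    """(scanner, victim) pairs: victim was a sweep target and later starts an internal sweep itself."""
    chains = []
    for (src, scope), (ts, dsts) in sweeps.items():
        if scope != "internal":
            continue
        for victim in dsts:
            later = sweeps.get((victim, "internal"))
            if later and later[0] > ts:
                chains.append((src, victim))
    return sorted(chains)

if __name__ == "__main__":
    sweeps = find_port445_sweeps(FLOWS)
    for (src, scope), (ts, dsts) in sorted(sweeps.items()):
        print(f"{scope} port sweep by {src} at t={ts}s: {len(dsts)} hosts")
    for scanner, victim in find_automated_replication(sweeps):
        print(f"automated replication: {scanner} -> {victim}")
```

The benign host that repeatedly reaches one file server on 445 never crosses the distinct-destination threshold, which is why counting distinct hosts rather than connections keeps ordinary SMB use out of the alert.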

Alerting on all TOR Activity detections is also recommended. The Onion Router (TOR) is not a tool commonly used in enterprise organizations, and it is quite often an indicator of someone trying to hide their location and activity. TOR activity is often a reason to investigate possible nefarious behavior.

Because all attacker behavior detections are scored for threat level and certainty, you are able to quickly prioritize hosts for incident response by selecting the thresholds for email alerts.

What do I need to do to respond to a detected attack?

Vectra puts all of the information at a security analyst's fingertips to make an informed decision. If Vectra detects one or more of these attacker behaviors on a host, you can choose to automate one of several actions, depending on the threat level and your internal policy.

  1. Quarantine or remove the host from the network. WannaCry has shown viral or wormlike spreading tendencies. Isolating a host from the network is the quickest way to halt its spread.
  2. Quarantine all of the hosts listed as destination IP addresses in an Automated Replication detection if they were contacted by a host suspected of WannaCry infection.
  3. Reimage infected hosts and restore files from an offline backup to avoid reinfection.
  4. In the case of a ransomware file activity detection, restore encrypted files on the file shares from an offline backup.

What next?

This is only one of many more attacks to come. They will have different names and use different exploits. What isn’t changing is the nature of attacks and their behavior. While we don’t know what exactly the next big attack will be, we do know you need to be ready for it. And you need help. Advances in AI are allowing technology to augment security teams, and there needs to be a shift in the industry to identifying attacker behavior in real time.

Join our webinar on May 17, 2017 to learn how Vectra can augment your security team to respond to the WannaCry attack and its variants, and how Vectra Networks automates the hunt for hidden cyber attacks to make incident response faster and more efficient for future attacks.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
