Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.
WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.
The information below describes the Vectra detections related to WannaCry and its variants operating in a network and how they enable enterprises to respond rapidly.
Will Vectra detect WannaCry and its variants?
Yes. Vectra will detect active WannaCry ransomware in your network as well as its variants. It is important to remember that before ransomware can encrypt files, it needs to locate file shares on the network. This requires performing internal reconnaissance. Vectra is able to detect reconnaissance behavior and triage all the behaviors associated with infected hosts. Hosts infected with ransomware represent a critical risk, and these behaviors receive the highest threat and certainty scores to prioritize those hosts for immediate incident response.
The best part is, Vectra customers had this detection before WannaCry struck.
The Vectra security research and artificial intelligence teams have determined that infected hosts are likely to exhibit the following behaviors:
How can I improve the response to WannaCry and its variants?
We recommend configuring email alerts specific to the attacker behavior detections related to WannaCry and its variants to help prioritize the investigation.
Vectra found that giving high priority to activity on port 445 provides early indicators of an attack:
Alerting on all TOR Activity detections is also recommended. The Onion Router (TOR) is not a tool commonly used in enterprise organizations, and it is quite often an indicator of someone trying to hide their location and activity. TOR activity is often a reason to investigate possible nefarious behavior.
As a result of scoring all attacker behavior detections for threat level and certainty, you are able to quickly prioritize hosts for incident response by selecting the thresholds for email alerts.
What do I need to do to respond to a detected attack?
Vectra puts all of the information at a security analyst's fingertips to make an informed decision. If Vectra detects one or more of these attacker behaviors on a host, you can choose to automate one of several actions, depending on the threat level and your internal policy.
What next?
This is only one of many more attacks to come. They will have different names and use different exploits. What isn’t changing is the nature of attacks and their behavior. While we don’t know what exactly the next big attack will be, we do know you need to be ready for it. And you need help. Advances in AI are allowing technology to augment security teams, and there needs to be a shift in the industry to identifying attacker behavior in real time.
Join our webinar on May 17, 2017 and learn how Vectra can augment your security team to respond to the WannaCry attack and its variants, and how Vectra Networks automates the hunt for hidden cyber attacks to make incident response faster and more efficient for future attacks.
Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.