While the world breathes a sigh of collective relief with the discovery of a kill switch that slowed down the WannaCry worm, significant risk remains. The website that activated the kill switch has come under attack, and concerns have been raised that a new version of WannaCry without the kill switch could easily be released.

We need to remain vigilant. WannaCry has demonstrated its ability to spread and infect endpoints at an alarming rate. Addressing the underlying vulnerabilities needs to be a top priority. But in parallel, we must be able to use insight from the network to detect the worm as it infiltrates and moves laterally within our networks. We must also be in a position to quickly respond to new variations as WannaCry morphs or future threats leverage similar tactics.

The Ways of the WannaCry Worm

Let’s start by understanding the basics of how WannaCry proliferates. The WannaCry worm scans the network using the Server Message Block (SMB) protocol to look for vulnerable Windows hosts. It then leverages EternalBlue, a highly potent exploit leaked by a group known as the Shadow Brokers in April 2017, to gain access and install itself on the new host.

During the install process, a Tor client is downloaded to be used for command-and-control (C&C) communications. Once running on its new host, WannaCry attempts to communicate with specific domains before it begins to encrypt files found on the device. If the communication is successful, the kill switch is activated and the ransomware does not execute.

Since it is a worm, each instance of WannaCry becomes a potential source for further infection by scanning for additional vulnerable devices over SMB and providing the multiplying factor needed for exponential growth. As a result, WannaCry was able to infect hundreds of thousands of devices within a few days.

But while the network provides the means for the worm to propagate, it also provides us with the means to quickly detect its activity and mitigate it.

Gaining Visibility With Network Insights

By leveraging IBM QRadar Network Insights, we’re able to gain deep visibility into network activity as soon as it occurs. At the most basic level, we can see all the network activity, including any using the SMB protocol. It becomes very easy to see the network scans looking for open SMB ports and detect not only the targets, but also the source, whether it’s external or already within our network and attempting to move laterally.
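The SMB reconnaissance described above can be spotted from flow records alone. The following is an added example, not QRadar code and not from the original post: it flags any source that contacts many distinct hosts on SMB ports within a short window and labels the source as internal or external. The flow records and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (timestamp, src, dst, dst_port); not real data.
FLOWS = [
    (1000, "10.0.1.15", "10.0.1.20", 445),   # internal host sweeping port 445
    (1001, "10.0.1.15", "10.0.1.21", 445),
    (1002, "10.0.1.15", "10.0.1.22", 445),
    (1003, "10.0.1.15", "10.0.1.23", 445),
    (1004, "10.0.1.15", "10.0.1.24", 445),
    (1005, "10.0.1.15", "10.0.1.25", 445),
    (1010, "203.0.113.7", "10.0.2.5", 445),  # external source sweeping port 445
    (1011, "203.0.113.7", "10.0.2.6", 445),
    (1012, "203.0.113.7", "10.0.2.7", 445),
    (1013, "203.0.113.7", "10.0.2.8", 445),
    (1014, "203.0.113.7", "10.0.2.9", 445),
    (1020, "10.0.3.4", "10.0.3.10", 445),    # normal repeated file-share access
    (1021, "10.0.3.4", "10.0.3.10", 445),
    (1030, "10.0.5.9", "10.0.5.1", 53),      # unrelated DNS traffic, ignored
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
SMB_PORTS = {445, 139}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def detect_smb_scanners(flows, window=60, min_targets=5):
    """Flag sources reaching >= min_targets distinct hosts on SMB ports within
    `window` seconds. Returns {src: {"targets": n, "origin": "internal"|"external"}}."""
    by_src = defaultdict(list)  # src -> list of (ts, dst) on SMB ports
    for ts, src, dst, port in flows:
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct destinations inside the sliding window that starts at t0
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                alerts[src] = {"targets": len(targets),
                               "origin": "internal" if is_internal(src) else "external"}
                break
    return alerts
```

An internal hit is the lateral-movement case the text warns about; an external hit is the inbound scan.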

From there, the analysis delves much deeper by looking into the content traversing the network. For example, QRadar Network Insights detects and tracks the files being used as part of the exploit as they cross the network. Domain Name System (DNS) and other domain information provide further visibility into the Tor download and covert communications, and YARA rules detect various aspects of the exploit as WannaCry traverses the network.

The Never-Ending Challenge

By looking deep within network activity and content, QRadar Network Insights provides the visibility we need to detect and monitor WannaCry every step of the way. But it is even more important to remain vigilant for variations that differ from what we know now. Today, it’s SMB — tomorrow, it could just as easily be another network protocol. The exploit and tactics will likely change, too. It’s a never-ending challenge: One threat is detected and mitigated, only to re-emerge somewhere most folks aren’t looking.

We need to look everywhere, but that doesn’t mean we have to look for everything. Specifically, we must look for network behavior that is unexpected or anomalous, detect reconnaissance and lateral movement, and examine the packet content with application-level context to find what doesn’t belong. Furthermore, we must use this deep network insight to extract data that is relevant for historical analysis and threat hunting as new details of an exploit reveal themselves.

Having the right insight into network activity is the key to dealing with the continuing risks of WannaCry, and essential for preparing to quickly detect and respond to new threats as they emerge.
