While the world breathes a sigh of collective relief with the discovery of a kill switch that slowed down the WannaCry worm, significant risk remains. The website that activated the kill switch has come under attack, and concerns have been raised that a new version of WannaCry without the kill switch could easily be released.
We need to remain vigilant. WannaCry has demonstrated its ability to spread and infect endpoints at an alarming rate. Addressing the underlying vulnerabilities needs to be a top priority. But in parallel, we must be able to use insight from the network to detect the worm as it infiltrates and moves laterally within our networks. We must also be in a position to quickly respond to new variations as WannaCry morphs or future threats leverage similar tactics.
The Ways of the WannaCry Worm
Let’s start by understanding the basics of how WannaCry proliferates. The WannaCry worm scans the network using the Server Message Block (SMB) protocol to look for vulnerable Windows hosts. It then leverages EternalBlue, a highly potent exploit leaked by a group known as the Shadow Brokers in April 2017, to gain access and install itself on the new host.
During the install process, a Tor client is downloaded to be used for command-and-control (C&C) communications. Once running on its new host, WannaCry attempts to communicate with specific domains before it begins to encrypt files found on the device. If the communication is successful, the kill switch is activated and the ransomware does not execute.
Since it is a worm, each instance of WannaCry becomes a potential source for further infection by scanning for additional vulnerable devices over SMB and providing the multiplying factor needed for exponential growth. As a result, WannaCry was able to infect hundreds of thousands of devices within a few days.
But while the network provides the means for the worm to propagate, it also provides us with the means to quickly detect its activity and mitigate it.
Gaining Visibility With Network Insights
By leveraging IBM QRadar Network Insights, we’re able to gain deep visibility into network activity as soon as it occurs. At the most basic level, we can see all the network activity, including any using the SMB protocol. It becomes very easy to see the network scans looking for open SMB ports and detect not only the targets, but also the source, whether it’s external or already within our network and attempting to move laterally.
From there, the analysis delves much deeper by looking into the content traversing the network. For example, QRadar Network Insights detects and tracks the files being used as part of the exploit as they cross the network. Domain Name System (DNS) and other domain information provide further visibility into the Tor download and covert communications, and YARA rules detect various aspects of the exploit as WannaCry traverses the network.
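As an added illustration of the SMB-scan detection described above (example code written for this post, not QRadar's own logic), the script below runs a breadth-of-targets check over constructed flow records: any source that reaches several distinct hosts on SMB ports within a short window is flagged, and the source is labelled internal or external using an assumed address plan so lateral movement and outside scanning are both caught. The flow data, address ranges, window and threshold are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not captured traffic): (time, src, dst, dst_port).
T0 = datetime(2017, 5, 12, 10, 0, 0)
SAMPLE_FLOWS = (
    [(T0 + timedelta(seconds=i), "10.1.2.3", f"10.1.2.{10 + i}", 445) for i in range(6)]            # internal host sweeping SMB
    + [(T0 + timedelta(seconds=10 + i), "203.0.113.7", f"10.1.5.{1 + i}", 445) for i in range(5)]  # external source sweeping SMB
    + [(T0 + timedelta(seconds=20 + i), "10.1.2.50", "10.1.2.100", 445) for i in range(3)]         # benign: one file server, repeatedly
    + [(T0 + timedelta(seconds=30 + i), "10.1.2.50", f"10.1.2.{101 + i}", 443) for i in range(6)]  # HTTPS to many hosts, not SMB
)

# Address ranges treated as "inside" the network (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SMB_PORTS = {445, 139}


def origin(addr):
    ip = ipaddress.ip_address(addr)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def detect_smb_scanners(flows, window=timedelta(seconds=60), threshold=4):
    """Flag sources reaching >= threshold distinct hosts on SMB ports within `window`.

    Repeated traffic to one file server is not a scan; breadth of targets in a
    short time is the signal, whether the source is outside or already inside."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    findings = {}
    for src, events in by_src.items():
        events.sort()  # sliding window below assumes time order
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            findings[src] = {"distinct_targets": peak, "origin": origin(src)}
    return findings


if __name__ == "__main__":
    for src, info in detect_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['distinct_targets']} SMB targets in window ({info['origin']} source)")
```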
The Never-Ending Challenge
By looking deep within network activity and content, QRadar Network Insights provides the visibility we need to detect and monitor WannaCry every step of the way. But it is even more important to remain vigilant for variations that differ from what we know now. Today, it’s SMB — tomorrow, it could just as easily be another network protocol. The exploit and tactics will likely change, too. It’s a never-ending challenge: One threat is detected and mitigated, only to re-emerge somewhere most folks aren’t looking.
We need to look everywhere, but that doesn’t mean we have to look for everything. Specifically, we must look for network behavior that is unexpected or anomalous, detect reconnaissance and lateral movement, and examine the packet content with application-level context to find what doesn’t belong. Furthermore, we must use this deep network insight to extract data that is relevant for historical analysis and threat hunting as new details of an exploit reveal themselves.
Having the right insight into network activity is the key to dealing with the continuing risks of WannaCry, and essential for preparing to quickly detect and respond to new threats as they emerge.