With the discovery of a kill switch that slowed the WannaCry worm, the world has breathed a collective sigh of relief, but significant risk remains. The domain that activates the kill switch has come under attack, and if it stops answering, infected hosts that depend on that check will proceed to encrypt. Concerns have also been raised that a new version of WannaCry without the kill switch could easily be released.

We need to remain vigilant. WannaCry has demonstrated its ability to spread and infect endpoints at an alarming rate. Addressing the underlying vulnerabilities needs to be a top priority. But in parallel, we must be able to use insight from the network to detect the worm as it infiltrates and moves laterally within our networks. We must also be in a position to quickly respond to new variations as WannaCry morphs or future threats leverage similar tactics.

The Ways of the WannaCry Worm

Let’s start by understanding the basics of how WannaCry proliferates. The WannaCry worm scans the network over the Server Message Block (SMB) protocol (TCP port 445) looking for vulnerable Windows hosts. It then uses EternalBlue, a highly potent exploit for a flaw in SMBv1 that was leaked by a group known as the Shadow Brokers in April 2017 (Microsoft had patched the flaw in March 2017 as MS17-010), to gain code execution and install itself on the new host.

During the install process, a Tor client is installed for command-and-control (C&C) communications. Once running on its new host, WannaCry attempts to connect to a hard-coded domain before it begins to encrypt files found on the device. If the connection succeeds, the kill switch is activated and the ransomware payload does not run. Note the caveat: the check also fails on a host that cannot reach the Internet directly, for example one behind an authenticating proxy or in an isolated segment, so such hosts are encrypted regardless of whether the kill-switch domain is up.

Since it is a worm, each instance of WannaCry becomes a potential source for further infection by scanning for additional vulnerable devices over SMB and providing the multiplying factor needed for exponential growth. As a result, WannaCry was able to infect hundreds of thousands of devices within a few days.

But while the network provides the means for the worm to propagate, it also provides us with the means to quickly detect its activity and mitigate it.

Gaining Visibility With Network Insights

By leveraging IBM QRadar Network Insights, we’re able to gain deep visibility into network activity as soon as it occurs. At the most basic level, we can see all the network activity, including anything using the SMB protocol. It becomes very easy to see the network scans looking for open SMB ports (TCP 445) and to identify not only the targets but also the source, whether it’s external or already within our network and attempting to move laterally.
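The core of that check can be sketched in a few dozen lines. The Python below is an added example written for this article, not part of the original post and not QRadar’s own logic: it counts the distinct TCP/445 destinations each source reaches inside a sliding time window, raises an alert when the fan-out exceeds a threshold, and labels the source as inside the network (lateral movement) or outside (inbound probe). The window, threshold, RFC 1918 ranges and every flow record are assumptions constructed for the demonstration.

```python
"""Flag SMB sweeps (fan-out on TCP/445) in flow records and tag the scanner as
internal (lateral movement) or external (inbound probe).

Hypothetical example written for this article; it is not QRadar logic. The flow
records below are constructed for the demo, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SMB_PORT = 445

# Assumption: RFC 1918 space is "inside"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since some epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str = "tcp"


def detect_smb_scanners(flows, window=60.0, threshold=20):
    """Return {src: n} for every source that reaches at least `threshold`
    distinct hosts on TCP/445 within any `window`-second span; n is the
    largest distinct-destination count observed in such a span."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            per_src[f.src].append((f.ts, f.dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                       # by timestamp
        in_window = defaultdict(int)        # dst -> hits inside the window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the span is <= `window` wide
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[src] = best
    return alerts


def classify_source(ip):
    """'internal' if the scanner is already inside (lateral movement),
    otherwise 'external' (an inbound probe against exposed SMB)."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def build_sample_flows():
    """Constructed sample records for the demo (not real traffic)."""
    flows = []
    # Benign: a workstation touching the file server a few times over an hour.
    for i in range(5):
        flows.append(Flow(100.0 + 600 * i, "10.0.5.22", "10.0.1.10", SMB_PORT))
    # Benign: many HTTPS connections; high fan-out, but not SMB, so ignored.
    for i in range(1, 51):
        flows.append(Flow(200.0 + i, "10.0.5.30", f"198.51.100.{i}", 443))
    # Worm-like: an internal host sweeping its own /24 on 445 in ~40 seconds.
    for i in range(1, 41):
        if i != 17:                          # a host does not scan itself
            flows.append(Flow(500.0 + i, "10.0.5.17", f"10.0.5.{i}", SMB_PORT))
    # Inbound: an external address probing 25 internal hosts on 445.
    for i in range(1, 26):
        flows.append(Flow(900.0 + i, "203.0.113.9", f"10.0.7.{i}", SMB_PORT))
    return flows


def triage(flows):
    """Run detection and return sorted (src, distinct_targets, classification)."""
    return sorted((src, n, classify_source(src))
                  for src, n in detect_smb_scanners(flows).items())


if __name__ == "__main__":
    for src, n, kind in triage(build_sample_flows()):
        print(f"{src:15} hit {n:3d} distinct hosts on 445/tcp within 60s -> {kind}")
```

The threshold matters: a real workstation legitimately talks to a handful of domain controllers and file servers on 445, never to dozens of neighbours in under a minute, so a distinct-destination count is far less noisy than a raw connection count. Tune `window` and `threshold` against a baseline of your own flow data before alerting on it.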

From there, the analysis delves much deeper by looking into the content traversing the network. For example, QRadar Network Insights detects and tracks the files being used as part of the exploit as they cross the network. Domain Name System (DNS) data and other domain information provide further visibility into the Tor download and covert communications, and YARA rules detect various aspects of the exploit as WannaCry traverses the network.

The Never-Ending Challenge

By looking deep within network activity and content, QRadar Network Insights provides the visibility we need to detect and monitor WannaCry every step of the way. But it is even more important to remain vigilant for variations that differ from what we know now. Today, it’s SMB — tomorrow, it could just as easily be another network protocol. The exploit and tactics will likely change, too. It’s a never-ending challenge: One threat is detected and mitigated, only to re-emerge somewhere most folks aren’t looking.

We need to look everywhere, but that doesn’t mean we have to look for everything. Specifically, we must look for network behavior that is unexpected or anomalous, detect reconnaissance and lateral movement, and examine the packet content with application-level context to find what doesn’t belong. Furthermore, we must use this deep network insight to extract data that is relevant for historical analysis and threat hunting as new details of an exploit reveal themselves.

Having the right insight into network activity is the key to dealing with the continuing risks of WannaCry, and essential for preparing to quickly detect and respond to new threats as they emerge.
