
Ransomware WannaCry

Incident Response
Fernando Zamai
fzamai@cisco.com
Advanced Threat Solutions
Ransomware: Easy Profits

• Most profitable malware in history
• Lucrative: direct payment to the attackers
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime this year
• An example: looking only at the Angler exploit kit delivering ransomware, about $60 million a year in profits
Remember SamSam?

• Affected hospitals in the United States in March 2016
• Targeted vulnerable JBoss servers
How Ransomware Works

(Diagram.) Infection chain: the user clicks a link or malvertising on the web, or opens an email with a malicious attachment -> malicious infrastructure serves the ransomware payload -> the payload fetches its encryption key from C2 infrastructure -> files become inaccessible. Indicator types shown along the chain: IP, URL, web domain, email address, AS number, name server.
Ransomware Sample – video capture by Threatgrid
WannaCry
Exploits a known Windows vulnerability (SMBv1, MS17-010)

• Affects all unpatched Windows versions, workstations and servers


WannaCry is spreading like a worm

(Diagram: the infection chain from the previous slide with the worm stage added.) Initial entry via the web (user clicks a link or malvertising) or email (malicious attachment) -> malicious infrastructure -> ransomware payload -> encryption key from C2 infrastructure -> files inaccessible. Worm stage: EternalBlue/DoublePulsar exploiting vulnerability MS17-010 over tcp/445 to reach further hosts with no user interaction at all.
WannaCry under the hood

(Diagram; stages as labelled on the slide.)
• Exploit: MS17-010 over tcp/445 (EternalBlue/DoublePulsar) delivers mssecsvc.exe
• Install: EternalBlue/DoublePulsar on the victim, then the dropper stages tasksche.exe
• Killswitch check: www.iuqwergwea.com (domain name abbreviated on the slide)
• Encrypts files: tasksche.exe, RSA 2048; helper binaries taskse.exe and taskdl.exe (delete temp files)
• Command & Control over Tor (Tor.exe) to:
  188.166.23.127:443
  193.23.244.244:443
  2.3.69.209:9001
  146.0.32.144:9001
  50.7.161.218:9001
• Scan internal & external: the worm scans the local network and random Internet addresses on tcp/445

http://blog.talosintelligence.com/2017/05/wannacry.html
Incident Response Emergency
General Recommendations for Mitigation

• PATCH, PATCH, PATCH
  • Apply the MS17-010 patch to your systems
  • Microsoft has also released this update for XP/Server 2003 systems, although they are out of support
• Block inbound/outbound SMB traffic (tcp/139, tcp/445) at the Internet perimeter
  • Inside the network, block or segment SMB wherever file and domain services do not need it; blocking it everywhere breaks file sharing and domain operations, so plan the exceptions
• Prepare for the worst: more is coming
Cisco Umbrella - Recommendations

• Block all requests in the "Security" categories and make sure "Newly Seen Domains" is blocked
Cisco AMP for Endpoints

• AMP is blocking WannaCry; make sure automatic sandbox submission of low-prevalence files is enabled
• Use the retrospection feature to find correlated events and artefacts
Cisco NGFW/NGIPS - Recommendations

• Activate the following Snort rules
  • 42329-42332 DoublePulsar (April 25)
  • 42340 Anonymous SMB (April 25)
  • 41978 Samba buffer overflow (March 14)
• Block all tcp/139 & tcp/445 from outside
  • Consider blocking it inside too, between network segments
• Enable Security Intelligence to block C&C (IP, URL, DNS)
• Enable AMP file inspection (ask for a trial license)
Cisco ESA & WSA & Meraki

• Enable AMP for advanced file inspection (ask for trials)
Cisco ISE & Stealthwatch

• Change the authorization rule to block tcp/445 and tcp/139 at the switch level (for example via a downloadable ACL) if supported
• Use Stealthwatch to monitor lateral movement on tcp/445 & tcp/139: one host opening SMB to many peers in a short time is the worm's signature
• Put the endpoint in quarantine via the ISE integration
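The two behaviours from the "WannaCry under the hood" slide that the Stealthwatch and Umbrella recommendations ask you to watch for, as an added example that is not code from the deck or from Cisco: SMB fan-out from one host to many peers in a short window (lateral movement) and matches against the indicators on the slide (Tor C2 addresses, killswitch lookups). The flow and DNS record layouts, the thresholds and every sample record are constructed for the example; adapt the parsers to your own flow and resolver log formats.

```python
"""Detect WannaCry-style behaviour in constructed flow and DNS log data.

  1. Lateral movement: one host opening tcp/445 (or tcp/139) to many distinct
     peers within a short window.
  2. Known indicators: connections to the Tor C2 nodes listed on the slide and
     DNS lookups of the killswitch domain.

Record layouts, thresholds and all sample records are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}

# Indicators copied from the slide (addresses the malware reaches over Tor).
TOR_C2 = {
    ("188.166.23.127", 443), ("193.23.244.244", 443), ("2.3.69.209", 9001),
    ("146.0.32.144", 9001), ("50.7.161.218", 9001),
}
# Killswitch domain as abbreviated on the slide.
KILLSWITCH_DOMAIN = "www.iuqwergwea.com"


def parse_flows(text):
    """One flow per line: '<ISO timestamp> <src> <dst> <dport> <proto>' (assumed layout)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def smb_fanout(flows, window_s=60, min_targets=10):
    """Return {src: peak distinct SMB targets} for every source that reached at
    least `min_targets` distinct hosts on tcp/139 or tcp/445 inside any
    `window_s`-second sliding window. Normal clients talk to a handful of file
    servers; the worm walks the local /24 and random Internet ranges."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in SMB_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> flows from this src inside the window
        lo, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict flows older than the window from the left edge.
            while (ts - events[lo][0]).total_seconds() > window_s:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def tor_c2_contacts(flows):
    """Sorted (src, dst, dport) triples that match the Tor C2 list."""
    return sorted({(src, dst, dport) for _, src, dst, dport, proto in flows
                   if proto == "tcp" and (dst, dport) in TOR_C2})


def parse_dns(text):
    """One query per line: '<ISO timestamp> <client> <qname>' (assumed layout)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def killswitch_clients(dns_records):
    """Clients that looked up the killswitch domain (case-insensitive, trailing dot
    ignored). A lookup means mssecsvc.exe is already running on that host."""
    return sorted({client for _, client, qname in dns_records
                   if qname.rstrip(".").lower() == KILLSWITCH_DOMAIN})


# Constructed sample data: 10.1.1.20 is infected; 10.1.1.50 is a normal client.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.1.1.20 10.1.1.{21 + i} 445 tcp" for i in range(12)]
    + [
        "2017-05-12T10:00:15 10.1.1.20 188.166.23.127 443 tcp",
        "2017-05-12T10:00:20 10.1.1.50 10.1.1.5 445 tcp",
        "2017-05-12T10:01:20 10.1.1.50 10.1.1.5 445 tcp",
        "2017-05-12T10:02:20 10.1.1.50 10.1.1.6 445 tcp",
        "2017-05-12T10:03:00 10.1.1.50 10.1.1.7 443 tcp",
    ]
)
SAMPLE_DNS = """\
2017-05-12T09:59:58 10.1.1.20 www.iuqwergwea.com
2017-05-12T10:00:30 10.1.1.50 www.cisco.com
2017-05-12T10:00:40 10.1.1.77 WWW.IUQWERGWEA.COM.
"""


def triage(flow_text=SAMPLE_FLOWS, dns_text=SAMPLE_DNS):
    """Run all three checks and return the findings keyed by signal."""
    flows = parse_flows(flow_text)
    return {
        "smb_fanout": smb_fanout(flows),
        "tor_c2": tor_c2_contacts(flows),
        "killswitch_lookups": killswitch_clients(parse_dns(dns_text)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The fan-out threshold is the part to tune: a backup server or a vulnerability scanner legitimately opens SMB to hundreds of hosts, so whitelist those sources rather than raising `min_targets` until the worm slips under it. A host that appears in both the fan-out and the killswitch lists is the one to quarantine through ISE first.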
Umbrella can help immediately
https://signup.umbrella.com/

Umbrella protects against the unknown

• "Accidental hero" halts ransomware attack and warns: this is not over
• He used Umbrella Investigate to track the volume of DNS lookups for the killswitch domain as the infection spread

Killswitch domain blocked by the NSD (Newly Seen Domains) security category

Caveat: the killswitch only works in the defender's favour when the malware's HTTP request to the domain succeeds. mssecsvc.exe exits if the connection to the killswitch domain completes and goes on to run the worm and the encryptor if it fails. Umbrella answers the lookup with a block page, so the connection succeeds and the malware stops. A control that returns NXDOMAIN, sinkholes the name to an address nothing listens on, or silently drops the outbound request makes the check fail and lets the payload run; the same happens on hosts that can only reach the Internet through a proxy the malware does not use.

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
Umbrella Containment – Killswitch Block
Umbrella Containment – TOR Block
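The killswitch decision written out as a function and exercised against four ways a network control can answer the malware's request, as an added example that is not code from the deck or from Cisco. The logic mirrors what mssecsvc.exe does (request the killswitch URL, exit on success, proceed on any failure) as documented in the Talos and MalwareTech write-ups linked on this page; the four control behaviours are constructed stubs, not real network code.

```python
"""Killswitch check as a decision function: success -> exit, failure -> run."""
from enum import Enum


class Outcome(Enum):
    EXITS = "connection succeeded: mssecsvc.exe exits before dropping the payload"
    RUNS = "connection failed: worm scanning and tasksche.exe encryption proceed"


def killswitch_decision(connect):
    """Mirror the logic in mssecsvc.exe: it requests the killswitch URL over HTTP
    and exits if the request completes; any failure means 'keep going'.
    `connect` stands in for that HTTP request and raises on failure."""
    try:
        connect()
    except OSError:  # covers ConnectionRefusedError, TimeoutError, resolver errors
        return Outcome.RUNS
    return Outcome.EXITS


# Constructed control behaviours (what the malware sees; assumptions for the example).
def dns_block_page():
    """Umbrella-style block: the name resolves to a block-page server that accepts
    the TCP connection and answers HTTP; the status code does not matter."""
    return "HTTP/1.1 403 Forbidden"


def dns_nxdomain():
    """DNS filter that answers NXDOMAIN, or a firewall that drops the query."""
    raise OSError("getaddrinfo failed: NXDOMAIN")


def dns_sinkhole_unreachable():
    """Sinkhole to an address nothing listens on (0.0.0.0, an unused RFC 1918 IP)."""
    raise ConnectionRefusedError("connect to sinkhole address refused")


def proxy_only_egress():
    """Direct outbound HTTP dropped; the malware runs as SYSTEM with no proxy settings."""
    raise TimeoutError("direct egress to the Internet timed out")


def evaluate_controls():
    """Return {control name: Outcome} so the asymmetry is visible at a glance."""
    controls = {
        "block page": dns_block_page,
        "nxdomain": dns_nxdomain,
        "unreachable sinkhole": dns_sinkhole_unreachable,
        "proxy-only egress": proxy_only_egress,
    }
    return {name: killswitch_decision(fn) for name, fn in controls.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_controls().items():
        print(f"{name:22s} -> {outcome.name}: {outcome.value}")
```

Only the block-page behaviour stops the malware. When you "block" the killswitch domain with any other control, verify from a test host that an HTTP request to it still completes; if it does not, you have removed the one thing holding the payload back.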
Umbrella is blocking new Threats
Where Umbrella can help
(Diagram: repeats the "WannaCry under the hood" stages. The stages a DNS-layer control touches are the killswitch lookup for www.iuqwergwea.com and the Tor C2 connections to 188.166.23.127:443, 193.23.244.244:443, 2.3.69.209:9001, 146.0.32.144:9001 and 50.7.161.218:9001, the slide's "Killswitch Block" and "TOR Block". The MS17-010 exploit over tcp/445 and the local encryption stage are not DNS events and are covered by patching and SMB blocking.)

http://blog.talosintelligence.com/2017/05/wannacry.html
Quick Prevention Defense Components

• Cloud Email Security
• Umbrella
• Cisco AMP for Endpoints
Key points to highlight

• Traditional antivirus is NOT enough: it is time for a real APT/EDR endpoint solution that offers internal visibility and retrospection
• DNS visibility and control is a must-have
• Network segmentation and automation must be part of the security strategy
• The email attack vector is growing fast
