For every FireWall administrator who has already implemented our recommended Security Best Practices
Have a smile on your face, sit back and relax - you are covered, just tell the system guys to get their patching done and install Traps.
For everyone else
Get started if you don't want to get into trouble and let us know if you need help or
join the new EDU-210: Configuration- and Cyberthreat Management training where we teach you how to protect your network effectively
Let's start with the good news, a security researcher “MalwareTech” accidentally stopped the initial outbreak by registering a DNS name he found in the malware code. So all done and no need to worry? Well I don't think so because is very simple for the threat actor behind the WannaCrypt ransomware or any copycats to change the code. Apparently Kaspersky already found a variant without the kill-switch but it had a bug in the malware which prevent it from spreading "Yes, malware has bugs too ;)"
One important point up-front Installing the Windows update MS17-010 is crucial but will not protect you against this initial infection !
sStage 1 - Initial Infection of the first Device
In the first stage a device gets infected with malware. In case of WannaCrypt, there is no proof yet on how the initial infection exactly happend. There are numerous possibilities like for instance a malicious Word document distributed in phishing e-mails which is the classical threat vector for ransomware these days. However based on what we have seen on Friday, with so many attacks happening at the same time, it is hard to believe that users in so many well known companies opened malicious e-mail attachments and nobody has evidence of these e-mails. My personal theory is that the threat actor behind WannaCrypt simply bought access to devices which were already infected with malware and with this was able to check if the Microsoft patch was already deployed in its victims network. This wouldn't be unusual as today's cybercrime is very well organise with hackers specialising on specific attacks like infecting devices, deploying a remote access Trojan and then selling the access to others. What is clear in case, is that you have to protect your network from the initial infection. So let's explore the most common possibility.
Stage 2 - Distribution of the Malware inside of your Network
The real problem starts at stage two. Once the first device in your network is infected or an already compromised machine connects to your network, then it will scan the entire network for devices which a vulnerable to the EternalBlue exploit (CVE-2017-0143 to 0148). Once it has found new victims, which is effectively every Windows machine not patched with MS17-010, it implants the DoublePulsar backdoor to install the WannaCrypt ransomware and this time the user on the new victims machine doesn't have to do anything which means the domino effect starts and it is spreading everywhere bringing your company's IT operation to a hold.
Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.