On Friday, May 12, 2017, a series of attacks began that spread the latest version of the WanaCrypt0r ransomware.
These attacks, also referred to as WanaCrypt or WannaCry, have already had a serious impact on systems of public and private organisations across the globe, with an estimated 1.3m systems still at risk. This variant of ransomware has already infected more than 230,000 systems in more than 150 countries, making it one of the most destructive ransomware to date.
Following these attacks we are keen to ensure that all of our clients have adequate protection against WanaCrypt0r ransomware and other such zero day malware attacks.
We are recommending that any clients that do not already have an Advanced Endpoint Protection solution in place, implement one promptly to deliver protection against WanaCrypt0r ransomware or any future ransomware attack.
As a Palo Alto Networks Gold Partner our preferred solution for our customers is Traps Advanced Endpoint Protection.. In this post, we will outline the protection against WanaCrypt0r ransomware that Traps delivers.
Although the initial infection vector for WanaCrypt0r ransomware (a.k.a. WannaCry and WCry) is still under investigation, many attacks observed, so far, have compromised at least one endpoint in a network before spreading to other systems by exploiting a vulnerability in the SMB protocol on Microsoft Windows systems (CVE-2017-0144, “EternalBlue”). Microsoft patched this vulnerability in March and took the extraordinary step of also covering such systems as Windows XP that are no longer receiving security patches.
On unpatched Windows systems where this SMB protocol vulnerability can be exploited, the initially compromised endpoint remotely delivers the WanaCrypt0r sample to the target host system and executes the malware. The newly compromised endpoint will then repeat this cycle with other hosts it can reach on the network, propagating the attack in the process. Data files on each compromised endpoint are also encrypted to extract ransom money from victims.
Traps Protection Against WanaCrypt0r Ransomware
The multi-method prevention approach of Traps delivers several protections that block the malware execution in the early stages of the WanaCrypt0r attack. In cases where the initial malware is successfully delivered to the endpoint (see below for how the Palo Alto Networks Next-Generation Security Platform can prevent this), Traps automatically blocks the attacker’s attempt to execute the WanaCrypt0r malware.
Preventing WanaCrypt0r Malware Execution
Traps v4.0 (released in May 2017) and v3.4 (released in August 2016) prevent the execution of WanaCrypt0r on Windows endpoints through the following malware prevention methods:
- WildFire Threat Intelligence: WildFire automatically classifies as malware all samples of WanaCrypt0r that have been seen elsewhere by our threat intelligence partners, third-party feeds, and the 15,500 customers who subscribe to WildFire. As new samples of this malware are discovered across the globe, WildFire will automatically create and deliver updated controls to block these variants on endpoints protected by Traps. Because this malware prevention method is enabled by default, Traps customers don’t need to modify their policy configurations to receive this protection, unless they have disabled this protection.
- Local Analysis via Machine Learning: The local analysis malware prevention method blocks the execution of new and never-before-seen variants of WanaCrypt0r before they can compromise endpoints. Because local analysis does not use virus signatures, Traps customers have been receiving this protection since before the first reports of this ransomware attack surfaced on Friday. In addition, this malware prevention method is enabled by default, so Traps customers don’t need to modify their policy configurations to receive this protection, unless they have disabled it.
- WildFire Inspection and Analysis: In conjunction with local analysis, Traps automatically submits unknown executables to WildFire for full inspection and analysis. WildFire, in turn, automatically creates and shares a new prevention control with Traps (as well as other components of the Palo Alto Networks Next-Generation Security Platform) in as few as five minutes, without human intervention. This malware prevention method can identify new and unknown variants of WanaCryp0r, as well as other malware. In addition, Traps customers can easily configure this protection to prevent the execution of any unknown program until a WildFire verdict is available This additional restriction is not activated by default in Traps v3.4 and v4.0, and in most cases, not necessary to block WanaCryp0r ransomware.
- Execution Restrictions: These restrictions can prevent WanaCryp0r from executing the malware programs that it creates in temporary folders on the target machines. Execution restriction can serve as an added layer of protection to supplement the WildFire and local analysis prevention methods that are available by default. Traps customers with high security requirements can choose to augment the default protections with this prevention method. However, this must be configured manually: there are currently no confirmed, inclusive lists of known locations and executables associated with WanaCrypt0r, so Traps customers should consider adding new execution restrictions on a case-by-case basis.
Traps and the Palo Alto Networks Next-Generation Security Platform
As an integral component of the Palo Alto Networks Next-Generation Security Platform, Traps protections are continuously strengthened by the threat intelligence Palo Alto Networks customers share with the platform. Customers who use Traps in a stand-alone deployment (where no other Palo Alto Networks technologies are deployed) benefit from the platform by blocking variants of WanaCrypt0r that have been encountered first by our other customers.
If you would like to speak to someone about improving the potential security vulnerabilities in your organisation or would like further information on Palo Alto Networks Traps and their Next-Generation Security Platform please contact us on 01932 232345 or use the form below.