ADVISORY: Recommendations to stop the WannaCry ransomware from spreading

Over the past few days, we have heard a lot about WannaCry, a massive ransomware campaign hitting the computer systems of hundreds of private companies and public organizations. Like everybody, whether company or private citizen, we at DenyAll are actively following the cyberattack using the ransomware named WannaCrypt and affecting organizations worldwide.

What happened?

The WannaCry ransomware uses the Windows Server Message Block (SMB) vulnerability that the NSA had exploited for many years through an exploit named EternalBlue, which came from the Shadow Brokers leak. This exploit takes advantage of a remote code execution vulnerability in the Windows Server Message Block (SMB) server found in almost all Windows operating systems (OS).

In just a few hours, the ransomware hit over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam, and this is just the beginning.

Common attack vectors

The most common ways for malware to reach an endpoint device are the following:

  • Spam emails
  • Infected removable drives
  • Bundled with other software
  • Hacked or compromised websites
  • Other malware

Against these vectors, traditional anti-virus, anti-spam and outgoing Web proxies are the most appropriate protection.

Attacking your website

Malware can also reach the internal network via uploads (or injections) into one of your websites. This is where Web Application Firewalls (WAF) come in.

To avoid this type of attack, we recommend deploying a WAF in front of your websites with the latest (up-to-date) security patterns, which block all kinds of injections and attacks.

You may also leverage the IP reputation feed (integrated from Webroot), which lets you reject any request coming from the TOR network, often used to anonymize the WannaCrypt attack.

Finally, you can block simple uploads of infected files by having every uploaded file analyzed by your enterprise anti-virus engine (through the ICAP protocol, from the WAF).

Securing your endpoint devices

In both cases, since the final target of the attack is the endpoint device, we recommend protecting your enterprise devices with a solution like Browser in the Box, which provides a shielded, virtualized browser for accessing external Internet websites.

This solution protects the host device from any malicious website that affects the virtualized browser, blocking any possible propagation. Furthermore, restarting Browser in the Box restores a clean environment.

Scanning your devices for vulnerabilities

Last but not least, we recommend scheduling scans with our product DenyAll Vulnerability Manager to check that all assets (desktops and servers) are patched.

Specifically, DenyAll Vulnerability Manager provides a couple of tests to verify that the MS17-010 patch (which fixes the vulnerabilities WannaCrypt exploits to spread across your infrastructure) is correctly installed.
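For administrators who want a quick local check before (or between) scanner runs, the following PowerShell snippet is an added example, not DenyAll's code: it looks for the March 2017 MS17-010 security update KB numbers with Get-HotFix and reports whether SMBv1 is still enabled. The KB list is an assumption based on Microsoft's MS17-010 release; later cumulative updates that supersede them carry other KB numbers, so a "not found" result should be confirmed with a proper vulnerability scanner.

```powershell
# Added example (not DenyAll code): check this host for the MS17-010 update and SMBv1.
# Assumption: KB ids below are the original March 2017 MS17-010 updates. Hosts that
# received later cumulative updates will show different KB ids, so treat "not found"
# as "verify with your vulnerability scanner", not as proof of exposure.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Vista / Server 2008 / XP / Server 2003 / Windows 8
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Get-HotFix enumerates installed updates; keep only those matching an MS17-010 KB id
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Computer = $ComputerName
        Patched  = [bool]$installed
        HotFixes = ($installed.HotFixID -join ',')
    }
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems fall back to "unknown" rather than guessing
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if (-not $cmd) { return 'unknown' }
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# Report: unpatched hosts, or hosts still exposing SMBv1, go to the top of the fix list
$result = Test-Ms17010
$result | Format-List
if (-not $result.Patched) {
    Write-Warning "No MS17-010 KB found on $($result.Computer); confirm patch level with your scanner."
}
$smb1 = Test-Smb1Enabled
if ($smb1 -eq $true) {
    Write-Warning "SMBv1 is enabled; if no legacy system needs it, disable it with Set-SmbServerConfiguration -EnableSMB1Protocol `$false"
}
```

Run it in an elevated PowerShell session; the -ComputerName parameter lets you point Test-Ms17010 at remote hosts that accept WMI/DCOM queries.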

Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us his passion, curiosity and fresh ideas to promote DenyAll and Cloud Protector at their best.