CyberArk Labs: Breaking Down WannaCry Ransomware – What’s Different?

Critical Synopsis:

  • WannaCry malware continues to spread on a global basis and organizations are still at risk of being infected;
  • Patching the Microsoft vulnerability can prevent infection via the SMB worm, but cannot prevent direct infection via phishing;
  • CyberArk Labs tested prevention tactics on WannaCry over the weekend and found that the combination of enforcing least privilege on endpoints and application greylisting control was 100 percent effective in preventing WannaCryptor from encrypting files.

The ransomware behind this attack is known as WannaCryptor, also referred to as WannaCrypt or WannaCry. Over the weekend, CyberArk Labs investigated the ransomware strain, broke down the attack vectors, and analyzed how it compares to other recent ransomware attacks. Here’s what organizations need to know now.

To date, CyberArk Labs has tested more than 600,000 ransomware samples – including WannaCryptor – in order to better understand common infection, encryption and removal characteristics.  Unlike previous strains of ransomware, WannaCryptor is differentiated by a worm that spreads the ransomware as quickly as possible to as many machines as possible. The worm spreads using the “eternalblue” SMB vulnerability in Microsoft systems.

Microsoft issued a patch for this vulnerability in March 2017, but details on the vulnerability were released into the wild, freely available to attackers, as part of the Shadow Brokers leaks. Any individual and organization with an unpatched Microsoft system remains vulnerable to the worm in WannaCryptor.

  • Important Protection Note: The Microsoft patch will prevent infection via the SMB worm, but it cannot prevent infection and file encryption if the ransomware is delivered through a direct means, such as phishing.

WannaCryptor is able to execute on an infected machine without administrative privileges. However, to propagate through the organization’s network, WannaCryptor needs to escalate privileges through a Microsoft vulnerability that enables it run code in SYSTEM user context. WannaCryptor is able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in bitcoin to decrypt the files.

While the built-in worm differentiates WannaCryptor’s ability to spread from previous versions of ransomware, there is nothing inherently unique about its encryption and extortion techniques. Like most ransomware, WannaCryptor was missed by traditional anti-virus solutions.

  • Important Protection Note: Organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations.

This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly. This prevents one infected end-point from causing an organizational pandemic.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing WannaCryptor and dozens of other ransomware families from encrypting files.

This attack should serve as a reminder that back-ups alone are no longer enough to protect against data loss, especially if organizations are exposing privileged credentials to attackers. This means organizations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit damage.