WannaBe Ready for the Next WannaCry?

July 5, 2018 Lavi Lazarovitz

We recently passed the one year anniversary NotPetya – one of the most devastating outbreaks of ransomware in recent memory. By exploiting the EternalBlue vulnerability first exposed by WannaCry, NotPetya ravaged business systems and caused billions in damage globally.

Recently, Ukrainian government officials warned that businesses were finding increasing amounts of malware planted on computer systems and indicated there may be another massive, coordinated attack focused on the region.

While the NotPetya attacks started in the Ukraine last year, it quickly spread into a pandemic, impacting businesses around the world. The aftershocks are still being felt – ransomware will infect organizations long after the initial outbreak (just look at how the city of Atlanta was recently shut down for several days after an infection of the SamSam ransomware ran rampant across systems).

If Ukrainian officials are correct and a new variant of the devastating ransomware is about to be unleashed, then it could have similar devastating attacks on businesses around the world. This is why these warnings need to be accompanied by proactive actions to prevent ransomware and other attacks from stopping business.

Wanna get ahead of the next WannaCry?

Regardless of what the next ransomware is called, here are four steps your organization can take immediately to dramatically reduce the likelihood of an infection spreading throughout your organization and shutting down your business.

  • Patch Now. Patch Forever: Many of the recent attacks – including WannaCry and NotPetya – spread by utilizing known vulnerabilities (like EternalBlue). A known vulnerability means it can be fixed. Patching servers and endpoints dramatically reduces the attack surface, making a compromise far less likely.
  • Remove Local Admin Privileges to Stop its Progress: Most ransomware mentioned above utilized credentials to spread across the network. Removing local admins from vulnerable endpoints reduces the chance of malware compromising additional credentials and spreading throughout the network. Removing local admin rights significantly increases the chance of containing malware and ransomware to the initial point of infection.
  • Protect Local Credential Stores: NotPetya was a clarion call to the dangers of the supply chain. The initial spread of the ransomware-wiper occurred through MEDocs, a popular software application that was used by many organizations in the Ukraine. The attacks compromised the software updates of the application to facilitate the spread of the malware. Because these updates require local admin privileges, the credentials store on endpoints and servers needs to be well protected to prevent unauthorized access.
  • Controlled Software Updates: As mentioned above, the NotPetya attack was introduced through software updates via a supply chain partner. By isolating the deployment of new updates before they go out across the entire network, organizations can potentially expose malicious activity injected into the updates themselves.

Combatting ransomware is never 100 percent. But through a combination of least privilege and application control policies on endpoints and servers, as well as other smart, best-practice techniques, can mitigate the risk of malware like NotPetya from spreading from the initial infection point.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing NotPetya from executing.

Prevent the next outbreak – don’t react to it.


Previous Article
Cryptocurrency Evolution: The Rise of Monero and Its Impact on Cyber Security
Cryptocurrency Evolution: The Rise of Monero and Its Impact on Cyber Security

This article is part of a series of blog posts on cryptomining from the CyberArk Red Team. It explores the ...

Next Article
AMSI Bypass Redux
AMSI Bypass Redux

Three months ago we published a blog, “AMSI Bypass the Patching Technique,” describing how to bypass Micros...