WannaCry Interface

WannaCry – See It In Action

This week we are running webinars at 3pm GMT every day where we will talk about the current threat landscape and show Wannacrypt in action before taking a deep dive into the forensics of the attack. To register for one of these, send an email to info@custodian360.com or leave you details at https://www.custodian360.com/contact-us/

Friday the 12th of May 2017 saw the first Ransomware worm that we have seen in the wild wreak havoc across the globe, striking indiscriminately at those running Windows XP, Windows Server 2003 or unpatched Windows 7 Operating Systems. This worm has exploited the vulnerability MS17-010 allowing it to spread through a network at alarming speed and with no user interaction.

The first that many of us heard about this was when it was announced that a number of NHS Trusts were experiencing some kind of cyber-attack. As it then transpired, Telefonica had already suffered the same fate in Spain and then reports started to come from many different sources alerting us to the fact that this was much more widespread than just the NHS Trusts or a few larger companies.

WannaCry InterfaceOver the next few hours I personally watched the spread of the worm around the globe, more and more infections were reported, social media was alight with comments and pictures for many hours as more and more people fell victim to Wannacrypt which was soon dubbed Wannacry.

Very soon we were looking at numbers as high as 200,000 infections worldwide, had this been a traditional Ransomware campaign this wouldn’t have been too bad for many organisations as they would have been facing a ransom payment of hundreds of dollars.

Many would see this as acceptable to quickly recover files and many would pay the ransom quite quickly. Instead, what we had was organisations facing huge ransom payments totalling many thousands of dollars. For the majority, the only option was to start a massive clean-up operation of rebuilding affected computers and restoring files (where possible) from backup.

This leaves many IT staff facing a long weekend working day and night to try and put their business back to a position where they are operational on a Monday morning. As this has been such a high-profile incident we can clearly see that for many this just hasn’t been possible and many organisations are still in Disaster Recovery situations or are limping along, many reverting to using paper as a means of communication.

It’s clear to see that it doesn’t get much worse than this. As the person responsible for providing IT services within an organisation this is absolutely the worst nightmare situation.

We should sympathise with some of these larger organisations though. Many use bespoke applications that were developed to run on Windows XP or Windows Server 2003 and are not compatible with later, more secure operating systems and the cost of both re-developing applications and migrating to new operating systems is prohibitive.

This, unfortunately makes them sitting ducks. As exploits are discovered they are dependent on their security measures and vendors being good to their claims about protection levels. We have seen Microsoft release an emergency patch to prevent the spread of the worm on these systems but we can’t rely on Microsoft doing that in the future as these systems are well beyond end of support. Even if Microsoft do release patches for found exploits in the future, we have just seen that it takes a couple of days for these to become available, what option do you have then, shut down all of your systems until you can apply patches?

That’s just not an acceptable approach. Security vendors and suppliers must step up and work with these organisations to provide the level of protection that is now needed. Many new vendors are doing this and are thinking of new ways to detect malicious behaviour and stop it in its tracks.

The old approach of detecting threats and attacks by using signatures to identify known behaviours is woefully outdated and leaves many potentially exposed to the huge cost of remediation and consumption of huge engineering hours. Recently, NSS Labs performed a Total Cost of Ownership and Effectiveness test across a number of EndPoint Protection vendors. This showed us that a 500-user company can potentially spend $1,250,000 on cleaning up a cyber-security incident. This is a big enough number for any organisation to “lose” and it is sure to rise after this most recent incident.

At AVR International we have championed a move towards analysing behaviours in real time and preventing threats as they occur rather than before they happen. This may sound like a risky approach but when you look at what is actually happening these days it is absolutely the right approach. Having run versions of Wannacrypt myself and looking at the forensics following execution it is frightening to see how quickly this particular threat works, the Ransomware itself seems to have one failing though, it creates new files and encrypts them but doesn’t delete any files until it has finished encrypting. Every piece of Ransomware I have analysed up until now follows a simple pattern, create, write and delete.

This means that if you can stop the Ransomware while executing then you won’t lose any files, the system doesn’t look pretty but you can still carry on working. Many “next generation” vendors will be able to do that and this allows us to not only avoid paying ransoms but allows us to remediate at a more leisurely pace.

One vendor goes further though, SentinelOne is currently the only “next generation” vendor to offer protection and full remediation in a single lightweight, autonomous agent. Moreover, they are the only vendor I am aware of that can say that none of their customers were affected by Wannacrypt. That is some claim to be able to make but as SentinelOne’s only UK Managed Security Service Provider, Custodian360 can also make that claim.

SentinelOne’s powerful Deep File Inspection identifies Wannacrypt in all of its forms before it has a chance to execute meaning you are never at risk.

With support for Windows XP and Windows Server 2003 it would seem to be the obvious choice for EndPoint protection given the current threat landscape.

So obvious in fact that I am running a series of Webinars to demonstrate how Wannacrypt works and what it does when executed, this is an educational webinar in the most. We will demonstrate how SentinelOne remediates and recovers from the threat after executing and we are running these webinars every day, 3pm GMT is the Managed Service offering and 4pm GMT is SentinelOne as an owned solution, to register, just drop us an email at info@custodian360.com

All are welcome and we will discuss the current threat landscape, how we see it changing and where it could go before looking into the forensics of this specific attack and what we can do to not only detect these threats but stop them in their tracks.

Cyber Security is changing at a rate never before seen, don’t let yourself become the one that got left behind as that sitting duck.