Preventing the Next WannaCry
By BUFFERZONE Team, 7/06/2017
The recent WannaCry worldwide ransomware attack seems to have been successfully stopped for now. But what about the next similar attack?
Earlier this month (May 2017), organizations worldwide were infected by a widespread attack by ransomware known as WannaCry. The ransomware rapidly spread among vulnerable computers via SMB, a standard networking protocol for sharing files and other resources between computers. WannaCry blocked access to files on infected computers, demanding a ransom to be paid in order to unlock them. The ability of many organizations such as Britain’s National Health Service, Spain’s Telefonica and FedEx to conduct business and provide services was impacted.
WannaCry took advantage of a Windows SMB vulnerability (CVE-2017-0144) that had been publicly revealed only two months before, as part of the Vault 7 WikiLeaks leak of documents allegedly belonging to the CIA and NSA. Those documents detailed the agencies’ cyber attack capabilities, ranging from iOS and Android exploits through browsers and operating systems all the way to smart TVs and some car systems. Only a few days later, on March 14th, Microsoft released a security patch (MS17-010) to address the vulnerability. However, organizations that did not install the security patch remained vulnerable.
On April 14th, the Shadow Brokers hacker group released the EternalBlue attack vector that exploited the vulnerability. On May 12th, EternalBlue was used to spread and deliver, as its payload, the WannaCry ransomware. It spread rapidly through several key infrastructure sites in Europe, and it is currently estimated that around 300,000 computers in hundreds of corporate, educational, and governmental organizations throughout more than 150 countries have been infected.
Conventional Defense: Perimeter and Internal
Much of the security community’s current discussion centers on the main lesson from this attack: the importance of keeping operating systems and other software up to date with their vendors’ latest security patches. Had the affected organizations been more diligent with their update policies, they could have averted the attacks. The attack also highlighted the importance of frequent backups – at least two distinct backups, and preferably one additional backup somewhere off-site in case of natural disaster.
These are certainly good practices to follow. However, can we assume that security patches will be able to prevent all attacks? Do we really want to rely on Microsoft to identify every vulnerability and anticipate every attack? What happens when attackers find a vulnerability that Microsoft isn’t aware of, or in other software?
According to the US Department of Homeland Security, maintaining up-to-date software can prevent “as many as 85 percent of targeted attacks”. Even ignoring the fact that the referenced source is a CCIRC page that in turn references an Australian source relying on data from 2011 (!) – what happens when you end up in the other 15 percent?
So far we’ve focused on perimeter defense – trying to keep threats from penetrating our networks. As we’ve seen, those defenses are flawed. So, the next layer to consider is the targeted computers themselves. Can we protect our endpoints from attacks that are likely to reach them?
Conventional endpoint defense tries to identify malware by known files or code sections, or, with more advanced antimalware products, by suspicious behavior. However, the limitations here are obvious. Signature-based identification can’t protect against new malware variants, which the attackers are smart enough to produce – in fact, an early version of WannaCry (identified in February 2017) had a known code section from previous known malware (a Lazarus APT from 2015), but the attackers were smart enough to remove it from the variant they used in May.
As for behavior-based antimalware products, they depend on specific behavior patterns that are not easily defined, can be avoided by attackers, and are often exhibited only once damage is already being done. Not to mention, they tend to produce high rates of false positives, since malware behavior is not easily differentiated from legitimate behavior.
The bottom line is that once in the network, smart attackers can easily evade being identified by antimalware products.
A New Defense Paradigm: Isolation
Defense against ransomware and other types of malware must be proactive. And the only way to definitively protect valuable resources from unknown attacks is by isolating them from infectable areas. This is exactly what BUFFERZONE does: it creates a virtual container on organizational endpoints, and all processes that could access external, untrusted sources such as the internet are kept in the container, along with any data they download or save. At the same time, only uncontained processes can access trusted organizational resources. The container is periodically wiped clean.
So, for example, if WannaCry had somehow reached an endpoint protected by BUFFERZONE from the internet, it would only have been able to run in the container, and only to access contained files. This means that it would have encrypted and locked, at most, recently downloaded files. In addition, if BUFFERZONE’s collaboration feature had been configured with its recommended Secure Bridge (rather than the alternative unsecured bridge), the ransomware would not have been able to propagate to any other computer. And when the container was wiped, the ransomware would have been gone, along with any other malware that might have arrived from outside the organization.
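The policy model described in the two paragraphs above, as an added illustrative simulation (this is not BUFFERZONE’s own code; the zone and label names, the two-zone file store and the sample files are assumptions constructed for the example):

```python
# Toy model of endpoint isolation (added example, not BUFFERZONE's implementation).
# A process is CONTAINED if it talks to untrusted sources (e.g. the internet),
# otherwise UNCONTAINED. Every file lives in the CONTAINER or the TRUSTED store.
from dataclasses import dataclass, field

CONTAINED, UNCONTAINED = "contained", "uncontained"
CONTAINER, TRUSTED = "container", "trusted"


@dataclass
class Endpoint:
    container: dict = field(default_factory=dict)  # data downloaded or saved by contained processes
    trusted: dict = field(default_factory=dict)    # organizational resources

    def _store(self, zone):
        return self.container if zone == CONTAINER else self.trusted

    @staticmethod
    def allowed(label, zone):
        """Policy: contained processes see only the container;
        uncontained processes see only trusted resources."""
        return zone == (CONTAINER if label == CONTAINED else TRUSTED)

    def write(self, label, zone, name, data):
        if not self.allowed(label, zone):
            return False  # denied by policy, nothing happens
        self._store(zone)[name] = data
        return True

    def encrypt_everything(self, label):
        """Ransomware-style behaviour: overwrite every file it can reach.
        Returns the files it actually managed to damage."""
        damaged = []
        for zone in (CONTAINER, TRUSTED):
            for name in list(self._store(zone)):
                if self.write(label, zone, name, b"ENCRYPTED"):
                    damaged.append(f"{zone}/{name}")
        return damaged

    def wipe_container(self):
        self.container.clear()  # periodic wipe removes anything that arrived from outside


def simulate(ransomware_label):
    """Constructed scenario: one trusted file, one downloaded attachment, then ransomware."""
    ep = Endpoint()
    ep.write(UNCONTAINED, TRUSTED, "payroll.xlsx", b"salaries")
    ep.write(CONTAINED, TRUSTED, "invoice.doc", b"macro")    # browser is contained: denied
    ep.write(CONTAINED, CONTAINER, "invoice.doc", b"macro")  # lands in the container instead
    damaged = ep.encrypt_everything(ransomware_label)
    ep.wipe_container()
    return damaged, dict(ep.trusted), dict(ep.container)
```

Running `simulate(CONTAINED)` shows the contained ransomware damaging only the downloaded file, which the wipe then removes; `simulate(UNCONTAINED)` models the same code running without containment and reaching the trusted store.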
In fact, at one of the largest banks in Europe, security experts tested BUFFERZONE by intentionally infecting a computer with WannaCry. BUFFERZONE successfully contained the attack so that the ransomware was unable to encrypt and lock any files outside the container.
The following sources were used, in addition to sources linked above and other publicly available sources.
WannaCrypt ransomware worm targets out-of-date systems, on Microsoft TechNet, 12/5/17
WannaCry ransomware attack, on Wikipedia, retrieved 29/5/17
John Carlin, The ‘WannaCry’ ransomware attack could have been prevented, on CNBC, 17/5/17
Kaspersky Lab Global Research & Analysis Team (GReAT), WannaCry and Lazarus Group, on Securelist.com, 15/5/17