Dear Splunk customer,
We hope your organisation has not been affected by WannaCry. Splunk has been providing thought leadership on the detection and prevention of ransomware-type malware for the past couple of years, and in response to this attack, many teams at Splunk have swarmed over the past 24 hours to craft a rapid response. Please let us know if you have questions about the information below, prepared by James Brodsky, Splunk Security SME, and Rich Barger, Director, Splunk Security Research.
On Friday, May 12th 2017, corporate computing systems worldwide saw the largest and possibly most damaging Windows-based ransomware attack seen to date. Companies such as Telefónica in Spain and FedEx in the US reported being affected, and most troubling, several organizations within the UK’s National Health Service suffered an extreme disruption to their ability to provide healthcare as the ransomware spread from machine to machine.
This incident is different from any other because it is a union of the old and new. This implementation has coupled “wormable” self-propagation capabilities as seen in 2003 with the crippling “Denial of Data” effects of 2016.
This goes to show that the weeks-old adage of “ransomware is so 2016” is not only entirely off the mark, but also that ransomware is no joking matter. The detection and prevention of ransomware and other data-destructive malware continues to be one of the most critical cybersecurity priorities in 2017.
Below, we outline details and methods you can use to combat WannaCry and ransomware in general; if you’re a security professional scrambling to raise your defenses further with Splunk, the information should be very timely. If you’d like to discuss with us in real time how to better secure your environment against WannaCry and similar ransomware threats, we invite you to contact your local Splunk sales team or reach out to us so we can help you in the fight against ransomware. If you’re ready to try some hands-on techniques now, visit our Online Demo Experience to practice fighting ransomware in a sandbox with guided exercises in “real threat” scenarios.
Details About the WannaCry Exploit
WannaCry malware is extremely virulent and fast moving, and goes by several other names including “WnCry,” “Wanna Decryptor” and “WannaCrypt0r.” Although the initial infection vector is uncertain at this time, many researchers believe, with near certainty, that it is phishing or a drive-by web download. It then infects further systems by exploiting Microsoft’s “Server Message Block” protocol (SMB).
A previously unknown (zero-day) SMB vulnerability was disclosed through the Shadow Brokers’ purported dump of NSA-curated material on April 14. Microsoft has had patches available for all supported versions of its OS (Vista through Server 2016) since mid-April.
Like most ransomware variants, WannaCry encrypts many different types of data files and then displays a popup informing victims that, in order to get their files back, they must pay the ransom via bitcoin or US dollars.
For additional details on the WannaCry ransomware, check out the Microsoft Security Bulletin MS17-010, and a technical analysis from Cisco Talos and MalwareBytes.
Specific Splunk Guidance for WannaCry
Splunk can be used to help defend against WannaCry, as well as provide early warning of a WannaCry infection, using some general prevention and detection techniques that we will review in the next section.
- If not already 100% compliant, organizations must apply the patches that mitigate MS17-010, which can be found here.
- Organizations should implement and exercise their continuity of operations plan; if they do not have one, they should take time to develop one, since even a modest plan is better than nothing.
- Organizations should implement regular backup mechanisms and test data recovery of assets such as workstations and servers. It is also important to establish increased security and monitoring around such backup architectures to ensure attackers do not also undermine centralized enterprise backup and recovery capabilities.
- Due to the self-propagating nature of this threat, organizations should determine where they might be vulnerable and, if operationally feasible, compartmentalize their network to contain vulnerable assets until they can report 100% patching compliance. Splunk can be used to report on the status of Windows patching activities and on the results of vulnerability scanning. Systems found to be vulnerable should be isolated and patched immediately.
- Organizations might want to consider implementing internal network blocks or disabling the SMB service altogether if operationally feasible. Splunk can be used to ensure that the service stays blocked and is not re-enabled, from either an endpoint or a network perspective.
- Organizations can monitor internal network segments for unusual SMB v1 connections (TCP/139, TCP/445), whether scanning activity or otherwise. You can use Splunk to ingest and report/alert on this data, and/or capture this wire data via Splunk Stream.
- IDS rules have been available as early as 4/18/2017 to detect exploits of MS17-010. Organizations can bring these IDS alerts into Splunk and correlate them against critical asset information.
- Most Windows ransomware tries to delete automatic backups by running “vssadmin”. Organizations can monitor for unusual execution of vssadmin on endpoints via Sysmon and the Universal Forwarder and react to this behavior either manually or automatically via Adaptive Response. Catching this behavior early may prevent further damage.
- Ransomware often drops unusual executables on the system. WannaCry uses the Tor (The Onion Router) executable to communicate with anonymized command-and-control. Organizations can monitor endpoints using the Splunk Universal Forwarder for unusual executables making unusual network communications, and react.
- Ransomware almost always uses unique file extensions that can serve as signatures for early detection. Organizations can set up “canary” boxes or identify a subset of most-likely-targeted machines, and then monitor for the creation of those extensions using the Splunk Universal Forwarder or via wire data. Splunk lookups can be leveraged to pull in updated threat intelligence about new extensions seen in the wild.
- For critical assets (that are not Windows 10), organizations can consider running Microsoft Enhanced Mitigation Experience Toolkit and integrating the data that comes from EMET into Splunk.
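As an added example that is not part of this advisory, the vssadmin check from the list above written as a small Python filter over constructed Sysmon process-creation events in the key=value shape a forwarder might index; the host names, user names and parent process paths are made up, and the field names (EventCode, Image, ParentImage, CommandLine, User) follow common Sysmon conventions. It goes slightly beyond the text by ignoring the non-destructive subcommands (list, create) that legitimate backup tooling issues, so the alert does not drown in noise.

```python
import re
from typing import Dict, List

# Constructed Sysmon EventCode 1 (process creation) events in the key=value shape a
# forwarder might index; hosts, users and parent paths are hypothetical sample data.
SYSMON_EVENTS = [
    'EventCode=1 host=ws-017 User="CORP\\alice" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Users\\alice\\AppData\\Local\\Temp\\dropper-sample.exe" '
    'CommandLine="vssadmin delete shadows /all /quiet"',
    'EventCode=1 host=bk-srv01 User="CORP\\svc_backup" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Program Files\\BackupAgent\\agent.exe" CommandLine="vssadmin list shadows"',
    'EventCode=1 host=ws-017 User="CORP\\alice" Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
    'EventCode=1 host=ws-042 User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Windows\\Temp\\dropper-sample.exe" '
    'CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Subcommands that destroy or starve restore points. Benign backup tooling mostly
# runs "list" or "create", so matching on every vssadmin launch would bury the alert.
DESTRUCTIVE = (
    re.compile(r"\bdelete\s+shadows\b", re.I),
    re.compile(r"\bresize\s+shadowstorage\b", re.I),
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_shadow_deletion(ev: Dict[str, str]) -> bool:
    """True for a process-creation event launching vssadmin with a destructive subcommand."""
    if ev.get("EventCode") != "1":
        return False
    if not ev.get("Image", "").lower().endswith("\\vssadmin.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    return any(p.search(cmd) for p in DESTRUCTIVE)


def alerts(lines: List[str]) -> List[Dict[str, str]]:
    """One record per hit, carrying the context an analyst needs to triage quickly."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_shadow_deletion(ev):
            hits.append({"host": ev.get("host", ""), "user": ev.get("User", ""),
                         "parent": ev.get("ParentImage", ""), "cmd": ev.get("CommandLine", "")})
    return hits
```

The parent image and user in each hit are what separate a backup agent's scheduled job from a dropper running under an interactive user, so they belong in the alert rather than only in a follow-up search.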
The key for detection of ransomware is to find it early and contain it quickly. If, for example, you have unusual network activity to the C2 infrastructure for WannaCry then you could theoretically use an Adaptive Response or a manual process to block that communication so that the ransomware cannot properly execute and cause damage.
The current variant of WannaCry includes a “kill switch” routine which runs before the self-propagation and encryption routines. When WannaCry executes for the first time on a host, it attempts to establish a connection to “http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com”. No secondary files are downloaded; the malware simply attempts the connection, and if it succeeds, the program exits.
This means that if the domain is blocked and the connection fails, the program drops and executes the ransomware component. (Note that this domain has been sinkholed, which has enabled MalwareTech to measure and track infections.)
Organizations might want to consider implementing a local equivalent. By establishing a Response Policy Zone (RPZ) for this domain and redirecting it to an internal, non-production web service, one can deceive the malware into executing its kill-switch routine, thus neutering the threat. By Splunking these web server logs, customers obtain real-time indications and warnings of any infection attempts, allowing them to investigate and conduct root cause analysis without suffering the effects of a data-destructive attack.
There are early indications that the WannaCry framework might be modular, meaning it would be trivial for the WannaCry authors or copycat attackers to deliver follow-on waves of self-propagating malware with different payloads and different effects, not unlike a missile (the delivery vehicle) carrying an interchangeable, purpose-built warhead. It is important for organizations to maintain increased vigilance with agile and adaptable response capabilities due to the fluid nature of this risk.
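The RPZ sinkhole approach described above, as an added example that is not part of this advisory: a Python routine that reads the internal web server's access log (assumed to be in Apache's vhost_combined format, which prefixes each line with the requested virtual host and port) and lists every internal client that performed the kill-switch check. The domain is the one the advisory defangs with brackets; the log lines, timestamps and client addresses are constructed.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# The sinkholed kill-switch domain, written defanged in the advisory above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Apache vhost_combined: %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines from the internal RPZ target host; not real traffic.
SAMPLE_LOG = [
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com:80 10.20.30.41 - - [13/May/2017:09:14:02 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    'intranet.example.local:80 10.20.30.7 - - [13/May/2017:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com:80 10.20.30.41 - - [13/May/2017:09:16:40 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com:80 10.20.31.9 - - [13/May/2017:09:21:17 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    'garbage line that does not parse',
]


def kill_switch_hits(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Map each internal client that reached the sinkhole vhost to first-seen time and hit count.

    Every hit is a machine on which WannaCry ran its kill-switch check: it should be
    isolated and investigated even though the encryption routine never fired.
    """
    hits: Dict[str, Dict[str, object]] = OrderedDict()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("vhost").lower() != KILL_SWITCH_DOMAIN:
            continue  # unparseable, or traffic to a legitimate internal vhost
        rec = hits.setdefault(m.group("client"), {"first_seen": m.group("time"), "count": 0})
        rec["count"] += 1
    return hits
```

Because the sinkhole answers with HTTP 200, the malware exits cleanly, so the access log rather than the endpoint is where the infection attempt becomes visible; the same filter expressed as a Splunk search over those indexed lines gives the alerting the paragraph above describes.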
General Ransomware Combat Using Splunk
Splunk has made expert guidance and materials available, specifically targeted at helping detect and prevent ransomware. In light of the WannaCry attack, it is more important than ever to get educated on best-practice methodologies on detection and prevention, as well as forensic analysis. Don’t Be a Victim.
If you don’t already have a ransomware playbook in place, start today to work toward that end. Implement solutions that provide reliable backup of corporate computing devices, and regularly patch critical, exploitable vulnerabilities. More security-minded organizations should strongly consider behavior-based protection at the endpoint if it’s not already in place.
Splunk can be a key prevention partner, ensuring that these defensive tactics are carried out and alerting when they are not, as well as helping report on and maintain the operation of next-generation endpoint solutions. Just as importantly, Splunk can be used to detect early signs of ransomware infection, allowing organizations to take action before major damage occurs.
Dieco van der Valk