The WannaCry ransomware started to hit companies worldwide this past Friday (12 May 2017), setting off a wave of panic about how to respond. The reality is that this attack will continue to proliferate, and it will likely command attention from CISOs, boardrooms and the media for weeks to come. It was first reported hitting companies in Europe and Asia on Friday, and to date it has infected over 200,000 systems in 150 countries.
The reality is that this attack exploits a known Windows vulnerability: a flaw in the SMBv1 implementation (CVE-2017-0144) that Microsoft addressed in MS17-010 and that the leaked EternalBlue exploit targets. Because WannaCry uses it to spread as a worm over TCP port 445 with no user interaction, the impact is particularly severe if the infection is not detected quickly. In the wake of WannaCry, unpatched production systems, especially any that are reachable on port 445, are at particularly high risk right now.
Microsoft issued the MS17-010 bulletin and patches for all supported Windows versions back in March, and after the outbreak took the unusual step of releasing an emergency patch for out-of-support versions as well, including Windows XP, Windows 8 and Windows Server 2003. A patch alone does not ensure that your organization is protected against future strains of WannaCry or any other advanced ransomware-class attack. What is more interesting (concerning, actually) is that so many endpoints remain completely at risk when the patch has existed for two months.
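Before anything else, a practitioner wants to know which hosts are still exposed. The script below is an added example, not code from the original post or from CounterTack; it checks a single Windows host for the MS17-010 update, for SMBv1 being enabled, and for port 445 listening, and it assumes an elevated PowerShell 4 or later session on Windows 8.1 / Server 2012 R2 or newer (the registry fallback covers Windows 7 / Server 2008 R2). The KB numbers are those listed in the MS17-010 bulletin; confirm them against the bulletin for your exact build and servicing branch, since later cumulative updates supersede them on Windows 10.

```powershell
# Added example (not from the original post): MS17-010 / SMBv1 exposure check for one host.
# Assumptions: elevated PowerShell 4+; Get-SmbServerConfiguration and Get-NetTCPConnection
# exist on Windows 8 / Server 2012 and later, so older hosts fall back to the registry.
# KB list taken from the MS17-010 bulletin; verify it against the bulletin for your build.
# Windows 10 1703 and later ship with the fix in the base build and will show no KB here.

$ms17010Kbs = @(
    'KB4012598',               # Vista, Server 2008, and the out-of-band XP / Server 2003 / Windows 8 patch
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Patched {
    # A missing KB on an up-to-date Windows 10 host is not conclusive because later
    # cumulative updates supersede these; treat the result as "needs a closer look".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $ms17010Kbs -contains $_ })
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 is on unless this value is explicitly 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Port445Listening {
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    # Fallback for older hosts: parse netstat output.
    return [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')
}

$patched = Test-Ms17010Patched
$smb1    = Test-Smb1Enabled
$port445 = Test-Port445Listening

# One row per host; collect these across the fleet to find the machines that matter.
[PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    MS17010Installed = $patched
    SMB1Enabled      = $smb1
    Port445Listening = $port445
    Exposed          = (-not $patched) -and $smb1 -and $port445
}

# If a host is exposed and cannot be patched immediately, disable SMB1 and block 445
# at the perimeter. Windows 8.1 / Server 2012 R2 and later:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 7 / Server 2008 R2 (reboot required):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
```

Run it through your remote-execution tooling of choice and sort on the `Exposed` column; a host that is unpatched but has SMB1 disabled is not reachable by EternalBlue, while a patched host with SMB1 still enabled is safe from WannaCry but still carries an obsolete protocol worth turning off.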
CounterTack can help here. We use behavior-based detection, rather than relying on signatures or other indicators of already-known threats, to help security teams rapidly detect WannaCry and act decisively to stop it before it fully executes. We are focused on keeping businesses resilient in the face of swift-moving attacks like this.
As the two images below from our Endpoint Threat Platform show, we combine frequency analysis, behavioral analytics and indicators to assess the threat level and convict the activity as WannaCry.
A dynamic conviction mechanism then stops the threat by terminating the malicious processes, denying access to and execution of the malicious files, and quarantining the endpoint so the infection cannot spread over the network.
The analyst is left with a detailed view of the attack artifacts for further analysis, allowing incident response and hunt teams to trace the root cause.
Our goal with a threat like this is to let organizations recover from the attack without completely rebuilding or reimaging their systems, and to reduce the overall impact as quickly as possible.