Don't (W)Cry, You've Got Endgame

Three of the most prominent attack trends in cybersecurity converged today: ransomware attacks, data dumps of nation-state offensive capabilities, and an emergence of the healthcare industry as a leading victim of cyber attacks. The confluence of these trends resulted in a wide-scale ransomware attack that to date has already hit over 70,000 computers in almost 100 countries. These numbers are likely to grow. Most notably, sixteen hospitals in the United Kingdom were locked down today, disrupting or cancelling the majority of services.  The ransomware also impacted several large companies in Spain, including Telefonica, but did not disrupt customer service as it was limited to their internal network.

The attack deployed an exploit called Eternal Blue, which exploits a known Windows vulnerability that was secured in March 2017 by MS17-010. This was recently released in a Shadow Brokers data dump. While it is not yet known who is behind this ransomware attack, it is indicative of the increasing (usually inadvertent) ‘tech transfer’ of nation-state capabilities to other groups. Given the ongoing impact of this ransomware attack, we immediately tested our platform against it. Let’s walk through some details of the ransomware, our layered prevention approach, and how 2017 already seems to be overshadowing 2016 with the continued sophistication and reach of ransomware.

 

Layered Prevention

This WCry ransomware (aka several names, including WanaCryptor and WannaCry), responsible for today’s widespread attack provides a harsh lesson in properly securing systems.  This is a two part problem: lack of proper patching and the continued use of old, insecure versions of Windows, especially in critical infrastructure.  The exposure of so many systems to the MS17-010 vulnerability has enabled this ransomware to propagate rapidly.  Patches should have been applied when the patch was released and especially when it became clear that the Shadow Brokers exploit was mitigated by the patch.   But, some couldn’t patch.  Microsoft, for perfectly reasonable business reasons, no longer supports legacy OS versions, most notably XP.  Sadly, these versions are still in production on millions of computers globally.  Microsoft took the unusual (and necessary) step of providing a patch against MS17-010 the evening this attack broke out.  Organizations who didn’t or couldn’t patch before should be urgently scrambling to patch now.  

As this ransomware attack demonstrates, patch management too often is insufficient.  This occurs for numerous reasons, including concerns over disruption to business processes, difficulty maintaining an accurate inventory of assets, or, as mentioned above, a perceived or real need to keep legacy systems in production. Because of this, defenses must be in place which can reliably and consistently block a wide range of attacks, including those which can take advantage of a new vulnerability and spread rapidly such as this one. A layered prevention approach protects enterprises from ransomware and other forms of targeted attacks.  Organizations need effective defenses against exploitation, malware and fileless attacks, and malicious behaviors all operating in parallel.  In addition, these layers must be effective in detecting never-before-seen attacks.  As we’ve seen time and time again, signature-based defenses can’t compete against motivated and sophisticated attackers. This reality forms the foundation of Endgame’s zero-breach tolerance approach to defending customer networks.  

 

Preventing the Attack

Traditional signature-based AVs are generally ineffective against novel, emergent attacks such as this one.  Financially-motivated attackers know this and operate accordingly. The WCry dropper file (24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c) was not broadly detected by antivirus programs the morning of May 12 when the outbreak began to spread.  This surely played a role in its “success” from the view of the adversary.  

However, Endgame’s MalwareScore™, and its machine-learning based approach to detection, can stop this attack in its tracks. With MalwareScore™, prevention is in place with no prior knowledge of the WCry malware itself, protecting customers at the outset of the attack. Always wary of exaggerated claims about how AI and machine learning can solve every security problem in the industry, we know machine-learning itself is not a silver bullet. But when applied correctly, it is a powerful tool for the defender to battle widespread attacks such as today’s ransomware attack.

Why does machine learning do better in detecting new, never-before-seen malware? Machine learning is better at generalizing at scale than humans. Computers are very good at finding small distinguishing patterns across millions of malware samples and then recognizing those patterns in unknown samples. These patterns are analogous to human-derived signatures, except that they apply to far more samples than a signature for a particular sample, allowing a classifier to better predict new malware. As the image below demonstrates, MalwareScore™ successfully detected WCry. Endgame’s core engine is available in VirusTotal if you want to test it out for yourself.

 

Malware Prevention End User Popup Notification for the WCry dropper

 

However, no malware detection capability is perfect.  If anyone tells you they will detect all current and future malware through machine learning alone, they are lying.  This is why layered preventions are important.  So what if this particular dropper or follow-on files don’t get stopped by your malware defenses?   

If allowed to run, the dropper will write multiple files to disk and execute the ransomware encryptor functionality under two separate contexts: one as a child process to a command shell running under services.exe and another as a child process of the dropper under Windows Explorer.

 

WCry Dropper Process Tree

 

WCry Service Process Tree

 

On systems where malware prevention is not enabled, or if a variant emerged which is in the 1% of malware not detected by MalwareScore™, Endgame’s ransomware protection feature is in place to stop ransomware attacks.  This feature, which we will describe in detail in an upcoming post, monitors dozens of aspects of all system processes in real-time.  Very shortly after ransomware activity kicks off, threads associated with the ransomware activity are suspended, protecting critical data on customer machines.

We tested this on a machine protected by Endgame with MalwareScore™ prevention turned off.  As expected, our ransomware prevention feature detects the malicious activity immediately after it begins.  Critical data on these systems is protected.

 

Ransomware Protection End User Popup Notification for WCry

 

Conclusion

Over the following days and weeks, we are likely to better grasp the extent and impact of WCry, which has spread outside of Europe and into Asia as of this writing. These kinds of targeted and widespread attacks can be very lucrative, and until that changes, they are likely to become more common as well.  Layered behavioral preventions are necessary to stop these ransomware attacks, and modern attacks in general which are increasingly targeted.  They are especially necessary to stop the sort of attack we see unfold today within the UK NHS and elsewhere.  This particular attack has been enabled by an unfortunate proliferation of suspected nation-state level capabilities combined with poor patching practices.  As this worm propagation continues, keep in mind that the payload of this attack is preventable with the right defenses.  

Note: This was updated on May 13th. At this time, the ransomware has propagated to almost 100 countries, including 45 hospitals in the UK alone.