WannaCry: A Debriefing with Tom Roeh

Last week's unprecedented ransomware attack left organizations reeling. ExtraHop systems engineering manager Tom Roeh explains what happened, what we learned, and how customers tapped the power of ExtraHop to respond.

Tom Roeh will be hosting a live webinar about WannaCry and the ExtraHop Ransomware bundle on May 19th at 10:00 AM (PDT): Details and registration are available here

ExtraHop ransomware expert Tom RoehExtraHop ransomware expert Tom Roeh

Let's start with the basics—what happened exactly?

In some respects, WannaCry is a ransomware attack similar to other attacks we've seen over the last year. A machine gets infected and files start getting encrypted. A message pops up on your computer and it says "Hey, You need to pay XYZ amount in Bitcoin in order to get the key back to decrypt your files." In that regard, this attack is not all that different from others. What's unique about WannaCry is how most of these machines got infected. There were no emails or malicious payloads required. WannaCry propagated via a worm, which propagates completely behind the scenes without any end-user interaction.

If it doesn't require anyone opening an infected file, how does it start propagating in the first place?

Let me give you an example—in the ExtraHop office, everyone is on the local network, the LAN, and we're all on the same subnet, so to speak. If one person came into the office with the infection on their machine—and maybe they picked it up when they were on the internet at a coffeeshop—when they connect to the ExtraHop network, the worm will start crawling all the other machines on that network and send packets that infect the machines automatically without any end-user interference. That's what's so dangerous about this attack.

The WannaCry ransomware takes advantage of an underlying vulnerability in Microsoft Windows. This is where it gets interesting. There were a handful of known vulnerabilities in Windows that the National Security Agency (NSA) was aware of. In April of this year, there was a leak in the NSA. A nefarious group called The Shadow Brokers leaked these Windows vulnerabilities, much like Wikileaks does. So it was just a matter of time before someone exploited those vulnerabilities. Under the covers, the WannaCry ransomware makes use of two vulnerabilities, EternalBlue and DoublePulsar. It's the Windows PCs that have not been patched to fix those holes that ended up getting infected.

The prevention approach is to make sure you've patched your Windows machines. But really, once your system gets compromised and your files are encrypted, the only way you're going to get those files back is to pay the ransom, even though there are reports of people paying and still not getting the decryption keys from the bad guys.

Hospitals are major targets for ransomware overall and WannaCry was no different. Why hospitals and not, say, financial organizations?

The data is highly valuable. These days, a healthcare record is much more valuable on the black market than a credit card number. I think a credit card goes for pennies, but healthcare records are worth $30 or $50, or more.

But what's interesting about WannaCry is that, by tracking the Bitcoin receipts associated with it, it ended up not making much money for as big of a splash as it was. The bad guys only made something like a couple hundred grand. If you compare that to the $4 billion in damages done to IT assets, etc, it makes you wonder what the motivations were. Even though it was highly sophisticated and took root via a highly sophisticated vulnerability, there were a lot of sloppy elements to this ransomware variant. So, what was the motivation? Was it purely financial? If it was, they didn't do a very good job. Or was it politically motivated and they are trying to cover their tracks? It's hard to say and obviously, a lot of this is being ferreted out as we speak.

ExtraHop responded to this attack by quickly updating our ransomware bundle. Can you explain?

It's important to note here that the original Ransomware Bundle v1.2.6 we released in early 2016 already had detection capabilities for WannaCry. I made an update to the bundle on Friday in order to make those detection capabilities much more definitive. In security circles, people talk about IOC's, meaning an indicator of compromise. In our world, we equate that to a filename or file extension. I added that on Friday to make the detection more up front and in-your-face. But even without that update, ExtraHop still would have picked it up with our Type Three Detection capabilities. I also added a file pattern to match the ransom note (Type Four Detection).

 

Is there anything about this attack to make ExtraHop rethink its strategy around ransomware prevention?

Well, yes and no. The existing Ransomware Bundle is in use by the vast majority of ExtraHop customers, and has proven time and time again it's ability to provide an accurate early-warning system for ransomware outbreaks. That being said, our security research and data science teams are constantly staying abreast of the latest security threats our customers face. To that end, on Wednesday we released a supplementary bundle that can detect the underlying Microsoft EternalBlue exploit and we'll likely have another supplementary bundle later this week to further assist our customers in remediating the latest threats.

What other ways were ExtraHop customers using the platform to respond to this attack?

Besides our ransomware bundle, our platform tracks all CIFS/SMB activity, so our customers were able to easily see if there were any devices communicating via the SMB v1 protocol that was the vector for this attack. That way, they could make sure that they applied the appropriate patches or disabled that protocol on those machines. Some of our customers also used ExtraHop to see if any computers had called out to WannaCry's "kill switch" URL.

ExtraHop Customer Protected

Several existing customers used ExtraHop to actively track outbound requests to the so-called "kill switch" domains. And as the kill switch domain names have changed throughout the past week, the flexibility of our product has allowed customers to easily modify their dashboards/alerts to continue actively tracking using this method.

Beyond detecting active ransomware activity, we've had customers use our product to quickly identify which machines in their environment are still using the legacy SMBv1 protocol. Note that Microsoft has strongly recommended the complete disabling of this protocol (which can be done via registry changes). We expect to release an additional bundle this week to further assist customers in this effort as well.

ExtraHop systems engineering manager Tom Roeh was instrumental in building our ransomware protection capabilities, which won Best of Citrix Synergy last year.

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.