Palo Alto Networks protects against WanaCrypt0r and other ransomware attacks
by jdelio 05-16-2017 09:37 AM - edited 05-16-2017 02:00 PM
If you have been paying any attention to the news about the ransomware attacks that have been popping up lately, you will have noticed one called "WannaCry" or "WanaCrypt0r". This one has been aggressive in its attack, using the SMB protocol and exploiting the EternalBlue vulnerability (CVE-2017-0144) on Microsoft Windows systems.
Microsoft has published details about the WanaCryp0r attacks here:
Threat Prevention – Enforces IPS signatures (content release 688-2964) for the SMB vulnerability exploit (CVE-2017-0144 – MS17-010) used in this attack. Threat Prevention has also deployed anti-malware signatures, which customers can reference on ThreatVault - https://threatvault.paloaltonetworks.com (threat names: "Trojan-Ransom/Win32.wanna.a" and "Trojan-Ransom/Win32.wanna.b").
AutoFocus – Used to track this threat's activity via the tag WanaCrypt0r.
GlobalProtect – Extends the WildFire and Threat Prevention protections to remote users. For more information about GlobalProtect and how to configure it, please see the GlobalProtect resource guide.
LightCyber Magna – Detects WanaCrypt0r encrypting mapped network drives, its command and control (C2) communications, and its running processes on endpoints. Magna can enforce blocks of compromised machines through native integration with Palo Alto Networks Next-Generation Firewalls. Magna Pathfinder can also terminate WanaCrypt0r processes on endpoints.
As far as what else can be done, here are 8 ways that you can help protect yourself from WannaCry and other ransomware:
Always install the latest Security Updates – It goes without saying that you should stay updated, as vulnerabilities are found and patched almost daily. By keeping your machine updated, you prevent those vulnerabilities from remaining a risk on your machine.
Disable SMB – The SMB in question is Server Message Block version 1 (SMBv1). It goes without saying that if you are not using SMBv1 inside your network, please disable it. To disable SMBv1, follow these 4 steps:
1. Inside the Windows Control Panel, click "Programs".
2. Open "Features" and click "Turn Windows features on or off".
3. Scroll down to find "SMB 1.0/CIFS File Sharing Support" and uncheck it.
4. Click OK, close the Control Panel and restart the computer.
Enable hardware or software Firewalls and block SMB ports – It is vitally important to always have a firewall enabled. If you do use SMB inside your network, you can configure your firewall to block access to the SMB ports from the Internet. SMB operates on TCP ports 137, 139 and 445, and UDP ports 137 and 138.
Use an AntiVirus program – Again, a very simple point: keep your AntiVirus of choice running and updated.
Be cautious of Unknown Emails, Websites or Apps – Most ransomware uses phishing emails to get users to click on links or open attachments. Always use caution when viewing unsolicited documents or links.
Back up your files regularly – This is always a great idea: whether your hard drive dies or you are hit with ransomware, you will have something to go back to.
Keep up to date on your security knowledge – Cyberattacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac, appear in the news every day. The more you follow these developments, the more aware you will be of new vulnerabilities and of ways to prevent or avoid them.
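The "Disable SMB" and "block SMB ports" steps above can be applied from an elevated PowerShell session instead of the Control Panel. The script below is an added example for this post; it is not Palo Alto Networks code and is not from the original post. It assumes Windows 8.1/10 or Windows Server 2012 R2 or later, where the Get-WindowsOptionalFeature, Set-SmbServerConfiguration and New-NetFirewallRule cmdlets exist, and it uses the port numbers listed in the post. The firewall rule names are made up for this example, and the rules block SMB traffic only to and from addresses outside the local subnets so that file sharing on the LAN keeps working.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): report SMBv1 state, disable it,
# and block the SMB/NetBIOS ports the post lists at the Windows host firewall.
# Assumption: Windows 8.1/10 or Server 2012 R2+ (these cmdlets are not on Windows 7).

# 1. Report the current SMBv1 state (optional feature and server-side setting).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration
Write-Host "SMB1Protocol feature state : $($feature.State)"
Write-Host "Server EnableSMB1Protocol  : $($server.EnableSMB1Protocol)"

# 2. Disable SMBv1 (same outcome as unchecking 'SMB 1.0/CIFS File Sharing Support').
if ($feature.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
if ($server.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Block SMB/NetBIOS ports to and from the Internet at the host firewall.
#    Port numbers are the ones the post lists. 'Internet' is the Windows Firewall
#    address keyword for everything outside the local subnets, so LAN file sharing
#    is unaffected. Inbound rules match on the local port, outbound on the remote port.
$smbPorts = @(
    @{ Protocol = 'TCP'; Ports = @(137, 139, 445) },
    @{ Protocol = 'UDP'; Ports = @(137, 138) }
)
foreach ($entry in $smbPorts) {
    foreach ($direction in 'Inbound', 'Outbound') {
        $name = "Block SMB $($entry.Protocol) $direction (example hardening rule)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        $rule = @{
            DisplayName   = $name
            Direction     = $direction
            Protocol      = $entry.Protocol
            RemoteAddress = 'Internet'
            Action        = 'Block'
            Profile       = 'Any'
        }
        if ($direction -eq 'Inbound') { $rule.LocalPort = $entry.Ports } else { $rule.RemotePort = $entry.Ports }
        New-NetFirewallRule @rule | Out-Null
    }
}

# 4. Show the resulting state so the change can be verified before rebooting.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Block SMB *' | Select-Object DisplayName, Direction, Enabled, Action
Write-Host "A restart is required for the SMB1Protocol feature removal to take effect."
```

Run it once per host and reboot afterwards, as the post's step 4 says; the final two commands show that SMBv1 is off and the four block rules are present. On hosts that still need SMB shares from the Internet (which is rarely a good idea), drop the inbound rules and keep the outbound ones.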
As always, we welcome comments and feedback in the comments section below.