WannaCry Ransomware Prevention

L0 Member


Hi,

 

Are there any recommendations on blocking this exploit via Traps 4.0?

 

Thanks

L0 Member

Re: WannaCry Ransomware Prevention

Dear PAN team,

 

How about protection against these newly discovered ransomware families:

 

1. WannaCry

http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html

 

2. Jaff

http://thehackernews.com/2017/05/decrypt-jaff-ransomware-files.html

 

Does Palo Alto Networks provide protection against this new ransomware?

 

I can't find any signatures of this ransomware in PAN threat vault.

 

TQ

L4 Transporter

Re: WannaCry Ransomware Prevention

@ADias @azman_ansar

Traps will block Wcry or WannaCry using Local Analysis (when there is no connection to ESM) or via WildFire if the connection to ESM is established, using only the default policies.

 

If you want to put specific restrictions in place, you can also create a malware restriction policy (Policies > Malware > Restrictions) for the following file paths:

%AppData%\@WanaDecryptor@.exe
%AppData%\wanacry.exe
%homedrive%\@WanaDecryptor@.exe
%homedrive%\wanacry.exe
%Local%\@WanaDecryptor@.exe
%Local%\wanacry.exe
%LocalLow%\@WanaDecryptor@.exe
%windows%\wanacry.exe
%windows%\@WanaDecryptor@.exe
%userprofile%\Desktop\wanacry.exe
%userprofile%\Desktop\@WanaDecryptor@.exe
%LocalLow%\wanacry.exe
*.wncry.
@WanaDecryptor@.exe
wcry.exe
wanacry.exe

 

For further information on the IOC paths above: https://otx.alienvault.com/pulse/5916314d827e24047d7007d9/

 

Also, if you don't have it already, I would advise blocking executables from running from any of the following locations: %AppData%, %LocalAppData%, %temp%.

 

Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to run from these locations, as this is typical malware behaviour, ransomware in particular.

A notable behaviour of several ransomware families, including Cryptolocker, is to run the executable from %AppData%, %LocalAppData% or %temp%, and it is no different with WannaCry.

 

Another thing you can do is prevent malicious DLL loading by using DLL Hijacking Protection (EPM).

Background

Some of the recent attacks use a different attack method: they load DLLs (by using exploits, macros or other scripts) as the delivery method for the malicious code.

Traps can block the loading of DLLs by certain processes from certain locations on the system, and this can be used to prevent attacks that rely on malicious DLL loading.

 

Instructions

 

Create 2 DLL Hijacking Protection rules:

  1. Make sure the following processes are added to the 'Process Management' screen and are defined as 'protected'.
  2. Protected processes: cscript.exe, wscript.exe, mshta.exe. Load Blacklist: '*\System\ado*;*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*'
  3. Protected process: rundll32.exe. Load Blacklist: '*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*;*\Appdata\Local\Temp\*'

 

Make sure to set the other attributes ('No Current Dir Load', 'No Remote Load', 'No Removable Drive Load') to off. Changes to the 'Load Exclusions List' should be made only with help from Palo Alto Networks support.

 

These rules are not part of the Traps 4.0 default policy (under content update 13), since they are more prone to creating false events in certain environments. If these rules are in use and they create false positive events, it is highly recommended to whitelist the folder or DLL being loaded, or to remove the rule from the associated process.

  

I hope this helps.
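As an added illustration (not code from the post above or from Palo Alto Networks), the Python script below models the three controls the post describes as an offline check you can run over endpoint telemetry: the path-based malware restriction list, the "no executables from %AppData%/%LocalAppData%/%temp%" rule, and the two DLL Hijacking Protection load blacklists. It assumes expansions of the Traps-style placeholders for a sample user `alice` (Traps resolves these per endpoint), uses a representative subset of the restriction list, treats restriction entries without a backslash as file-name matches, and treats the restricted folders as including their subfolders; the sample events are constructed, not real telemetry. Everything is compared case-insensitively, as Windows paths are.

```python
import fnmatch
import ntpath

# Assumed expansions of the Traps-style placeholders used in the post, for a
# sample user "alice". Constructed for this offline example only.
PLACEHOLDERS = {
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%Local%": r"C:\Users\alice\AppData\Local",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
    "%LocalLow%": r"C:\Users\alice\AppData\LocalLow",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%userprofile%": r"C:\Users\alice",
    "%windows%": r"C:\Windows",
    "%homedrive%": "C:",
}

# Restriction entries copied from the post (representative subset; the rest of
# the list can be pasted in the same form). Entries without a backslash are
# matched against the file name only (an assumption about Traps semantics).
RESTRICTED_PATHS = [
    r"%AppData%\@WanaDecryptor@.exe",
    r"%AppData%\wanacry.exe",
    r"%homedrive%\wanacry.exe",
    r"%Local%\@WanaDecryptor@.exe",
    r"%windows%\wanacry.exe",
    r"%userprofile%\Desktop\@WanaDecryptor@.exe",
    "@WanaDecryptor@.exe",
    "wcry.exe",
    "wanacry.exe",
]

# Folders from which no executable should run (assumed to include subfolders).
RESTRICTED_FOLDERS = ["%AppData%", "%LocalAppData%", "%temp%"]

# DLL Hijacking Protection rules from the post: protected process -> load blacklist.
_SCRIPT_HOST_BLACKLIST = [r"*\System\ado*", r"*\Windows\temp\*",
                          r"*\Downloads\*", r"*\Temporary Internet Files\*"]
DLL_LOAD_BLACKLIST = {
    "cscript.exe": _SCRIPT_HOST_BLACKLIST,
    "wscript.exe": _SCRIPT_HOST_BLACKLIST,
    "mshta.exe": _SCRIPT_HOST_BLACKLIST,
    "rundll32.exe": [r"*\Windows\temp\*", r"*\Downloads\*",
                     r"*\Temporary Internet Files\*", r"*\Appdata\Local\Temp\*"],
}


def expand(pattern: str) -> str:
    """Lower-case a pattern and replace each placeholder with its assumed path."""
    out = pattern.lower()
    for key, value in PLACEHOLDERS.items():
        out = out.replace(key.lower(), value.lower())
    return out


def restricted_exe_match(exe_path: str):
    """Return the restriction entry or folder an executable path hits, else None."""
    path = exe_path.lower()
    name = ntpath.basename(path)
    for entry in RESTRICTED_PATHS:
        pattern = expand(entry)
        subject = path if "\\" in pattern else name  # full path vs file name only
        if fnmatch.fnmatchcase(subject, pattern):
            return entry
    for folder in RESTRICTED_FOLDERS:
        root = expand(folder).rstrip("\\") + "\\"
        if path.startswith(root):  # anywhere under the folder counts
            return folder
    return None


def blocked_dll_load(process: str, dll_path: str):
    """Return the blacklist pattern a DLL load hits for a protected process, else None."""
    rules = DLL_LOAD_BLACKLIST.get(ntpath.basename(process).lower())
    if not rules:
        return None  # process is not covered by these rules
    path = dll_path.lower()
    for pattern in rules:
        if fnmatch.fnmatchcase(path, pattern.lower()):  # '*' spans backslashes
            return pattern
    return None


# Constructed sample telemetry: (event kind, process, path).
SAMPLE_EVENTS = [
    ("exec", "explorer.exe", r"C:\Users\alice\AppData\Roaming\wanacry.exe"),
    ("exec", "explorer.exe", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ("exec", "explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe"),
    ("dll", "rundll32.exe", r"C:\Users\alice\AppData\Local\Temp\payload.dll"),
    ("dll", "wscript.exe", r"C:\Program Files\Common Files\System\ado\msado15.dll"),
    ("dll", "rundll32.exe", r"C:\Windows\System32\shell32.dll"),
]


def evaluate(events):
    """Apply the exec restrictions or DLL blacklist to each event; returns (kind, process, path, hit)."""
    verdicts = []
    for kind, process, path in events:
        hit = restricted_exe_match(path) if kind == "exec" else blocked_dll_load(process, path)
        verdicts.append((kind, process, path, hit))
    return verdicts


if __name__ == "__main__":
    for kind, process, path, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'BLOCK' if hit else 'allow':5} {kind:4} {process:13} {path}  ({hit})")
```

The DLL check makes the false-positive caveat from the post concrete: the `*\System\ado*` entry also matches the legitimate ADO provider path under `Common Files`, so a script host that genuinely needs ADO would need that folder whitelisted rather than the rule dropped.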

L1 Bithead

Re: WannaCry Ransomware Prevention

Hi Guys,

 

I've tried Traps 4.0 with default policies and content 14 in a Windows 7 VM with a WannaCry .exe sample.

Traps successfully blocks WannaCry even without ESM communication (without WildFire, in this case)!

 

So, all Traps customers are safe by default.

 

Regards,

Paulo Raponi

L1 Bithead

Re: WannaCry Ransomware Prevention

@pauloraponi do you have local wildfire analysis enabled? or which EPM or MPM detected it? Thanks!

L1 Bithead

Re: WannaCry Ransomware Prevention

I've tested with all ESM default policies.

 

I disabled my VM (agent) communication with the external network. So, Traps is blocking WannaCry using Local Analysis.
