If you have been paying any attention to the news about ransomware attacks that have been popping up lately, you will have noticed one called “WannaCry” or “WanaCrypt0r”. This one has been aggressive in its attack, spreading over the SMB protocol and exploiting the EternalBlue vulnerability (CVE-2017-0144) on Microsoft Windows systems.
Microsoft has published details about the WanaCrypt0r attacks here:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
The good news is that the Palo Alto Networks Next Generation Security Platform automatically created, delivered and enforced protections to defend against this attack.
Our very own Threat Prevention group has a blog covering this topic here:
UPDATED: Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks
The Live Community team would like to help provide all the information needed to help configure your Next Generation Firewalls to be secure from attacks.
Palo Alto Networks can help prevent this ransomware attack with the following technologies:
- WildFire – Automatically detects and blocks malicious content from being delivered to users.
Please see the following links about WildFire: Submit Files for WildFire Analysis, WildFire Configuration, Testing, and Monitoring, How to Configure WildFire and View Logs (Video)
- Threat Prevention – Enforces IPS signatures (content release: 688-2964) for the SMB vulnerability exploit (CVE-2017-0144 – MS17-010) used in this attack. Threat Prevention also deployed anti-malware signatures, which customers can reference on ThreatVault - https://threatvault.paloaltonetworks.com (includes threat names: “Trojan-Ransom/Win32.wanna.a” and "Trojan-Ransom/Win32.wanna.b”).
- URL Filtering – Monitors the URLs users visit so that protections can be enforced when a suspicious URL is requested. Please see the following links about configuring URL filtering: Advanced URL Filtering, How to Configure URL Filtering
- DNS Sinkholing – By detecting DNS lookups for malicious domains, DNS Sinkhole can essentially “trap” potentially dangerous traffic and reveal which internal hosts attempted the lookup. Please see the following links for more information: How to Configure DNS Sinkhole, How to Verify DNS Sinkhole Function is Working, Video Tutorial: How to Configure DNS Sinkhole
- Traps – Endpoint protection that helps prevent the execution of unwanted malware. Our Traps group has released their own blog describing how Traps protects against WannaCry here: Traps Protections Against WanaCrypt0r Ransomware Attacks
For more information about Traps, please visit the Endpoint articles here: Endpoint-Articles or view and participate in the Discussion area here: Endpoint-Traps-Discussions.
- AutoFocus – Used to track this attack campaign via the tag WanaCrypt0r
- GlobalProtect – Extends the protection from WildFire and Threat Prevention protections to remote users. For more information about GlobalProtect and how to configure it, please see the resource guide here: GlobalProtect resource guide
- LightCyber Magna – Detects WanaCrypt0r encrypting mapped network drives, its command and control (C2) communications, and its running processes on endpoints. Magna can enforce blocks of compromised machines through its native integration with Palo Alto Networks Next-Generation Firewalls. Magna Pathfinder can also terminate WanaCrypt0r processes on endpoints.
The following article describes in detail how to configure ransomware prevention:
Best Practices for Ransomware Prevention
Other ways to protect yourself
As far as what else can be done, here are 8 ways that you can help protect yourself from WannaCry and other ransomware:
- Always install the latest Security Updates – It goes without saying that you should stay updated, as vulnerabilities are found and patched almost daily. By keeping your machine updated, you prevent those vulnerabilities from being a risk on your machine.
- Patch SMB vulnerability – Microsoft has released specific SMB patches to protect against this attack here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx Microsoft has even gone so far as to release SMB patches for unsupported versions of Windows (Windows XP, Vista, Server 2003 and Server 2008) here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ Note: Windows 10 users are not vulnerable to this SMB vulnerability at this time.
- Disable SMB – The SMB in question is Server Message Block version 1 (SMBv1). It goes without saying that if you are not using SMBv1 inside of your network, please disable it. To disable SMBv1, follow these 4 steps:
1. Inside the Windows Control Panel, click ‘Programs’
2. Open ‘Features’ and click ‘Turn Windows Features on and off.’
3. Now scroll down to find ‘SMB 1.0 /CIFS File Sharing Support’ and uncheck it.
4. Click OK, close control panel and restart the computer.
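The same change can be audited and applied from PowerShell, which is handier when you have more than a handful of machines to check. The script below is an added example written for this post, not a Palo Alto Networks tool or a Microsoft-supplied script. It assumes an elevated prompt on Windows 8.1/10 or Server 2012 R2 and later (where the DISM and SmbShare cmdlets exist); for Windows 7 / Server 2008 R2 it falls back to the registry value Microsoft documents for turning off the SMBv1 server.

```powershell
# Added example (not from the original post): audit and disable SMBv1 from PowerShell.
# Assumes an elevated prompt. Cmdlets used are standard Windows ones: DISM
# (Get/Disable-WindowsOptionalFeature) and SmbShare (Get/Set-SmbServerConfiguration).
#Requires -RunAsAdministrator

$Smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Report the current SMBv1 state before changing anything (keep this output as audit evidence).
function Get-Smb1Status {
    $featureState = 'n/a'
    $serverSmb1   = 'n/a'

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $featureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: SMB1 value absent or 1 means the SMBv1 server is enabled.
        $reg = Get-ItemProperty -Path $Smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue
        $serverSmb1 = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FeatureState      = $featureState   # 'Enabled' / 'Disabled' on 8.1+/2012 R2+
        ServerSmb1Enabled = $serverSmb1
    }
}

# Disable SMBv1 at both layers: the server protocol switch (effective immediately) and the
# optional feature, which removes the SMBv1 client and server binaries at the next restart.
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $Smb1RegPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Write-Host 'Before:'
Get-Smb1Status | Format-List
Disable-Smb1
Write-Host 'After (feature removal completes at the next restart):'
Get-Smb1Status | Format-List
```

Run it once with only the `Get-Smb1Status` call to inventory a machine before changing it; the feature removal still requires the restart mentioned in step 4 above.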
- Enable hardware or software Firewalls and block SMB ports – It is vitally important to always have a firewall enabled. If you do use SMB inside of your network, then you can configure your firewall to block access to the SMB ports from the Internet. SMB operates on TCP ports 137, 139 and 445, and UDP ports 137 and 138.
- Use an AntiVirus program – Again, a very simple point: keep your AntiVirus of choice running and updated.
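On a Windows host itself, the port block described above can be applied with the built-in firewall. The script below is an added example for this post, not a Palo Alto Networks or Microsoft script. It scopes the block rules to the Public network profile, so file sharing keeps working on Domain and Private networks while interfaces facing untrusted networks drop inbound SMB and NetBIOS on the ports listed above. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated prompt; the rule display names are placeholders chosen here.

```powershell
# Added example (not from the original post): block inbound SMB/NetBIOS on the Public
# firewall profile and verify the result. Assumes an elevated prompt and the built-in
# NetSecurity cmdlets (New/Get-NetFirewallRule, Get-NetFirewallPortFilter).
#Requires -RunAsAdministrator

# Rule definitions; the display names are placeholders used to find the rules again later.
$SmbBlockRules = @(
    @{ Name = 'Block SMB/NetBIOS TCP (Public)'; Protocol = 'TCP'; Ports = @(137, 139, 445) },
    @{ Name = 'Block NetBIOS UDP (Public)';     Protocol = 'UDP'; Ports = @(137, 138) }
)

# Create the block rules; idempotent, so re-running the script does not duplicate them.
function Add-SmbBlockRules {
    foreach ($r in $SmbBlockRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Ports -Profile Public -Enabled True | Out-Null
        }
    }
}

# Verification: show the ports each rule covers, and whether SMB (445) is listening at all.
function Show-SmbExposure {
    foreach ($r in $SmbBlockRules) {
        Get-NetFirewallRule -DisplayName $r.Name |
            Get-NetFirewallPortFilter |
            Select-Object @{ n = 'Rule'; e = { $r.Name } }, Protocol, LocalPort
    }
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, State
}

Add-SmbBlockRules
Show-SmbExposure
```

If a host never needs to share files, disabling the Server service (or SMBv1, as above) is stronger than a firewall rule, since the rule only helps while the adapter is classified as Public.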
- Be cautious of Unknown Emails, Websites or Apps – Most ransomware uses phishing emails to get users to click on links. Always use caution when viewing uninvited documents or links.
- Backup your files regularly – This is always a great idea: if your hard drive dies or you are hit with ransomware, you have something to go back to.
- Keep up to date on your security knowledge – Cyberattacks and vulnerabilities appear in the news every day for popular software and services, such as Android, iOS, Windows, Linux and Mac. The more you are in the know on these activities in the Cyber World, the more aware you will be of these vulnerabilities and of the ways to prevent or avoid them.
As always, we welcome comments and feedback in the comments section below.
Thanks for reading.
Stay secure!
Joe Delio