By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017. You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. Now is not the time for complacency; it is time for action. Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect WannaCry and protect your business.

Take action now

If you are a Tenable SecurityCenter® customer, here are three things you can do now before the next variant of WCry appears and before it encrypts the files on your machines.

1. Hunt for infected machines: Check for DNS queries and Scan for Malware.

The first version of WCry that spread across the globe performs a DNS lookup when it initializes; luckily, the Passive Vulnerability Scanner® (PVS™) can record DNS queries on your network. You can apply the following filters in Event Analysis view to hunt for hosts that send queries to this domain:

Type: dns

Syslog Text: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea

Timeframe: Last 7 Days

After you apply the filter, change the view tools to Source IP Summary. If you have any host that sends queries to this domain, it has most likely been compromised. You should disconnect that machine from the network and take appropriate action.

Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.

If you already have credentialed scans or Nessus Agents in place, detection is even easier; just use the Malware Scan Policy; machines infected with WCry will be reported under plugin 59275.

2. Hunt for infected machines by lateral movement.

The WannaCry ransomware spread so quickly because once it infects one machine, it scans for any other machine with port 445 open, and then infects that target. With SecurityCenter, you can search for any hosts that are scanning for port 445, by applying this filter:

Destination Port = 445

Timeframe = Last 7 Days

Using the Connection Summary tool you can identify hosts that are connecting to other hosts using port 445. For example, in the image below, one host has 1650 events using port 445 with another host. You may need to investigate a situation when the same host is talking to several other hosts. You can enhance these results by using Assets or subnets as additional filters.

3. Once your systems are clean, patch and scan.

If your environment is now clean, the best way to prevent a WCry infection is to apply patches and disable SMBv1. Tenable has several plugins that can detect if a machine is vulnerable to MS17-010:

An ounce of prevention

Most ransomware attacks are caused by exploits of known vulnerabilities that remain unpatched on systems. This is especially true for systems running outdated and unsupported operating systems. By patching all your assets regularly and creating regular backups of your data, you can help prevent ransomware attacks.

Written by Disney Cheng, Tenable’s Solution Architect, Asia Pacific Region