The WanaCrypt0r ransomware attacks that began on Friday, May 12, 2017, continue to impact systems of public and private organizations worldwide. In this post, I will outline the protections that Traps advanced endpoint protection delivers to our customers against this ransomware attack, as well as any actions our customers may need to take to bolster protections against WanaCrypt0r.
Although the initial infection vector for WanaCrypt0r ransomware (a.k.a. WannaCry and WCry) is still under investigation, many attacks observed so far have compromised at least one endpoint in a network before spreading to other systems by exploiting a vulnerability in the SMB protocol on Microsoft Windows systems (CVE-2017-0144, “EternalBlue”). Microsoft patched this vulnerability in March and took the extraordinary step of also covering systems such as Windows XP that no longer receive security patches.
On unpatched Windows systems where this SMB protocol vulnerability can be exploited, the initially compromised endpoint remotely delivers the WanaCrypt0r sample to the target host and executes the malware. The newly compromised endpoint then repeats this cycle with every other host it can reach on the network, propagating the attack in the process. Data files on each compromised endpoint are also encrypted to extort ransom money from victims.
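The propagation cycle described above has a recognisable network signature: a single host opening SMB (TCP/445) connections to many distinct internal peers within seconds. The following detector is an added example written for this post, not code from Palo Alto Networks or from Traps; the connection log format and the log lines themselves are constructed, and the threshold and window values are assumptions a defender would tune to their own environment.

```python
"""Flag hosts that fan out over SMB (TCP/445) to many distinct peers in a short
window, the worm-like propagation pattern described above."""
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample connection log (not real data): "timestamp src dst dport".
# 10.0.1.15 sweeps eleven neighbours on 445 in six seconds (worm-like);
# 10.0.1.40 makes two ordinary SMB connections minutes apart;
# 10.0.1.41 talks HTTPS and should be ignored entirely.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.26 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.27 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.28 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.29 445
2017-05-12T10:00:06 10.0.1.15 10.0.1.30 445
2017-05-12T10:00:07 10.0.1.40 10.0.1.5 445
2017-05-12T10:05:00 10.0.1.40 10.0.1.6 445
2017-05-12T10:00:08 10.0.1.41 10.0.1.7 443
"""


def find_smb_fanout(log_text, threshold=10, window_seconds=60):
    """Return {src: peak_distinct_peers} for every source that reached at least
    `threshold` distinct hosts on port 445 inside any `window_seconds` span.
    Threshold and window are assumed values; tune them per environment."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport == "445":  # only SMB connections matter for this pattern
            events[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        active = deque()                # (ts, dst) pairs inside the window
        in_window = Counter()           # distinct dst -> count inside window
        for ts, dst in evs:
            active.append((ts, dst))
            in_window[dst] += 1
            while (ts - active[0][0]).total_seconds() > window_seconds:
                old_ts, old_dst = active.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged
```

A hit from this check is a cue to isolate the source host and confirm that MS17-010 has been applied to its reachable peers, not proof of infection on its own.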
The multi-method prevention approach of Traps delivers several protections that block the malware execution in the early stages of the WanaCrypt0r attack. In cases where the initial malware is successfully delivered to the endpoint (see below for how our Next-Generation Security Platform can prevent this), Traps automatically blocks the attacker’s attempt to execute the WanaCrypt0r malware.
Most Traps customers don’t need to make any changes to their default policies and configurations to prevent WanaCrypt0r attacks. Traps v4.0 (released in May 2017) and v3.4 (released in August 2016) prevent the execution of WanaCrypt0r on Windows endpoints through the following malware prevention methods:
In addition to the malware prevention methods above, the Child Process Protection introduced in Traps v4.0 prevents several techniques used by WanaCrypt0r to propagate across a victim’s network. Palo Alto Networks has released a content update (#15-1078, available to our customers on the Support Portal) to automate the process of applying specific Child Process Protection policies in Traps v4.0. We recommend that customers apply this update when possible.
As an integral component of the Palo Alto Networks Next-Generation Security Platform, Traps protections are continuously strengthened by the threat intelligence our customers share with the platform. Customers who use Traps in a stand-alone deployment (where no other Palo Alto Networks technologies are deployed) benefit from the platform by blocking variants of WanaCrypt0r that have been encountered first by our other customers.
In addition to these strong default protections, customers who deploy Traps along with other components of the Next-Generation Security Platform can block WanaCrypt0r ransomware across the entire attack lifecycle through multiple complementary prevention controls. These controls are outlined in the blog post “Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks.”
The WanaCrypt0r ransomware attack is still evolving. New and updated variations of this ransomware may still be discovered in the near future. I will update this post with additional details about Traps protections as new information becomes available.