In just four hours, WannaCry ransomware spread across the UK and Spain, halting operations at factories, hospitals, and communications companies in its wake. Since it burst onto the scene on Friday, May 12th, it has continued its global spread, infecting over 230,000 systems in over 100 countries. The global effect was immediate: assembly lines fell silent, patients were advised to seek medical care only for acute medical conditions, and internal speaker systems were blasting out a warning to all employees to immediately shut down their computers.
The panic is real, and the ransomware we all knew was coming is here. Fortunately, SailPoint stands ready to help protect data from ransomware and other forms of malware.
In this blog post, we will update you in real time on how SailPoint SecurityIQ can help alleviate the WannaCry threat.
What is WannaCry? (Technical Overview)
Know thy enemy—here’s the background you need on this quickly spreading ransomware:
WannaCry is based on exploits that were originally developed by the National Security Agency and were subsequently leaked to the public in mid-April by a group known as the Shadow Brokers.
The main exploit utilized by WannaCry was preemptively patched by Microsoft on March 14, 2017 (MS17-010). However, the rapid spread of WannaCry shows how many organizations have yet to apply this patch across all systems in the enterprise.
To maximize its potential for profit, WannaCry not only encrypts files using a strong form of encryption (RSA-2048), but it also simultaneously replicates itself onto as many systems as possible via the Windows network file sharing protocol (SMB). This multifaceted approach reflects the sophistication of WannaCry and its worm-like propagation pattern, which explains its rapid spread across vulnerable computers and networks.
For those affected, the starting ransom is $300 per device, payable in bitcoin. Any delay in payment causes this number to increase rapidly to a maximum of $600. Thus far, researchers estimate that over the course of the first few days of its release, WannaCry has generated approximately $50,000 in bitcoin transfers (which are being monitored in an attempt to apprehend those responsible).
WannaCry Ransomware is Evolving Rapidly
As with many things in life, change is the only constant, and ransomware is no exception. Ransomware outbreaks like WannaCry dominated the malware economy in 2016, with a 36% rise in attacks and the potential for tens of thousands of attacks per day. As the ransomware market expands, this form of malicious software is rapidly evolving—modifying its delivery, concealing its actions, and attempting to avoid security countermeasures such as sandboxing.
WannaCry, for example, originally contained a “kill switch” that attempted to resolve a previously unregistered domain. Acting quickly, a security researcher purchased the domain on May 12th and it subsequently turned into a sinkhole, limiting the spread of the original version of the malware. However, a new version of WannaCry has already been released which removes this limitation, and it has restarted its rapid spread across unpatched systems.
Ultimately, ransomware is best defended with an identity-enabled security strategy that provides defense in depth for the enterprise. This includes components such as network security to prevent infiltration and email security to reduce phishing, along with consistent data backups to prevent data loss. As part of this strategy, a consistent configuration management program that ensures all appropriate Windows security patches are applied and systems are kept up to date will prevent this iteration of WannaCry from spreading from machine to machine within an organization. However, the rapid evolution of WannaCry drives home the need to also have a solution in place that can detect ransomware in ways that are not specific to any particular malware variant.
How to Detect WannaCry and other Ransomware with SailPoint
SailPoint's Data Access Governance solution, SecurityIQ, defends against a wide range of ransomware such as WannaCry through the identification and monitoring of unstructured data access and use on network and cloud-based file shares:
- SecurityIQ assists customers in applying the principles of “least privilege” to minimize access rights and decrease the potential impact of any single infection
- SecurityIQ monitors activities on file shares, and can use behavioral pattern matching to identify malicious behavior such as the systematic modification of file suffixes as ransomware encrypts existing data
- SecurityIQ initiates actions to terminate any behavior deemed malicious, stopping ransomware in its tracks and limiting damage to sensitive systems
- SecurityIQ alerts IdentityIQ to suspend the identity and its accounts and can also certify all access for that specific identity
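As an added illustration (not SailPoint code, and not how SecurityIQ is implemented), here is the kind of behavioral rule the second bullet describes: a sliding-window count of file renames that change a file's suffix, run over constructed file-share activity events. The event format, the 60-second window and the threshold of five renames are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import splitext

# Constructed sample events: (timestamp, user, operation, old_path, new_path).
# Illustrative only; these are not SecurityIQ output or a real capture.
SAMPLE_EVENTS = [
    ("2017-05-12T09:00:00", "bob", "read", "//fs1/hr/policy.pdf", None),
    ("2017-05-12T09:00:05", "bob", "rename", "//fs1/hr/draft.txt", "//fs1/hr/final.txt"),
    ("2017-05-12T09:00:09", "bob", "rename", "//fs1/hr/report.doc", "//fs1/hr/report.docx"),
]
# A burst of renames that appends a new suffix, the pattern the text describes.
for i in range(6):
    SAMPLE_EVENTS.append(
        ("2017-05-12T09:01:%02d" % (i * 5), "alice", "rename",
         "//fs1/finance/doc%d.xlsx" % i, "//fs1/finance/doc%d.xlsx.WNCRY" % i)
    )


def suffix(path):
    """Return the lowercased file extension, or '' if there is none."""
    return splitext(path)[1].lower()


def detect_suffix_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Flag users who change the suffix of >= threshold files within `window`.

    Returns {user: {"count": n, "suffixes": {...}, "first": ts, "last": ts}}.
    Only rename events whose suffix actually changes count toward a burst,
    so ordinary renames (draft.txt -> final.txt) are ignored.
    """
    per_user = defaultdict(list)
    for ts, user, op, old, new in events:
        if op != "rename" or new is None or suffix(old) == suffix(new):
            continue
        per_user[user].append((datetime.fromisoformat(ts), suffix(new)))

    alerts = {}
    for user, renames in per_user.items():
        renames.sort()
        start = 0
        for end, (t_end, _) in enumerate(renames):
            while t_end - renames[start][0] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and (user not in alerts or count > alerts[user]["count"]):
                alerts[user] = {
                    "count": count,
                    "suffixes": {s for _, s in renames[start:end + 1]},
                    "first": renames[start][0].isoformat(),
                    "last": t_end.isoformat(),
                }
    return alerts
```

Running `detect_suffix_bursts(SAMPLE_EVENTS)` flags only alice (six suffix changes to `.wncry` within 25 seconds); in a real deployment the alert would feed the response actions the third and fourth bullets describe.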
No Ransom No Cry
Employing SailPoint as part of an identity-enabled security strategy helps mitigate the impact of ransomware such as WannaCry by:
- Stopping ongoing encryption of valuable data accessible by the user
- Disabling network access so that the ransomware’s spread is impeded
- Preserving valuable data for forensics that can help identify the point of origin and spread of the ransomware
Protect Your Data Now from WannaCry Ransomware
WannaCry’s rapid spread has shown the importance of acting quickly and decisively to protect sensitive data from the ravages of ransomware. Utilizing SailPoint Data Access Governance today can help prevent data loss and save you from becoming the next ransomware victim tomorrow.
Already a SecurityIQ customer?
Check out this video to ensure that you’re configuring SecurityIQ adequately to address ransomware like WannaCry.
Not Yet a SecurityIQ customer?
Contact us to discuss how SailPoint can help you quickly defend against the WannaCry ransomware and other, similar future threats. WannaCry is only the latest wave in the rising tide of ransomware, and its efficient attack means that others will seek to emulate its success. While WannaCry may be the long-predicted massive ransomware attack that we were waiting for, it certainly will not be the last.