In May 2017, the WannaCry ransomware attack made headlines worldwide, exploiting a vulnerability in Microsoft Windows to infect more than 200,000 computers across 150 countries within days. The attack was attributed to the Lazarus Group, a state-sponsored group linked to North Korea. The EternalBlue exploit, developed by the NSA and published by the Shadow Brokers a month earlier, was a key component of the attack: it let WannaCry spread through networks over SMB with no user interaction at all. Despite its rapid propagation, the behaviors WannaCry performs once inside a network are well known to security professionals.
Vectra Threat Labs analyzed the inner workings of WannaCry to understand the threat. They found that while the initial infection method may have been novel, the behaviors exhibited by WannaCry are typical of ransomware Vectra has encountered before. This highlights the strength of focusing on detecting ransomware behaviors, rather than relying solely on identifying specific exploits or malware signatures. Vectra customers were already detecting and stopping similar threats long before WannaCry caused global disruption.
How Does WannaCry Work?
Once it infects a machine, WannaCry follows a familiar pattern of reconnaissance and lateral movement across internal networks. The ransomware scans for hosts listening on TCP port 445, spreads itself by exploiting the SMBv1 vulnerability patched in Microsoft bulletin MS17-010 (CVE-2017-0144), and ultimately encrypts files, demanding payment in Bitcoin to restore access. While this type of attack can be devastating, the Vectra AI Platform is designed to detect these behaviors, enabling security teams to respond quickly and mitigate damage.
Will Vectra Detect WannaCry and Its Variants?
Yes. Vectra detects active WannaCry infections and variants that reuse the same propagation behaviors, whatever exploit or packaging they arrive with. It is important to remember that before ransomware like WannaCry can encrypt anything beyond the host it landed on, it must first reconnoiter the network to locate other hosts and file shares. This internal reconnaissance is visible on the network, and Vectra detects it along with the other behaviors associated with infected hosts.
Vectra’s approach assigns the highest threat and certainty scores to ransomware behaviors, ensuring these critical risks are prioritized for immediate incident response. The advantage for Vectra customers is that these detections were in place before WannaCry struck, allowing early detection of suspicious activity.
Vectra’s Detections of WannaCry-Related Behaviors
Vectra’s AI-driven detections are based on a deep understanding of attacker behaviors. The following are some key behaviors observed in WannaCry infections:
- Command and Control: Communication over the Tor network. WannaCry carries its own Tor client and reaches its command-and-control servers as Tor hidden services, a technique attackers use to hide where their infrastructure actually lives.
- Network Scanning: Scanning the local subnet and randomly generated internet addresses on TCP port 445, looking for SMB servers that have not received the MS17-010 patch.
- Automated Malware Replication: Once a vulnerable machine is identified, WannaCry exploits it over SMB and copies itself across with no user action, and each newly infected host immediately begins scanning in turn. This is what makes the infection worm-like.
- File Encryption: Encryption of files on both local drives and mapped network shares.
How Can I Improve My Response to WannaCry and Its Variants?
Improving your response to WannaCry starts with prioritizing alerts based on attacker behavior. Vectra recommends configuring email alerts specific to the following attacker behaviors:
- Outbound Port Sweep: An internal host connecting to many external addresses on the same port (445 in WannaCry's case) in a short time, the signature of a worm searching the internet for further victims.
- Internal Darknet Scan: An internal host probing internal IP addresses that are unallocated or unused. Legitimate software has no reason to contact addresses where nothing lives, so traffic to them is a reliable sign of automated host discovery.
- Automated Replication: A host that was itself just contacted by a scanning host starting the same scanning and exploitation activity against others, i.e. the infection propagating from host to host.
- Ransomware File Activity: A host writing or renaming files on network shares at a rate and in a pattern that matches ransomware encryption, signaling that encryption is already under way.
- File Share Enumeration: Monitoring for attempts to locate file shares across the network, which precedes encryption of shared data.
Additionally, alerting on all Tor activity is recommended. While Tor is a legitimate tool for anonymity, it is rarely used in enterprise environments and usually warrants investigation; if a particular team has a sanctioned use for it, scope the alert to exclude those hosts rather than switching it off.
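The three network behaviors above (outbound port sweep, internal darknet scan, automated replication) can be expressed as simple rules over connection records. The following is an added example, not Vectra's code or detection logic: it runs those rules over a constructed set of flow records in which one host scans the internet and its own subnet on port 445, probes an unused internal range, and a host it touched later begins the same sweep. The internal and allocated subnets, the thresholds and window, and the sample flows are all assumptions chosen for the demonstration.

```python
"""Toy behavioral detector for worm-style ransomware propagation.

Added example, not Vectra's code: flags outbound port sweeps, internal
darknet scans and automated replication over constructed flow records.
Subnets, thresholds and sample flows are assumptions for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds; any monotonic clock works
    src: str
    dst: str
    dport: int


# Assumption: RFC 1918 space is "internal" and only these subnets are allocated.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
ALLOCATED = [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in n for n in INTERNAL)


def is_darknet(ip: str) -> bool:
    """Internal address outside every allocated subnet: nothing legitimate lives there."""
    return is_internal(ip) and not any(ip_address(ip) in n for n in ALLOCATED)


@dataclass
class Sweep:
    ts: float                          # when the source crossed the threshold
    internal: set = field(default_factory=set)
    external: set = field(default_factory=set)


def port_sweeps(flows, port=445, threshold=20, window=60.0):
    """Sources that touch >= threshold distinct destinations on `port` within `window` s."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == port:
            by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        recent = deque()                # sliding window of this source's flows
        for f in fs:
            recent.append(f)
            while f.ts - recent[0].ts > window:
                recent.popleft()
            if len({r.dst for r in recent}) >= threshold:
                dsts = {r.dst for r in fs}
                hits[src] = Sweep(f.ts, {d for d in dsts if is_internal(d)},
                                  {d for d in dsts if not is_internal(d)})
                break
    return hits


def darknet_scans(flows, threshold=5):
    """Sources that probe >= threshold distinct unallocated internal addresses."""
    probes = defaultdict(set)
    for f in flows:
        if is_darknet(f.dst):
            probes[f.src].add(f.dst)
    return {s: d for s, d in probes.items() if len(d) >= threshold}


def automated_replication(sweeps):
    """(parent, child) pairs: child was inside parent's sweep and later swept on its own."""
    pairs = []
    for parent, s in sweeps.items():
        for child in sorted(s.internal):
            if child in sweeps and sweeps[child].ts > s.ts:
                pairs.append((parent, child))
    return pairs


def constructed_flows():
    """Constructed sample, not captured traffic: 10.1.0.5 is patient zero."""
    t, flows = 1000.0, []
    # 25 distinct internet hosts on 445 in 25 s, then the local /24, then an unused range.
    flows += [Flow(t + i, "10.1.0.5", f"203.0.113.{i + 1}", 445) for i in range(25)]
    flows += [Flow(t + 30 + i, "10.1.0.5", f"10.1.0.{i}", 445)
              for i in range(1, 31) if i != 5]
    flows += [Flow(t + 70 + i, "10.1.0.5", f"10.1.7.{i}", 445) for i in range(1, 9)]
    # 10.1.0.9 was hit at t+39; two minutes later it starts the same sweep.
    flows += [Flow(t + 200 + i, "10.1.0.9", f"198.51.100.{i + 1}", 445) for i in range(25)]
    # Benign noise: a file server talking SMB to a few clients.
    flows += [Flow(t + 5 + i, "10.1.1.20", f"10.1.0.{50 + i}", 445) for i in range(3)]
    return flows


def detect(flows, threshold=20):
    sweeps = port_sweeps(flows, threshold=threshold)
    return {
        "outbound_port_sweep": sorted(s for s, v in sweeps.items()
                                      if len(v.external) >= threshold),
        "internal_darknet_scan": sorted(darknet_scans(flows)),
        "automated_replication": automated_replication(sweeps),
    }


if __name__ == "__main__":
    for name, hits in detect(constructed_flows()).items():
        print(f"{name}: {hits}")
```

On the constructed sample the benign file server never crosses the sweep threshold, patient zero is flagged for both the outbound sweep and the darknet scan, and the replication rule links it to the host it infected. In a real deployment the darknet list comes from the IPAM system and the thresholds need tuning against vulnerability scanners and monitoring tools, which are the usual false positives for this class of rule.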
By monitoring and prioritizing behaviors associated with WannaCry and its variants, Vectra enables security teams to quickly respond to infections, reducing the chance of widespread damage.
What Actions Should I Take if an Attack is Detected?
Vectra puts the power in the hands of security analysts, providing actionable insights that help make quick, informed decisions. If Vectra detects behaviors associated with WannaCry or similar threats, security teams can choose to automate the following responses based on internal policies:
- Quarantine the Host: WannaCry spreads like a worm, so isolating an infected host from the network the moment scanning is seen stops it from reaching further victims.
- Quarantine Destination Hosts: If Vectra detects Automated Replication, quarantine the destination IPs the infected host has reached on port 445 as well; any of them may already be infected and about to start scanning.
- Reimage and Restore: Reimage infected hosts and restore files from an offline backup. Apply the MS17-010 patch (or disable SMBv1) before the host rejoins the network; an unpatched host will simply be reinfected by any peer that is still scanning.
- File Restoration: In the case of ransomware encryption, restore encrypted files from offline backups to minimize downtime and prevent data loss.
Historical Context: The Lazarus Group’s Role in WannaCry
It’s important to note that WannaCry wasn’t just any ransomware attack. The malware was linked to the Lazarus Group, a state-sponsored hacking group known for sophisticated attacks. This group, believed to be connected to North Korea, has been involved in numerous cyberattacks against financial institutions, media companies, and critical infrastructure. WannaCry’s rapid spread and the political implications behind it serve as a reminder of the increasingly complex nature of cyber threats.
Preparing for the Next Wave of Ransomware and Advanced Persistent Threats (APTs)
As ransomware continues to evolve, organizations must be ready for new tactics and exploits, but the behaviors—reconnaissance, lateral movement, replication, and encryption—remain consistent. By focusing on real-time behavior detection, security teams can proactively defend against emerging threats, even as attackers change their methods and tools.
Vectra AI is committed to helping organizations stay ahead of sophisticated threats like WannaCry and those carried out by Advanced Persistent Threat (APT) groups. To deepen your understanding of these evolving threats, explore our detailed pages on ransomware groups and APT actors, including:
Each page offers insights into the tactics, techniques, and procedures (TTPs) of these threat actors, helping you build a more resilient defense.
What’s next for you?
With Vectra AI, you have the power to detect and stop sophisticated attacks before they escalate. Contact your Vectra representative or schedule a demo to learn how our platform can strengthen your defense against ransomware and APTs.