Enhancing Security After WannaCry

By: Larry Loeb


The Trojan and worm ransomware combination called WannaCry shocked the global community by spreading rapidly and wreaking havoc on computer systems. It was only by sheer luck that a U.K. security researcher inadvertently stopped the initial spread by registering a domain name that the malware was programmed to check as a kill-switch mechanism. Because a deep deconstruction hadn’t been performed at that point, the researcher had no idea that this registration would stop the attack. However, this method did stop WannaCry from finding a much wider distribution than it might have otherwise obtained.

Server Message Blocks Opened the Door

WannaCry is built on a remote code execution flaw in the Windows Server Message Block (SMB) protocol, which was first introduced in Windows 2000 together with direct hosting of SMB over TCP/IP. The insecure SMBv1 was replaced by SMBv2 in 2006, ZDNet reports. For compatibility purposes, however, SMBv1 may still be enabled by default on older systems from Vista on up, and the attack was shown to have an outsized effect on Windows 7 systems that were still in use.

WannaCry is built from a pair of National Security Agency tools called EternalBlue and DoublePulsar, which were let loose by the Shadow Brokers group. EternalBlue allows execution of arbitrary code on Windows systems using SMB-crafted packets, while DoublePulsar is a Trojan that establishes a back door. Between the two, they let the ransomware payload run free.

The dual mechanism ensures that if one Windows computer on a network becomes infected, all others on the same network will become compromised as well. The payload deletes the Volume Shadow files on the infected system after it encrypts files. That means the local Windows backup won’t work.
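Because the payload removes Volume Shadow Copies before the local backup can be used, deletion of shadow copies is a high-value signal for defenders. The following is an added example, not code from the article: a small PowerShell filter that flags process-creation records whose command line deletes shadow copies. It assumes Sysmon is installed and writing Event ID 1 (process creation) to the Microsoft-Windows-Sysmon/Operational log; the sample records at the bottom are constructed, and the pattern list goes slightly beyond the article by also covering the WMIC and wbadmin variants of the same action.

```powershell
# Added example (not from the article): flag process-creation records whose
# command line deletes Volume Shadow Copies or the backup catalog.
# Assumption: Sysmon Event ID 1 is available; sample records below are constructed.

$ShadowDeletePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',     # vssadmin delete shadows ...
    'wmic(\.exe)?\s+shadowcopy\s+delete',      # wmic shadowcopy delete
    'wbadmin(\.exe)?\s+delete\s+catalog'       # wbadmin delete catalog ...
)

function Test-ShadowCopyDeletion {
    # Returns $true when the command line matches any shadow-copy deletion pattern.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowDeletePatterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

function Get-SysmonProcessEvents {
    # Reads Sysmon Event ID 1 records and returns Time / Image / CommandLine objects.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
}

function Find-ShadowCopyDeletion {
    # Pipeline filter: passes through only the records that match.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.CommandLine -and (Test-ShadowCopyDeletion $Record.CommandLine)) { $Record }
    }
}

# Constructed sample records (not real telemetry) to show the filter working.
$sample = @(
    [pscustomobject]@{ Time = '2017-05-12 10:01:00'; Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe report.txt' },
    [pscustomobject]@{ Time = '2017-05-12 10:01:05'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c vssadmin delete shadows /all /quiet' },
    [pscustomobject]@{ Time = '2017-05-12 10:01:06'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic shadowcopy delete' }
)
$sample | Find-ShadowCopyDeletion | Format-Table -AutoSize
# The second and third records are reported; the first is not.

# Live use on a host with Sysmon:
#   Get-SysmonProcessEvents -MaxEvents 2000 | Find-ShadowCopyDeletion
```

The same match logic can be pointed at Security log event 4688 if command-line auditing is enabled there instead of Sysmon; only Get-SysmonProcessEvents would need to change.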

Learning From WannaCry

If a business must use Windows, it has to actively maintain the system. Turn off the SMBv1 configuration checkbox on all Windows machines that are vulnerable. Even though Microsoft will try to eliminate the protocol in upcoming versions of Windows, that will do nothing for systems that are already deployed. This vulnerability illustrates how crucial it is to constantly patch and maintain the Windows OS.
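The article's advice is to turn SMBv1 off on every vulnerable Windows machine and keep the OS patched. The following is an added example, not code from the article or from Microsoft: a PowerShell script that reports the SMBv1 state of the local host and disables it using whichever mechanism the OS version supports. It assumes an elevated session; the optional-feature and Set-SmbServerConfiguration cmdlets exist on Windows 8.1 / Server 2012 R2 and later, while on Windows 7 / Server 2008 R2 the LanmanServer SMB1 registry value is the documented switch. A reboot is required for the change to take effect.

```powershell
# Added example (not from the article): audit and disable SMBv1 on the local host.
# Assumption: run from an elevated PowerShell session.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns one object describing SMBv1 from every mechanism available on this OS.
    $state = [ordered]@{ OptionalFeature = 'n/a'; ServerConfig = 'n/a'; Registry = 'n/a' }

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $state.OptionalFeature = [string]$f.State }   # Enabled / Disabled
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerConfig = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    # A missing value means the default, which on older systems is "enabled".
    $state.Registry = if ($null -eq $v) { 'not set (default: enabled)' } else { $v.SMB1 }

    return [pscustomobject]$state
}

function Test-Smb1Enabled {
    # $true if any mechanism still reports SMBv1 as on.
    $s = Get-Smb1State
    return ($s.OptionalFeature -eq 'Enabled') -or
           ($s.ServerConfig -eq $true) -or
           ($s.Registry -is [string] -and $s.Registry -like 'not set*') -or
           ($s.Registry -eq 1)
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable Windows optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB server', 'Set EnableSMB1Protocol = false')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }
    # Windows 7 / Server 2008 R2 path: explicit registry switch, DWORD 0 = disabled.
    if ($PSCmdlet.ShouldProcess($LanmanParams, 'Set SMB1 = 0')) {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Warning 'SMBv1 settings changed; reboot the host for them to take full effect.'
}

# Usage
Write-Host 'Before:'; Get-Smb1State | Format-List
if (Test-Smb1Enabled) {
    Disable-Smb1 -WhatIf     # drop -WhatIf to apply the change
}
```

Run Get-Smb1State again after the reboot to confirm all three indicators report SMBv1 as off; on a fleet, wrap the same functions in Invoke-Command against a host list so the result can be collected centrally.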

Next, the strategy of leaving a system unchanged so that all of its parts stay compatible with one another does not hold water anymore — if it ever did. The risk of catastrophic failure is simply too great. Other attackers will undoubtedly use the same kind of exploit in the future, and vulnerable systems will be compromised. Problems caused by maintenance changes affecting other parts of a system must be resolved quickly rather than used as a reason to skip the maintenance.

Organizations must also realize that the cost of maintaining software for security comes with the territory of doing business; it cannot be avoided or deferred. U.S. News reports that many organizations are panic-buying cybersecurity services in the wake of this outbreak. That cost would undoubtedly have been lower if steady, routine security practices had already been in place.

This event may finally force businesses to face their security needs and adapt their current practices. As threats evolve, so must enterprise responses.
