Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks

Scott Simkin


What Happened:

On Friday, May 12, 2017, a series of broad attacks began that spread the latest version of the WanaCrypt0r ransomware. These attacks reportedly impacted systems of public and private organizations worldwide. Our Next-Generation Security Platform automatically created, delivered and enforced protections against this attack.

How the Attack Works:

The WanaCrypt0r attacks begin in an organization with a phishing email that carries a malicious link or PDF attachment. A successful phish places the WanaCrypt0r ransomware on the target system, which then attempts to spread across the network over SMB by exploiting the EternalBlue vulnerability (CVE-2017-0144) on Microsoft Windows systems. Microsoft addressed this vulnerability in March 2017 with security bulletin MS17-010; the EternalBlue exploit for it was released publicly by the Shadow Brokers group in April 2017. Organizations that have applied MS17-010 are not exposed to the worm-like spread of WanaCrypt0r over SMB (the patch does not affect the initial phishing delivery, which is handled by the other controls below). Because MS17-010 addresses a remotely exploitable vulnerability in a networking component that is now under active attack, we strongly urge making deployment of this security update a priority.
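The following PowerShell script is an added example, not Palo Alto Networks or Microsoft code. It audits a single Windows host for the exposure described above: whether an MS17-010 package is present, what version of the SMB server driver (srv.sys) is installed, whether SMBv1 (the protocol version EternalBlue targets) is still enabled, and whether TCP 445 is listening. With the -Remediate switch it also turns SMBv1 off. The KB numbers are transcribed from the MS17-010 bulletin and should be checked against it; the script deliberately hard-codes no srv.sys version table, so compare the printed version with the one Microsoft lists for the host's OS. It assumes PowerShell 3.0 or later and an elevated session.

```powershell
<#
  Added example (not Palo Alto Networks code): audit a Windows host for the
  MS17-010 / SMBv1 exposure WanaCrypt0r uses to spread, and optionally
  remediate it. Requires PowerShell 3.0+ and an elevated session.
#>
[CmdletBinding()]
param(
    # Without -Remediate the script only reports; with it, SMBv1 is disabled.
    [switch]$Remediate
)

# MS17-010 package KB numbers by OS family (assumption: transcribed from the
# Microsoft bulletin; verify against it). Later cumulative updates supersede
# these KBs, so "not found" on an up-to-date Windows 10 / Server 2016 host is
# not proof that the fix is missing; the srv.sys version check below is the
# reliable indicator.
$Ms17010Kbs = @(
    'KB4012598',                           # XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is one of the MS17-010 packages installed?
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $Ms17010Kbs }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB reported by Get-HotFix; confirm with the srv.sys version below."
}

# 2. Report the SMB server driver version for comparison with the patched
#    version Microsoft lists for this OS (no version table is hard-coded here).
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
if ($srv) { Write-Host "srv.sys version: $($srv.VersionInfo.FileVersion)" }

# 3. Is SMBv1 still enabled on the server side? EternalBlue targets SMBv1, so
#    disabling it removes the exposure even where patching lags.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Enabled = $null
try {
    # Windows 8 / Server 2012 and later
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} catch {
    # Windows 7 / Server 2008 R2: the LanmanServer "SMB1" value (absent means enabled)
    $v = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
}
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 4. Is anything listening on TCP 445, the port the worm scans for?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    Write-Host "TCP 445 is listening; ensure inbound 445 is blocked from untrusted networks."
}

# 5. Optional remediation: disable SMBv1 (a reboot is needed for full effect).
if ($Remediate -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Host "SMBv1 server disabled; reboot to apply."
}
```

Run it as `.\Check-MS17010.ps1` to report, or `.\Check-MS17010.ps1 -Remediate` to also disable SMBv1; the hotfix lookup and the registry fallback are there so the same script works on Windows 7 hosts, which were the bulk of the systems hit by this worm.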

Preventions:

Palo Alto Networks customers are protected through our Next-Generation Security Platform, which employs a prevention-based approach that automatically stops threats across the attack lifecycle. Protection from WanaCrypt0r comes from multiple complementary prevention controls across the platform, including:

  • WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
  • Threat Prevention enforces IPS signatures for the vulnerability exploit used in this attack (SMB vulnerability – ETERNALBLUE, CVE-2017-0144, addressed by MS17-010).
  • URL Filtering blocks the known domain contacted by the malware: hxxp://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Note that this domain acts as a kill switch: the malware queries it before encrypting and stands down only if the HTTP request succeeds, so a control that silently drops the connection does not trigger it, while a sinkhole that answers the request does. Do not rely on the URL block alone to stop encryption.
  • Traps prevents the execution of the WanaCrypt0r malware on endpoints.
  • AutoFocus tracks the attack for threat analytics and hunting via the WanaCrypt0r tag.
  • GlobalProtect extends Next-Generation Firewall policy to mobile and remote users, so off-network workers receive the same protections.

For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to our Knowledge Base article.
