
WannaCry Ransomware Attack: What to Do Now


View on-demand webinar: http://bit.ly/2qoNQ8v

What you need to know and how to protect against the WannaCry ransomware attack, the largest coordinated cyberattack of its kind. WannaCry has already crippled critical infrastructure, multiple hospitals and telecommunications organizations, infecting hundreds of thousands of endpoints in over 100 countries. In this on-demand webinar, we discuss the anatomy of this unprecedented attack, and IBM researchers share expert insights into what you can do now to protect your organization from this attack and the next one.

Comments:
  • Thanks for valuable information. I hope this article also will help you to get some more knowledge. http://blog.unisecure.com/site-falls-victim-ransomware/
  • Thank you very much for the insightful webinar. I learnt a lot.
  • Good overview of the current and possible future situations.
  • Thanks for the useful information shared in the webcast.

Slides:

Slide 1: WannaCry Ransomware: What to Do Now
May 16, 2017. Speakers: Diana Kelley, Executive Security Advisor, IBM Security; Kevin Albano, X-Force IRIS Global Lead for Threat Intelligence, IBM Security; Jim Brennan, Director of Strategy and Offering Management, IBM Security.
Slide 2: Overview
  • What is WannaCry?
  • The anatomy of the attack
  • How to protect my organization now
  • Back to basics
  • Best practices
  • Next steps
Slide 3: What is the WannaCry ransomware attack?
  • Began on May 12, 2017, but leverages previously known exploits
  • Infiltrates endpoints and encrypts their files, demanding a ransom of USD 300 in bitcoin
  • Exploits a known Windows vulnerability that enables remote code execution; Microsoft released the patch (MS17-010) in March 2017, so systems that did not apply it are vulnerable
  • Crippled at least 100K organizations across multiple industries in over 150 countries
  • 200K+ infected endpoints
Slide 4: What makes WannaCry so sophisticated?
  • Uses highly potent exploits allegedly developed by the NSA and published by the "Shadow Brokers" group in April 2017
  • Exploits a flaw in the Windows Server Message Block (SMB) implementation, specifically SMBv1, which enables its worm-like propagation from host to host without user interaction
  • Uses strong encryption: files are encrypted with per-file symmetric (AES) keys, and those keys are in turn wrapped with a 2048-bit RSA key, so there is no practical way to recover files without the attackers' private key
  • Uses a modular architecture of the kind found in legitimate software and in complex malware projects such as banking trojans
Slide 5: WannaCry: The Anatomy of the Attack
Latest intel:
  • Crippled at least 100K organizations across multiple industries in over 150 countries
  • 200K+ infected endpoints
  • About $60,000 paid so far; the figure will rise, but paying the ransom is not recommended
  • The ransomware was slowed down by the accidental discovery of a kill switch
  • However, new variants have emerged with no kill switch, or with different kill-switch domains
Attack flow (reconstructed from the slide's diagram):
  1. Root cause: the initial infection vector is shown as "?" on the slide, i.e. it was not confirmed at the time of the webinar
  2. First stage executed on the initial endpoint
  3. Propagation step 1: invokes the SMB protocol for port scanning to find other hosts exposing SMB
  4. Propagation step 2: checks the target for an existing DoublePulsar backdoor and, if present, uses it to push WannaCry onto that endpoint; if it is not found, exploits the SMBv1 flaw with EternalBlue to deliver WannaCry, and the newly infected host propagates in turn
  5. Drops Tor client: launches a Tor client on the infected endpoint, anonymizing its communications
  6. Initiates encryption: encrypts files with about 160 targeted extensions and deletes shadow copies
  7. Ransomware notice: displays the ransom message with instructions to decrypt
Slide 6: How can I protect my organization now?
  1. Scan for DoublePulsar during cleanup and confirm that anti-virus signatures are up to date
  2. Reduce your attack surface by ensuring that all Windows systems are patched (MS17-010)
  3. Block SMB ports (particularly TCP 139 and 445) from external hosts; block UDP ports 137 and 138 from the local network to the WAN
  4. Disable SMBv1, the protocol version the EternalBlue exploit targets; the slide also recommends disabling SMBv2 and permitting only SMBv3 connections by policy on clients, which is safe only where every server the clients need supports SMBv3
  5. Back up critical data on a regular basis, and keep copies off the host, since WannaCry deletes local shadow copies before encrypting
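The five steps above as a single host-side audit-and-harden script. This is an added example written for this page, not IBM's code and not part of the deck; it assumes an elevated PowerShell 4.0 or later session, Windows 8.1 / Server 2012 R2 or newer for the Smb*, DISM and NetSecurity cmdlets (with registry and sc.exe fallbacks for Windows 7 / Server 2008 R2), and the KB list and firewall profile choice are my assumptions, flagged in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the IBM deck: audits and applies the host-side
# controls from the slide above on one Windows host and prints a short report.
# Assumptions (mine, not the slide's): Windows 8.1 / Server 2012 R2 or newer for
# the Smb*, DISM and NetSecurity cmdlets; registry and sc.exe fallbacks cover
# Windows 7 / Server 2008 R2. Review every step before running it in production.

$report = [ordered]@{}

# 1. Patch: the March 2017 security updates that carried the MS17-010 fix.
#    Later cumulative updates supersede them, and Get-HotFix then no longer
#    lists them, so "not listed" means unverified, not unpatched: confirm with a
#    vulnerability scanner that performs the SMB-level MS17-010 check.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
           'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
$report['MS17-010'] = if ($found) { "listed: $($found.HotFixID -join ', ')" }
                      else { 'not listed; verify the current cumulative update' }

# Anti-virus signature age (Windows Defender; other products expose their own query).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $report['AV signatures'] = "updated $((Get-MpComputerStatus).AntivirusSignatureLastUpdated)"
}

# 2. SMBv1: EternalBlue targets the SMBv1 server, so turn it off on the server
#    side and stop the SMBv1 client redirector as well.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $report['SMBv1 server'] = 'disabled'
} else {
    # Windows 7 / 2008 R2: the documented registry switch, effective after reboot
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0
    $report['SMBv1 server'] = 'disabled in registry (reboot required)'
}
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if (-not $feat) {
        $report['SMBv1 client'] = 'SMB1Protocol feature not present (on Server use Remove-WindowsFeature FS-SMB1)'
    } elseif ($feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $report['SMBv1 client'] = 'feature disabled (reboot required)'
    } else {
        $report['SMBv1 client'] = 'already disabled'
    }
} else {
    # Legacy redirector: drop mrxsmb10 from the workstation dependency chain
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    $report['SMBv1 client'] = 'mrxsmb10 disabled (reboot required)'
}

# 3. Firewall: block inbound NetBIOS/SMB and outbound NetBIOS datagrams on the
#    profiles in $blockProfiles. The slide's rule (139/445 in from the Internet,
#    UDP 137/138 out to the WAN) belongs on the perimeter firewall; these host
#    rules are defence in depth for machines that roam onto untrusted networks.
#    $blockProfiles is an assumption: widen it to 'Any' on hosts that never
#    need to serve files. Requires the NetSecurity module (Windows 8 / 2012+);
#    on older hosts use the equivalent "netsh advfirewall firewall add rule".
$blockProfiles = 'Public'
$rules = @(
    @{ Name = 'WannaCry: block inbound SMB/NetBIOS';  Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 139, 445 }
    @{ Name = 'WannaCry: block outbound NetBIOS UDP'; Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 137, 138 }
)
foreach ($r in $rules) {
    # idempotent: skip rules that already exist from an earlier run
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = $r.Clone(); $params.Remove('Name')
    New-NetFirewallRule -DisplayName $r.Name -Action Block -Profile $blockProfiles @params | Out-Null
}
$report['Firewall'] = "SMB/NetBIOS block rules present for profile(s): $blockProfiles"

# 4. Backups: WannaCry deletes Volume Shadow Copies before encrypting, so
#    shadow copies on the same disk are not a backup. Count them for the
#    record; the control that matters is a recent off-host copy.
$shadows = @(vssadmin list shadows | Select-String 'Shadow Copy ID').Count
$report['Shadow copies'] = "$shadows on this host (not a substitute for off-host backups)"

$report
```

Run it once per host from an elevated prompt and collect the printed table centrally; most of the SMBv1 changes need a reboot to take effect. The one slide-6 step the script does not cover is the DoublePulsar scan: the implant is a memory-only kernel backdoor with no file on disk, so it is detected by an SMB probe from the network rather than by a host-side file check, and because it does not survive a restart, suspect hosts should be rebooted only after MS17-010 is confirmed, otherwise an exposed host is simply re-infected.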
Slide 7: Security best practices
  • PATCH: apply critical vulnerability patches to reduce attack surface
  • BLOCK: protect networks from advanced threats and malware
  • MONITOR: leverage deep security analytics to correlate disparate data and detect emerging threats
  • RESPOND: orchestrate an incident response plan
Slide 8 (PATCH): Patching 101: where endpoint tools are challenged
  • Fragmented defenses, slow to respond
  • Insufficient visibility
  • Sporadic endpoint hygiene
  • Silos of teams and tools
Slide 9 (PATCH): Apply critical vulnerability patches enterprise-wide to reduce attack surface
  1. Ensure the ability to discover and report on all endpoints (including unmanaged ones) regardless of location and bandwidth
  2. Automate patch deployment to affected endpoints wherever possible
  3. Use closed-loop verification to confirm that each patch was applied successfully
  4. Enable a state of continuous policy enforcement across endpoints to reduce attack surface
Slide 10 (BLOCK): Block malware and advanced threats from entering your network
  1. Deploy network protection devices in-line
  2. Ensure you have IP reputation and URL filtering feeds to enable automatic blocking of access to malicious sites
  3. Ensure network protection signatures and firmware are up to date
Slide 11 (MONITOR): Detect emerging threats by leveraging deep security analytics
  1. Get a common, correlated view, with prioritization, of security-relevant logs, network traffic flows and user behavior
  2. Deploy network security devices to detect malicious software and exploit activity in real time
  3. Use a cloud-based malware analysis service with automatic send/receive capability for rapid threat identification
  4. Leverage cognitive analytics to go beyond the limitations of structured data and incorporate the latest global research insights on active threats
Slide 12 (RESPOND): Transform incident response to align people, process and technology
  1. Preparation is paramount: develop an incident response plan and test it to align people, processes and technology
  2. Identify, detect, contain and remediate threats before they spread and cause more damage
  3. Enable decisive action through complete IR orchestration and automation
  4. Ensure IR processes are consistent, proven, easy to refine and compliant
  5. Get help from highly skilled experts with incident management and security intelligence experience to support you during a crisis
Slide 13: IBM Security is here to help
  • PATCH: apply critical vulnerability patches to reduce attack surface: BigFix
  • BLOCK: protect networks from advanced threats and malware: QRadar Network Security (XGS), BigFix
  • MONITOR: leverage deep security analytics to correlate disparate data and detect emerging threats: QRadar with Watson, X-Force Exchange, X-Force Malware Analysis
  • RESPOND: orchestrate an incident response plan: Resilient, X-Force IRIS
  • Across all four: IBM Managed Security Services
Slide 14: Next steps
  • Follow the updates on X-Force Exchange
  • Refer to the X-Force Ransomware Response Guide to evaluate organizational readiness
  • Learn more about protecting your organization: sign up for our webinar series on monitoring, patching, blocking and responding
For immediate help, call the IBM X-Force Incident Response Hotline: USA +1-888-241-9812, Global +1-312-212-8034
Slide 15: Thank you
Follow us on: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
