A major ransomware attack using a leaked NSA exploit known as “WannaCry” has hit more than 150 countries since May 12. More than 200,000 infections globally have been detected and the attack, which uses the WannaCry (WanaCrypt0r 2.0) ransomware, continues to spread. WannaCry utilizes the ETERNALBLUE exploit targeting newly disclosed vulnerabilities (MS17-010). Once leaked, it took only 28 days for this exploit to be used in a full-scale cyber attack. Organizations that scan for vulnerabilities only monthly or less frequently can still be at risk. During this webcast (https://www.brighttalk.com/webcast/11673/261293) Mark Butler, CISO at Qualys and Jimmy Graham, Director of Product Management for Qualys ThreatPROTECT and AssetView, show you how to: • Patch and implement other mitigations for WannaCry • Detect and get full visibility on impacted assets for prompt remediation • Institute threat-prioritized remediation processes to mitigate current and future risks Qualys ThreatPROTECT can detect and identify patches for the vulnerabilities being exploited by ETERNALBLUE and shield your organization’s business-critical data from attacks. Sign up for a free 30 day trial and get unlimited scans. https://qualys.com/wannacry-trial

1. How to Rapidly Identify Assets at Risk to
WannaCry Ransomware
Mark Butler, CISO, Qualys
Jimmy Graham, Director of Product Management, Qualys
May 17th, 2017

2. Speakers
Mark Butler
Chief Information Security Officer,
Qualys
Jimmy Graham
Dir of Product Management,
ThreatPROTECT, Qualys
2

3. Agenda
Timelines
Impacts
Remediation / Workarounds
Detection / How we can help?
Prioritization / How we can help?
Data Analysis / Takeaways
3

4. WannaCry and EternalBlue
EternalBlue is an exploit for SMB
1.0 created by the NSA and leaked
by a hacking group known as The
Shadow Brokers
WannaCry is a ransomware program
that spreads using the EternalBlue
exploit
4

5. Timeline
Mar 14, 2017 – Microsoft releases MS17-010
Apr 14, 2017 – The Shadow Brokers release
stolen NSA exploits dump
May 12, 2017 – WannaCry spreads globally,
28 days after exploits are released
May 13, 2017 – Microsoft releases patches
for EOL Windows
5

6. Impact
200,000+ infections, 150+ countries
Major hospitals in the UK diverted patients due to
systems being down
Departure and arrival screens displayed the malware
at train stations in Germany
Gas stations in China were unable to process credit
transactions, forcing them to switch to cash
Attackers have received ~$70k in bitcoin
6

7. What happened next?
A kill switch domain was registered, stopping the spread
Within 48 hours, a new variant appeared with a different kill
switch, also registered to block infections
“WannaCry 2.0” has now been released with no kill switch
Other ransomware, such as Uiwix, are beginning to use the exploit
7

8. Remediation
Install the Microsoft MS17-010 update for supported versions of
Windows
Windows Vista, Windows 7, Windows 8.1, Windows 10
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2016
Install KB4012598 from Windows Update for End of Life (EOL)
versions of Windows
Windows XP SP3, Windows 8, Windows Server 2003 SP2
8

9. Workarounds
For systems that cannot be patched, Microsoft has provided a workaround.
This should be seen as temporary, and not complete mitigation.
No workaround
Windows XP SP3 and Windows Server 2003 SP2
Disable SMBv1
Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10,
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2016
https://support.microsoft.com/en-us/help/2696547/
9

10. Detecting Vulnerable Assets
Complete visibility of your
environment
Leverage both scanning and
agent deployments
Visualize the vulnerabilities using
dashboards and widgets
Prioritize key assets for
remediation targeting
10

11. Qualys Detections
91345 - Microsoft SMB Server Remote Code Execution Vulnerability (MS17-010) and Shadow Brokers
Qualys added this QID on March 14, following Microsoft’s March security patches
When using auth, this QID looks for missing patches, both MS17-010 and KB4012598
Without auth, the QID will attempt to determine vulnerability status remotely
91360 - Microsoft Windows SMBv1 and NBT Remote Code Execution – Shadow Brokers (ETERNALBLUE) MS17-
010
Qualys added this QID immediately following the Shadow Brokers release on April 14 to also detect the vuln
exploited by ETERNALBLUE across all Windows platforms
This QID looks for missing patches, both MS17-010 and KB4012598
70077 - Double Pulsar Backdoor Detected (Shadow Brokers)
Detects the presence of the DOUBLEPULSAR backdoor that WannaCry can leverage to propagate
1029 - WannaCrypt Ransomware Detected
Detects instances of WannaCry, and can be used with Continuous Monitoring to get alerts on new infections
11

12. 12
Qualys AssetView
Bring IT & Security Together
Unified view of IT & security data
Search all hardware & software inventory
information in seconds
Simple but powerful customizable
dashboards

13. 13

14. Data Analytics
An analysis of Qualys data shows positive progress, but there is still work to do:
• 54% of Windows hosts are still unpatched
• 5.78% of detected Windows installations are EOL
Qualys will be introducing the following capabilities within our solutions:
• Patch Management for instantly deploying critical patches such as MS17-010
• Qualys IOC for active detection and alerting on malware such as WannaCry
• Enhancements to ThreatPROTECT to include vulnerability prediction
14

15. Takeaways
• Focus on integrated security solutions that gives you endpoint, network and system
visibility so you can respond effectively
• Timely and complete patch and vulnerability management successfully prevents
WannaCry
• Cycle Time: 28 days from exploit release to dangerous malware means that 30-day
vulnerability scan cycles are not adequate
• Complete visibility is key. All assets must be covered by patch and vulnerability
management, including private cloud, back-end or legacy corporate environments which
may not have the attention of production or commercial environments.
• Resiliency: Have a thoroughly tested data backup and disaster recovery plan in place for
ransomware attacks.
15

16. Thank you
Questions?
mbutler@qualys.com | jgraham@qualys.com
Free trial: qualys.com/wannacry-trial