Detecting and Responding to WannaCry Ransomware

Threat

The WannaCry ransomware cryptoworm and its variants have been at the center of cybersecurity efforts since 2017, when WannaCry launched a worldwide cyberattack. The attack targeted exposed systems running unpatched versions of the Microsoft Windows operating system, either because they had reached end-of-life (EOL) or because of poor patching practices.

WannaCry proved extremely efficient at infecting systems not protected by the Microsoft MS17-010 security update. It exploited systems using EternalBlue and then used the compromised systems to swiftly spread itself even further. The success rate, combined with the worm nature of the ransomware, gave the attacker a rarely seen speed of infection, resulting in a significant impact on businesses on a global scale.

WannaCry encrypted the system's data, rendering the system unusable and the data unrecoverable until the victim made a ransom payment, typically in cryptocurrency. WannaCry and the resulting ransom collections created a huge windfall for the attacker, and there have been a multitude of variants of the same ransomware since the initial launch. The result was a strong trend among attackers to use ransomware more frequently to commercialize their malicious intent and skillsets.

Scenario

At the launch of the WannaCry campaign, NTT Security was extremely successful in protecting its clients from further compromise. With its advanced analytics capabilities, NTT Security successfully detected and responded to WannaCry infections roughly 10 hours before WannaCry was even recognized as an ongoing campaign and named by the cybersecurity industry.

With its sophisticated detection ability, NTT Security detected WannaCry by applying a combination of advanced analytics techniques designed to monitor for abnormal behaviors, including those typically associated with malware. This ability to create a timeline (“BOOST”) that tracks a multitude of compromise indications, and to analyze these dynamically and holistically, resulted in robust and accurate detection of WannaCry for multiple clients.

Consequences Avoided

Sophisticated advanced analytics and threat intelligence curated from a truly global service delivery have enabled NTT Security to swiftly and accurately detect and respond to WannaCry and other ransomware families ever since. This same protection, once reserved for enterprise clients, is now included with CTS-AI, allowing subscribers to successfully minimize the impact of WannaCry and other ransomware attacks.