
Some Thoughts on the WannaCrypt Ransomware Attack

May 18, 2017 1:20:26 PM | Security

What Is WannaCrypt?

Over the weekend of May 12th, a ransomware attack was launched that infected computer systems in 150 countries worldwide. Vital healthcare and transportation systems, as well as businesses, were affected across the globe.

The ransomware goes by several names but is most commonly referred to as WannaCrypt. WannaCrypt infects systems via an email attachment. The malware encrypts the files on infected systems and replaces the desktop background with a message demanding a $300 Bitcoin ransom to decrypt the victim's files within a set time period. Once it has a foothold, WannaCrypt takes advantage of a known vulnerability in the Server Message Block (SMB) networking protocol to spread. Systems that are current with their updates and security patches are protected from WannaCrypt. Instructions for updating your system can be found here and one of several good articles describing WannaCrypt can be found here.


How Does It Work?

One interesting aspect of WannaCrypt, and one that is typical for malware, is that during its infection sequence it issues a DNS query for the following domain name: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This is typical because malware very often leverages the Domain Name System (DNS) during operation. Interestingly, WannaCrypt stops its operation if the query succeeds, but continues infecting the host system if it fails. Several security researchers believe this technique was intended to prevent analysis in sandbox environments. Fortunately for computer security professionals, regardless of the reason behind the query, it effectively provides a kill switch that stops WannaCrypt from spreading in their networks. You can read more about the kill switch here.


What Can I Do About It?

This attack demonstrates not just the value but the outright necessity of monitoring DNS traffic on corporate networks. For WannaCrypt, as for most malware, one of the earliest indicators of an attack is a DNS query. Some DNS threat detectors use machine learning and some work in real time; Jeskell's CyberSentinel is a machine-learning based, real-time network malware detector that monitors all DNS traffic to and from the corporate network. Rather than relying on post-mortem analysis of DNS log files in search of attack indicators, CyberSentinel gives security analysts real-time notifications, generated by machine-learning technology, when malicious domains are queried. This saves time for busy security professionals while ensuring that threats are detected, and most importantly stopped, before they can do extensive damage.
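As an added illustration, not code from the post or from Jeskell's product: a small scanner over constructed DNS query log lines that flags a query for the kill-switch domain named above and, as a crude lexical stand-in for the machine-learning classification the post mentions, any unusually long high-entropy label. The log format, the watchlist, and the thresholds are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed sample log lines in a dnsmasq-like format (an assumption of this example).
SAMPLE_LOG = """\
May 12 10:01:02 dns1 dnsmasq[812]: query[A] www.microsoft.com from 10.0.1.15
May 12 10:01:05 dns1 dnsmasq[812]: query[A] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.1.22
May 12 10:01:07 dns1 dnsmasq[812]: query[AAAA] mail.example.org from 10.0.1.15
May 12 10:01:09 dns1 dnsmasq[812]: query[A] x7kq2m9vbw4zpl8ndr3ygt5.example.net from 10.0.1.30
"""

# Watchlist of known indicator domains; here only the kill-switch domain from the post.
WATCHLIST = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the longest DNS label.
    A crude proxy for algorithmically generated names, not a trained model."""
    label = max(name.strip(".").split("."), key=len)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def classify(name: str, entropy_threshold: float = 3.5, min_label_len: int = 20) -> str:
    """Return 'watchlist', 'suspicious' or 'benign' for one queried name."""
    host = name.lower().rstrip(".")
    if host in WATCHLIST:
        return "watchlist"
    longest = max(host.split("."), key=len)
    if len(longest) >= min_label_len and label_entropy(host) >= entropy_threshold:
        return "suspicious"
    return "benign"


def scan_log(text: str) -> list:
    """Parse query lines and return one alert dict per non-benign query, in log order."""
    alerts = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m["name"])
        if verdict != "benign":
            alerts.append({"client": m["client"], "name": m["name"], "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['verdict']}: {a['client']} queried {a['name']}")
```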


* * *


To learn more about Jeskell CyberSentinel Threat Detector, read our data sheet.


Bruce Brown
