How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network
WannaCry Ransomware has become very active in May 2017. It looks to be targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. One of the big lessons from this Ransomware outbreak is that it is vital that you have monitoring in place on your network. You need to be able to quickly identify suspicious activity. When it comes to detecting Ransomware, there are three key things to watch out for:
- An increase in file renaming on your network shares.
- SMBv1 activity
- Inbound SMB activity if TCP port 445 is open on your Firewall
Passively Detect Ransomware Using Network Traffic Analysis
Network traffic monitoring is an ideal way of monitoring what is happening on your network, as you don’t need to install agents or client software on your network devices. It is also a very useful option for continuously checking your network for vulnerable legacy systems like Windows XP or systems that can use SMB1 which is deemed to be insecure.
Detecting Ransomware Step 1 – Set up a Data Source
One of the easiest ways to monitor what is happening on your network is to set up a SPAN/mirror port or use a network TAP. This will give you access to flows and packet payloads, so you can see who is connecting to what and if there is anything suspicious moving around.
Check out this blog post if you use Cisco switches, as it explains how you can monitor multiple network segments without the need to remember what is connected to which switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to set up monitoring on other switches.
As I mention above, you can monitor what is happening on your network by monitoring network traffic. However, you do need an application that can process network packets to get meaningful information. Tools like Wireshark may struggle if you are dealing with large volumes of traffic.
Our own product LANGuardian can be used to monitor network traffic. It does not store every packet; instead it captures metadata which can be used to spot security or operational issues on networks. It includes an SMB and NFS decoder as well as a built-in Intrusion Detection System (IDS). When it comes to Ransomware, these metadata values are useful for spotting problems:
- File names, specifically those hosted on Windows file shares
- File actions like rename or create
- File sharing protocol versions like SMBv1
- Capturing specific packets associated with known Ransomware variants
- Flow records of clients connecting to external IP addresses
Even if you don’t plan on using LANGuardian, check if your existing network monitoring tools have the ability to capture this data. Flow-based tools on their own are not good at detecting Ransomware, as they do not see the packet payloads which are required to tell if your file shares are under attack.
Step 2. How to Focus on WannaCry Ransomware
There are six things to watch out for when it comes to detecting WannaCry Ransomware:
- Check for SMBv1 use. This Ransomware is not limited to just Windows Server 2003 and XP clients. A large number of WannaCry victims were running Windows 7. SMBv1 can run on all Windows versions, so check your network for any activity.
- Check your web and DNS traffic for any attempts to connect to these domains:
- Check for an increase in the rate of file renames on your network.
- Look out for any outbound traffic on TCP 445. This really should be blocked.
- Check for any instances of the file @Please_Read_Me@.txt on your file shares.
- Check for any instances of files with these extensions
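The three warning signs listed at the top of the post and the WannaCry checklist above can be turned into simple alerting logic over the kind of metadata a passive monitor produces. The following is an added example written for this post, not LANGuardian code: it classifies a TCP/445 payload as SMBv1 or SMB2/3 from the SMB header magic, and scans constructed file-activity and flow records for outbound TCP 445, SMBv1 sessions, the ransom note filename and a rename spike. The internal address ranges, the rename threshold and the record layout are assumptions.

```python
import ipaddress
from collections import Counter

# SMB header magic bytes; they follow the 4-byte NetBIOS session header in a TCP/445 stream.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"  # SMB2 and SMB3 share this header
RANSOM_NOTE = "@Please_Read_Me@.txt"
RENAME_THRESHOLD = 20    # renames per client per minute; assumed value, tune to your baseline
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def smb_version(payload: bytes):
    """Classify a TCP/445 payload by its SMB header magic: 1 for SMBv1, 2 for SMB2/3, else None."""
    magic = payload[4:8]
    return 1 if magic == SMB1_MAGIC else 2 if magic == SMB2_MAGIC else None

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def analyse(records):
    """Return (kind, client, detail) alerts for the WannaCry indicators over metadata records."""
    alerts, renames, smb1_seen = [], Counter(), set()
    for r in records:
        if r["port"] == 445 and not is_internal(r["server"]):   # SMB leaving the network
            alerts.append(("outbound-445", r["client"], r["server"]))
        if r["smb_ver"] == 1 and (r["client"], r["server"]) not in smb1_seen:
            smb1_seen.add((r["client"], r["server"]))           # report each SMBv1 pair once
            alerts.append(("smbv1", r["client"], r["server"]))
        if r["filename"].endswith(RANSOM_NOTE):
            alerts.append(("ransom-note", r["client"], r["filename"]))
        if r["action"] == "rename":
            renames[(r["client"], r["minute"])] += 1
    for (client, minute), n in renames.items():
        if n > RENAME_THRESHOLD:
            alerts.append(("rename-spike", client, f"{n} renames in minute {minute}"))
    return alerts

def rec(minute, client, server, action="", filename="", smb_ver=2, port=445):
    return dict(minute=minute, client=client, server=server, port=port,
                action=action, filename=filename, smb_ver=smb_ver)

# Constructed sample metadata (not a real capture): one client renames 25 files in a minute and drops the note; another talks SMBv1, then reaches out on TCP 445.
SAMPLE = [rec(0, "10.0.0.5", "10.0.0.10", "rename", f"\\\\fs01\\share\\doc{i}.docx") for i in range(25)]
SAMPLE += [rec(0, "10.0.0.5", "10.0.0.10", "create", "\\\\fs01\\share\\@Please_Read_Me@.txt"),
           rec(1, "10.0.0.7", "10.0.0.10", "read", "\\\\fs01\\share\\report.xlsx", smb_ver=1),
           rec(1, "10.0.0.7", "198.51.100.7", smb_ver=None)]

if __name__ == "__main__":
    for kind, client, detail in analyse(SAMPLE):
        print(f"{kind:13} {client:12} {detail}")
```

Feed it the per-minute file and flow records your own monitor exports; the rename threshold should be set from a quiet-period baseline so normal bulk operations such as backups do not trip it.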
SMBv1 is deprecated and should be removed from your network. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. At a minimum, you should be patching your systems as per Microsoft Security Bulletin MS17-010. In the video below, I cover off more on how you can use LANGuardian to detect SMBv1 and suspicious file activity.
Top Tips for preventing Ransomware on your Network
- Backup your files regularly and make sure to keep a copy off site. This may be stating the obvious, but a lot of people get caught out when they go to restore files. Build a test server and see if you can restore onto it.
- Limit the use of Microsoft Office Macros: A lot of Ransomware is spread using Office attachments. Microsoft recently published an add-on which can stop you from enabling macros in documents downloaded from the Internet. Some more reading here.
- Be careful of opening attachments from unknown sources: This is especially true for employees who may receive CVs or financial documents. It may seem normal for them to open attachments from strangers. I have seen targeted attacks where a company advertised a job on the Internet. The HR department received applications with attachments which contained malware associated with Ransomware. Make sure you tell applicants to only send PDF type attachments.
- Keep your systems patched: WannaCry and other WannaCrypt variants targeted systems running SMBv1. Microsoft published Security Bulletin MS17-010, which addressed issues with SMBv1. At a minimum, you should disable SMBv1 and patch all relevant systems on your network. However, the general advice is to stay on top of installing updates; you never know what will be targeted next.
- Know what is happening on your network: When Ransomware strikes it can be difficult to figure out what data was encrypted. Users will report that they cannot access certain files or folders, but they won’t know what exactly was targeted. Get an audit trail of all file and folder activity. You can implement file activity monitoring passively using network traffic analysis.
- Know what is happening at the edge of your network: When it comes to keeping your network safe, it is vital that you know what is going in and out of the network edge. Don’t rely on firewall logs as they may become inaccessible when your network is under attack. Look at deploying a combination of intrusion detection (IDS) and flow analysis with metadata capture. Information captured at this point can be crucial if your network is attacked. Look at capturing:
- IP addresses with associated GeoIP details
- Flow information such as source and destination TCP or UDP ports. WannaCry targeted networks where TCP port 445 was open so you should block this type of activity at the edge.
- DNS traffic details like hostnames and DNS server addresses
- Attachments inbound and outbound via SMTP
- Web domain names – HTTP and HTTPS
- IDS events associated with suspicious packet payloads
- Associated usernames so you can track who is doing what
- Web client information such as operating system type and browser type
- Don’t rely on log files alone for investigating issues. Log management tools have their uses but they can be compromised if a network is attacked. Recently a number of school districts were targeted with a Ransomware attack in the US and the hacking group turned off the logs recording who accessed their systems.
How to disable SMBv1
Server Message Block (SMB) is a protocol mainly used for providing shared access to files and printers on computer networks. Microsoft is recommending that SMBv1 is disabled on all server and client Windows installs as it is insecure and has been replaced. If you detect any SMB1 activity on your network, these steps for shutting down the protocol should apply to the most popular Windows versions. Take a read of this article on how to enable and disable SMBv1 in Windows and Windows Server.
For client operating systems:
- Open Control Panel, click Programs, and then click Turn Windows features on or off.
- In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
- Restart the system.
For server operating systems:
- Open Server Manager and then click the Manage menu and select Remove Roles and Features.
- In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
- Restart the system.
There is some additional reading in this Microsoft post which includes some customer guidance for WannaCrypt attacks.
I don’t have Ransomware on my network; should I worry?
If you have good update procedures and network users are cautious when it comes to clicking on attachments and strange links, you should be able to keep the WannaCry Ransomware away from your network. However, now is the time to get an inventory of what SMB versions you are running on your file servers and take action if you find SMBv1.
Now is also the ideal time to get a good network monitoring system in place. Don’t wait for Ransomware to strike, it is much easier to get something in place when your network is not under attack.