Cylance vs. WannaCry-WanaCrypt0r 2.0
« Back to Blog

Cylance vs. WannaCry-WanaCrypt0r 2.0

By The Cylance Team

The “EternalBlue” flaw that’s been taking over headlines in the news over the last few hours rose to popularity as a result of its inclusion in the leaked 'Shadow Broker' data. It has so far been hugely damaging to healthcare organizations. This article will catch you up if you’re not up to speed on the latest.

To cut to the chase: Yes, CylancePROTECT® fully prevents all in-the-wild examples of the malware related to these specific attacks. Cylance has blocked WannaCry since 2015. 

In this video, as we show the WannaCry/WanaCrypt ransomware worm in three scenarios:

1) On an unprotected machine.
2) On a machine protected by CylancePROTECT.
3) On multiple victims, with Cylance stopping further communication.

VIDEO: Cylance Stops WannaCry/WanaCrypt0r Dead, Pre-Execution

This attack exploits a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow for remote code execution upon proper and successful exploitation. This flaw was patched in Microsoft's March 2017 update cycle (MS17-10).

However, many environments are still behind on patches for various reasons and may also be running legacy operating systems (ex: XP) which are no longer updated/supported with security updates, which leaves those systems exposed. Leveraging this exploit, the attackers can fully execute arbitrary code.

In the case of the WanaCrypt issue, we are dealing with a ransomware executable that includes additional worm functionality. It has the ability to scan and locate other machines and propagate itself to other adjacent and exposed hosts via the EternalBlue vulnerability.

Due to the nature of the flaw, machines that are propagated to via the worm functionality do not require interaction from the user on the victimized host. 

The worm/ransomware binary handles the remote execution. In most confirmable cases today, stage one is a malicious phishing email. This includes an attachment that "patient zero" executes, which infects them, while simultaneously kickstarting “Stage 2” - the worm-type functionality and internal propagation/pivoting.

In addition to employing strong and effective endpoint controls, users are also encouraged to:

•  Keep software up-to-date, including operating systems
•  Avoid dangerous web locations
•  Educate users to detect potential cyberattacks delivered via phishing emails, infected banners, spam emails, social engineering attempts, etc.

UPDATE----05/16/2017

What is WannaCry?

With WannaCry/WanaCrypt0r 2.0, the world has seen a level of malware outbreak that we haven’t experienced since Conficker in 2008. With a layered security approach, it’s rare that this type of threat would be so damaging to so many organizations and garner such mainstream focus.

But as we’ve seen over the past few days, it’s far from impossible.

One has only to go back to 2003 to see the effects of the MS Blaster worm (also known as Lovsan and Lovesan, which first appeared in August of the same year). After the Chinese reverse-engineered a Microsoft Windows XP and 2003 patch, others created variants which traveled laterally inside computer networks, easily bypassing perimeter protection.

Sounds similar, right?

And now today, many security providers claim they provide protection against this ransomware worm. But how can this be true, as the White House and homeland security stated that over 300,000 machines across 150 countries were infected, as of last night?

Why Is WannaCry So Dangerous?

Because it’s a worm. This isn’t simply a case of ransomware – or even the insidious and ever-changing ransomware-as-a-service (RaaS). Rather, WannaCry has a highly contagious worm component, much like MS Blaster and Conficker which came before it. WannaCry exploits unpatched loopholes in Windows XP and Windows 2003, but also impacts Windows 7, Windows Vista, Windows Server 2008, Windows Server 2012, and unpatched or non-updated copies of Windows 8 and Windows 10.

Once infected, machines quickly spread the malware across networks.

We still don’t know what caused it, where it came from, or how it was able to spread so quickly. It’s easy to blame careless users, but there’s a lot we still don’t know.

Why Patching Doesn’t Work

In an enterprise or campus, it is often unreasonable or impossible to patch like consumers do with their home PCs. Enterprises must follow standard testing/QA cycles for patches and updates prior to widespread deployment.

There are a couple of reasons for this:

Firstly, it is imperative to verify that any new OS code doesn’t break any business-critical applications. This verification process can take time, sometimes up to a month. Since patches are released on a regular cycle (notably Microsoft’s “Patch Tuesday”), testing and qualifying the relevant April 2017 patches (which could have prevented WannaCry from running rampant) might have been completed, with the change controls and deployment approvals done, by mid-May.

In this case, when Microsoft released their May 2017 patches, many organizations require a full month, until mid-June – or later, with the holiday schedule – to test and qualify them as deployed.

Secondly, applying patches is never that simple. Traditional AV vendors have been known to release core engine patches which accidentally rename system files, then reboot. This ‘minor’ oversight in 2015 resulted in a large multi-national resorting to “sneakernet” to reinstall OS files on hundreds of PCs. Long story short, security and IT teams don’t often trust a patch right out of the gate. They know they should patch for security purposes, but they also know patches have broken systems and infrastructure in the past.

Another thread that is very interesting on this attack specifically, is that for a multitude of reasons, many customers run systems that are currently at end of life (EOL), such as Windows XP/embedded, Server 2003 or the like. Until this weekend, there was NO patch available for these systems. Tellingly, the systems that were impacted most heavily in the NHS were medical devices running XP. By the very nature of their critical use, any unexpected change could be disastrous, and IT teams can’t simply “just deploy patches.” These are custom systems we’re talking about here, with custom software that has a HIGH chance of breaking with a Microsoft patch – it has happened a lot in the past!

How Can Cylance Help?

Cylance protects your systems while your IT teams do their due diligence on the issued patch. We’re running in the background and keeping you safe as you’re performing testing/QA/qualifications. This takes the weight off you to manage your security while you’re updating, while making sure your critical defenses stay up and running 24/7. 

How Cylance Protects Against WannaCry

Cylance was founded on the fresh perspective of using machine learning (ML) for the sake of good. We did not set out to be a security company – security just happened to be the most difficult, and the most needed, problem we found we could solve using our artificial intelligence-based approach.

Here’s the good news. With CylancePROTECT®, we found that every computer running our product – with a math model from 2015 or later – was already protected against this nasty worm WannaCry.

What that means is that even if WannaCry had been released two years ago, you would’ve already been protected. That’s the power of machine learning: our math-driven models take massive amounts of data about known malware and predicts what future malware will look like, in order to prevent it from getting into your systems in the first place.

The fact that our AI was able to predict and prevent WannaCry way back in 2015 means that our customers have been safe from this attack since then. And that’s why it’s a big deal and not just a marketing tactic to talk about the power of machine learning and artificial intelligence. We’re solving real-world problems before they become problems in the first place.

Even better – CylancePROTECT stops the actual propagation of the worm, breaking the chain.

Looking around the industry, Cylance is one of the only true preventative technologies that stop WannaCry – and we can attest to this fact.

Any Questions?

Our threat researchers are continuing to investigate new samples as they arrive, to ensure that CylancePROTECT can fully block all new variants. Get started with CylancePROTECT now to make sure you’re safe against threats like this one – reach us at Cylance - Contact Us.

If you’re a Cylance customer and you’ve still got questions, please reach out to us at https://support.cylance.com.

Tags: