WannaCry recap, patches, and analysis

SANS Institute

Key Takeaways

The webcast discusses the WannaCry ransomware attack, its propagation, and analysis, including the use of the EternalBlue exploit, kill switch domains, and patch management, as well as incident response and security measures to prevent similar attacks.

Full Transcript

Carol: Hello everyone and welcome to today's SANS webcast, "The latest on WannaCry ransomware." My name is Carol Auth of the SANS Institute and I will be moderating today's webcast. Today's featured speakers are SANS instructors Jake Williams and Benjamin Wright, and Renato Marinho, chief of research at Morphus Labs. If during the webcast you have any questions for our presenters, please enter them into the questions window located on the GoToWebinar interface. Please note that this webcast is being recorded, and a copy of the slides and recording of this webcast will be available for viewing later today and can be found on the SANS registration page. And with that, I'd like to hand the webcast over to Ben.

Ben: Thank you, Carol. Those of you who know SANS well know that I'm the legal guy, and today I'm not here really to talk very much about law. One of the hats that I wear at SANS is that I am the chairman of the Data Breach Summit. We held that summit first in Chicago back in August, and we will hold it again in September and October. In the course of running the Data Breach Summit, we reach out around the world and try to find experts on different kinds of cyber crises. One of the things that we've found in running this summit is that we've met Renato Marinho, who is a malware security expert in Brazil. We've already been talking to him about discussing fighting ransomware in Brazil when he comes to speak in Chicago at the summit. So it is very timely that we've been able to invite him to join us today, along with Jake, to discuss what the experiences have been with respect to WannaCry. I know some people call it WannaCrypt, and there may be other words out there that people use to define this, but most of today will focus on the experiences of Jake and Renato, and sort of evaluate where we are as of right now with respect to this particular attack.
I ask here: is it a post-mortem? Meaning, is this thing over? I don't know. Maybe that's part of what we're going to talk about. Or will there be additional waves of something like this WannaCry ransomware? We'll be talking about that. Please note that Jake did provide a webcast that has been recorded. You can go listen to this; that was as of late on Friday, in the heat of battle. So I imagine that Jake has probably learned a few things since then that he's going to be sharing with us. So my role primarily will be sort of a master of ceremonies and to help make sure the questions are answered. We'll start with Jake, and then we may take a couple of questions after Jake's formal presentation. Then we'll invite Renato to provide his formal remarks, and then we'll take some Q&A at the end. And with that, I'll pass it over to Jake.

Jake: Hey Ben, thanks so much. I'm really excited to be here. As you mentioned, I did the webcast, quote, "in the heat of battle," on Friday night. Certainly we know a whole lot more about it now than we did then. But just to catch everybody up, if you're just getting into the swing of things: there are two key components to this ransomware. There's a worm, and then there's actually a ransomware package, and these are completely separate.
The worm itself is what uses the kill switch, the domain kill switch that we've heard so much about in the media, and I'm sure we're going to talk more about that here in a few minutes; I'm sure that'll continue to evolve as well. But the ransomware package itself is basically a completely separate resource in the worm, and it's one of those things that almost looks like it was built modularly. Now, whether this was done because somebody wanted to swap out the payload later, or whether it was done because that was the easiest way that the attackers could figure out how to do it, is unclear. But again, it's very modular, where it's trivial for anyone with even a basic level of knowledge to swap out the payload and use the worm to continue propagating that payload. So the kill switch that we've heard so much about, the kill switch domain, actually operates on that worm piece. The worm appears to be spreading using a leaked NSA exploit named EternalBlue, which installs a backdoor in SMB. It's actually quite fascinating, the backdoor. I don't have time to cover it here, but definitely go read up on that if you're deep into the tech, because it actually patches the way that SMB works and uses some non-standard functions in SMB. Really, really impressed here. So again, spreading using those exploits; basically, we're looking at just EternalBlue and DoublePulsar being used to move the package around. So the malware has a kill switch that terminates if a particular domain resolves. We're not sure why this is here. It may have been anti-analysis, but I don't think it's anti-analysis. I think really what we're looking at, most likely, was that the attackers were looking to make sure that they had a way to shut down the malware.
Again, it could have been anti-analysis. Sometimes in our analysis sandboxes, our malware sandboxes, we set up fake DNS servers and fake web servers. Very commonly, in fact; we teach this in the SANS 610 course, where we explain how to set up fake DNS and a fake web server. Well, I guess technically a real web server, but fake DNS, and it will resolve any domain back to the web server so that we can see how the malware would interact with the web server. Given that this is something that we see a lot in malware sandboxes and a common malware researcher technique, it's possible that this was used to basically prevent the worm from doing anything nasty inside of a malware analysis sandbox. So, as far as kill switch domains, there's more than one of these at this point. There's now been a total of four different domains that have been identified. All of them have been registered. One of the things that we've noted: a couple of our clients came in and said, "Hey, we're employing," and I'm not going to name and shame any vendors here, but they're using firewalls and other technologies that are blocking access to these domains. They say, "Hey, these are associated with malware. Therefore, we should block access to these." Don't do that. In order for this to be effective, the way the kill switch works, the malware actually has to reach out to these domains and receive an HTTP 200 response code, so basically a success response code. If they don't reach out to these domains, they don't receive that response code, and then the malware continues to propagate. Well, obviously, you don't want the malware to continue propagating. Hence, blocking access to these domains is exactly the opposite of what you want to do.

Right, Jake?
Ben: Jake, we got a comment that says, "Slow down just a little bit." And yeah, I know you're excited, and I'm excited too, but that's probably a good piece of advice.

Jake: Well, in that case, I'll do that. Exactly. Yeah. So, I am absolutely excited about this and I had a lot to cover, but I will definitely slow down a little bit. I apologize. You know what it is? I'm still on the west coast over here and I'm just amped up on my morning coffee, right? So usually you catch me a little bit later in the day and I'm a little bit slower. But yeah, I'll slow down a little bit here. The key here is you can't block access to these domains. If you're blocking access to these domains, you're doing exactly the opposite of what you want to do. Again, the kill switch only functions if the malware can reach these domains. So if you're using a firewall or proxy or whatever in your network, by the way, the malware is not proxy aware, and so if you have an explicit proxy configured and the malware tries to reach out, of course it doesn't know about your proxy; it can't touch these. So we've been issuing two pieces of guidance to our customers. One: check these domains and make sure you can actually get to them. If you can't get to these domains, your malware can't get to the domain either. If the malware can't get to the domain, it continues to propagate. So check these internally in your network. If you can't open up a web browser and get to these, neither can your malware. It's possible that you can get there in your browser, but you have an explicit proxy configured in your browser. And again, your malware doesn't know about the proxy, and again, it can't get there.
If you have proxies configured, and honestly in any enterprise environment you should have a proxy configured, then if that's the case I would go ahead and set up an internal web server to handle requests to these domains and point your DNS server to that web server. And again, that will stop the malware from propagating if it somehow gets into your environment. I mean, we hope at this point it's not getting into your environment, but that's not a bet that I'm willing to take. All right. So I suspect that there are machines that have been infected with this, particularly BYOD and mobile workforce machines: laptops that have gone home and become infected, or somebody at Starbucks, or wherever it is that you do work, becomes infected. You bring these back into the enterprise, and some of these unpatched machines in the enterprise just get knocked over like wildfire. So along those lines, again, don't block access to the domains. That's kind of the TL;DR there: too long, didn't read. And I'm waiting on my slide to advance. I apologize. Sometimes these are slow, particularly when we get a lot of people on the webcast; I've noticed they're slow to advance. So give me just a second here and we'll get advanced. Hey, Carol, can you advance me here? I don't think this is... There we go. It's finally advancing. I'm seeing the update now. So a sample appeared in the wild without a kill switch configured. And I actually wrote more about this on our website, some technical analysis. From the get-go we said it would be trivial for somebody to change the kill switch domain or completely remove the kill switch. Obviously that's a concern to us. We actually have observed a package in the wild that had the kill switch removed.
So it's propagating, but what's very interesting about this is that somehow, in modifying the kill switch, the attacker modified something else in the payload and broke the payload. So it turns out that what would have otherwise been a worst-case scenario, the malware without the kill switch enabled, although it's propagating, is not infecting hosts, and that's really the key here. So if you're looking for any more technical info, you can follow that bitly link. I know people hate bitly links, but for folks that are trying to write down links I much prefer these, because again it's much easier later. When you have all the technical info, I know it's easier to click a link, but here it's definitely easier to write down. So I promise you I would never redirect you somewhere malicious. Again, we wrote up more information about the no-kill-switch variant of the malware on our website. So the gentleman who originally reverse engineered the malware and registered the kill switch domain is a researcher out of the UK named MalwareTechBlog. I actually had a chance to meet him at DEF CON last year. He's actually a really cool guy. He prefers to remain anonymous. Some of the folks in the UK media have not exactly been honoring his requests. But in any case, he is now receiving free pizza for a year from Just Eat UK. They tweeted that out this morning, that superheroes deserve pizza. He's actually a surfer as well, and so they mentioned the fact that he's a surfer, but anyway, they gave him a free year's supply of pizza. And Carol, is there any chance you can advance slides for me? I'm getting a little spinny wheel of death over here and my slides just are not advancing.

Carol: Hi, Jake. This is... Yep. I'm not sure I'm the only one. I couldn't hear you for a little while.
Jake: Oh, I may be dropping out. I'm not entirely certain where I'm at here. Is there any way you can advance a couple of slides for me?

Carol: Sure.

Jake: I'm getting a little spinny wheel of death over here and...

Carol: Okay, sure. I'd be happy to do that for you.

Jake: This has happened twice when we've had lots and lots of people on a webcast. So I don't know whether it's a Mac GoToWebinar thing or... not sure. In any case, if you can help me out with our technical difficulties. I'm definitely not infected with WannaCry, I know that much. I'm not sure which slide that is, then. Yeah, if you can just pop me up to "Staying Safe," that would be ideal.

Carol: Okay, "Staying Safe." We're there.

Jake: Yeah, perfect. Great. Okay. So at this point it goes without saying that you should patch immediately, if you haven't done so already, right? I mean, Microsoft released this patch in March. And I don't want to get ranty here about patches, but patch cycles of 60 days or more are just not acceptable. This is 2017.
Patch management has been on the SANS Critical Security Controls now for a long time, and I'm not pumping the SANS 20 Critical Security Controls, although they work, but we really need to move the ball forward here, and unfortunately that's just not happening with patches. We're seeing that: at Rendition, my company, Rendition Infosec, we've been doing internet-wide scans for DoublePulsar, the backdoor that gets dropped with EternalBlue, since it was released by the Shadow Brokers back in April, and we've constantly been floored, one, by the number of machines listening on SMB directly on the internet, and two, by just the raw number of machines that have been exploited. Our high water mark was about 150,000 that were actively infected with DoublePulsar. Now, it's important to note that DoublePulsar disappears on reboot. So what's likely happening is the attackers are exploiting, DoublePulsar gets installed, and then they basically use that as an access method to install long-term permanent malware. So this is something that I expect to see more of in the future. And so the idea that we don't have patches, or people haven't patched, I can't say that I'm surprised.
In 2016, really, we saw the first hard drop-off, during our penetration tests, in the number of machines we could exploit with MS08-067. That's the vulnerability from Conficker, from 2008, right? So 2008 to 2016 is when we saw the hard drop-off of being able to get in a network. I was confident all the way through 2015, and confident meaning I would happily bet you money, that when I got inside a network I would be able to exploit something with MS08-067. I was just confident, and with good reason; consistently we could do it. So what you do need to know is that previously Microsoft said, "We're not releasing any more patches for XP or Server 2003." Even when the MS17-010 patches, which is what patches the EternalBlue exploit, even when these came out, Microsoft didn't release these to anybody but the folks paying for long-term support for XP or Server 2003. And we can talk about whether or not that was reckless another day. But Microsoft turned tail late Friday night, early Saturday morning, and released patches for XP and Server 2003. What's really interesting, if you want to put your tinfoil hat on about Microsoft, is that they had compiled the XP patch in February. February is the first time in history, and why I say history: since they began doing Patch Tuesday, it's the first time Microsoft missed a Patch Tuesday, right? So first time they miss a Patch Tuesday, and the XP patch was compiled in February. I'm interested to know, and this might be a good question for Ben. Ben, what do you think about this? Does Microsoft have any, just as a lawyer, kind of a lawyer's aspect, do you think they have any obligation here? I know it was out of patch maintenance, but does the fact that they compiled the patch in February and then released it only after people started getting harmed...
Is there a liability thing there?

Ben: Well, anybody can sue Microsoft and try. On the other hand, Microsoft probably has some pretty strong defenses that say that we're not obligated to do these things. Furthermore, their end-user license agreement absolves them from liability. And so it's just not been very successful to try to sue Microsoft, or someone like Microsoft, under these end-user license agreements, even though they've got some kind of vulnerability, even if they know the vulnerability. So the answer is: good luck suing Microsoft. Have fun. Lots of people have tried to sue people like Microsoft over the years and not had a whole lot of success.

Jake: Okay. Yeah, that's kind of what I would have guessed. But it was just kind of interesting to me. If I'm Microsoft, forgive me here, and I'm not putting my tinfoil hat on or anything, but if I'm Microsoft and I'm going to go ahead and push the patch for XP or Server 2003, I'm going to go ahead and recompile it that day and then send it out, right? So that somebody like me, researcher-wise, doesn't look at the metadata and say, "When was this compiled? Back in February? Why did you wait until now to release it?" Just from a PR standpoint, that seems like a missed opportunity on public relations. It opens up a lot of questions, but Ben, I mean, of course, I trust your legal opinion here, and I think you're probably right. Good luck suing anybody with a much bigger legal team than you. So, Carol, can you advance my slides again? I apologize. This is just a spinning wheel over here.

Carol: We're on "Staying Safe," too.

Jake: Perfect. Perfect. So for systems that can't be patched, consider network segmentation. We actually talked about this in the news. We had a good article written in, I think, ITworld, if I'm not mistaken.
And we talked about how Server 2003 was never going to be patched again. You need to isolate your networks. We're working with a Fortune 50 company right now that has more than 2,000 Windows Server 2003 boxes inside their network, and they have no plans to update them. Even with these vulnerabilities released, they just said, "We understand the problem, but we need to find ways to keep these machines safe." The cost of upgrading these, and making the software that runs on these run on a new version of Windows, 2008 and later, they said, is simply unacceptable. "We're just not doing it." And this is an interesting risk decision. I'm sure that there's probably some liability that comes along with that, potential consumer liability or whatever, which of course Ben knows way more about than I do. But I really like the idea there, where they've done a full risk analysis and they just said, "Look, we can isolate these machines." There has to be a way to protect these machines from attack while continuing to get use out of them, even if we can't get new patches. One of the things that we tell clients all the time, and people argue with me on this, and I tell this to every SANS class, no matter what SANS class I'm teaching, as we talk about defense in depth and security in general: there is never a legitimate reason for one workstation to talk to another workstation using SMB. People have argued with me about this for years. But listen, if you have this as a requirement, there is a network architecture failure, meaning somebody has failed to properly architect your network. Now, people tell me, "Sue's workstation runs the database for this one-off application that we use in HR or legal or whatever." Fine. Then it's not a workstation.
It's a server, and it needs to be architected as such and protected as such. It needs to be put in the appropriate area of the network. Again, there's never a legitimate reason for one workstation to talk to another using SMB, period. If you're running file services, print services, database, app, you name it, and somebody else needs to talk to you over Server Message Block, again, you're not in the right place. You need to move it. Wow, apparently now all my mouse clicks are catching up. Can you move me back, Carol?

Carol: Sure.

Jake: Awesome. Can you put me on three, "Staying Safe"?

Carol: We're there.

Jake: Awesome. Okay. So here are my pieces of advice. Restrict TCP port 445. This is SMB; 139 as well, honestly. 139 is old SMB, 445 is new SMB. Restrict it to where it's absolutely needed. Use router ACLs, router access control lists, to do this. In order for you to do this, of course, you have to first segment these machines onto their own dedicated subnets, so that communication between one machine and these vulnerable machines passes through a router. All right? So I want to restrict that traffic only from the hosts that need it to the hosts that need it. Let me come back to the example of running an app server off of my workstation. I want to move that into the data center and put that on a subnet, and I actually want to control access to that specific app server from the IP addresses that need it. Now, this is complicated with DHCP. I understand the complication, but really we're talking about security here. Another thing that we recommend to people is to use private VLANs. These private VLANs prevent workstations from talking to other workstations at layer 2. This isn't even a host-based firewall; this is way better. This makes attackers' jobs much, much harder and causes them to make lots and lots of noise.
If your edge switches don't support this feature, buy new edge switches, right? Again, this is an enterprise feature. You should be in an enterprise using enterprise switches. If you're a SOHO shop or an SMB (SMB here being ambiguous, I guess), if you're a small or medium business and you don't have enterprise features on your switches, then at least use host-based firewalls to limit communication on TCP port 445, particularly, again, between workstations. I understand that administrators use this feature a lot. That's fine. You can configure access to SMB, to TCP 445, on the workstations so that it can only come from the administrative machines. Can you advance me another slide? Perfect. So for machines that can't be patched, my company put together a tool called Tearst0pper. There's a mutex in the malware, the actual ransomware itself. Ransomware, or anything that propagates via worm, will usually set up one of these mutual exclusions in memory, and the idea here is that once this mutex is held by some process, it can't be held by other processes. If you think about how ransomware is working, it's encrypting files, right? And think about the fact that the worm might hit the same machine again, might infect that machine and drop the ransomware package a second time. If that happens and the ransomware is already encrypting your files, it starts encrypting the files again, right? They would be unrecoverable. Right now, in this case, your files are unrecoverable anyway. It turns out that nobody that I know of that has paid in this particular ransomware case has gotten their files back. One of the reasons for this is that normally ransomware creates per-victim bitcoin addresses, so there's an easy way for the attacker to verify exactly who has paid and who hasn't.
In this case people are paying, but they're paying to a set of, I believe now, four or five different bitcoin addresses in play, not unique bitcoin addresses per victim. Well, the attackers are now having to go manually try to deconflict, and I've talked to folks that have tried to chat with the attackers, and honestly, if I'm these attackers in particular, I'm going dark, right? I'm not really out there. I'm not looking to be caught at this point. They've ticked off some pretty high-level people, including the Russians, the US, and the UK. So, can you advance me again, Carol?

Carol: We're good.

Jake: Awesome. So, tracking the perpetrators: there's a theory that the WannaCry authors lost control of the worm while it was still in testing mode. Look, if you've got a worm exploiting a zero-day vulnerability, or a largely unpatched vulnerability, and again, I'm not speaking for any of my clients here, I just know historically how long it has taken to get patches out. And I expect this to be another one of those where I can bet you money I will find vulnerable hosts for years to come, at least four or five years to come, on internal networks. By the way, I challenge all of you out there to prove me wrong. I hope that I'm wrong. I just don't think I am, based on history. Again, there's a theory that, just based on how rudimentary the ransomware was, they lost control of it. They were still in testing mode on an internal network and let it out.
They didn't mean to, and now they're trying to play catch-up. And this is kind of interesting, because, Carol, if you can advance me to the next slide here: the kill switch domains that are registered, or the original kill switch domain, would have always called out to the internet, right? There would have been a request for it. Even though the domain wasn't registered, there was still a DNS request that was made, and that would have ultimately gone all the way back up to the TLD (top level domain) DNS servers, and they would respond ultimately with an NXDOMAIN, no such domain, error code. Well, Nick Weaver, or Nicholas Weaver, basically posited, "Look, NSA probably has enough signals intelligence, passive network capture, to go find patient zero on their passive DNS." And what he's referring to here, XKS, refers to some of the leaked Snowden documents, this system called XKeyscore, which is, according to the documents at least, basically a bunch of passive network intercept, and he says, "Hey, we can use this to go find the initial infections." Nicholas has the assumption, as do many (I say assumption; he has performed the analysis and believes, as do many researchers), that the initial patient zeros were located somewhere in Russia or Eastern Europe. So what he's saying here is that because it hit the Russians so hard, and they tend to handle things in a pretty interesting way, he says, "Hey, why don't we go find patient zero, looking at any passive intercept that we have, and use that to notify the Russians and let them know basically this is where it started, and let them conduct their own investigations." So I don't know if you agree with this or not, but it's definitely an interesting proposition. So, Carol, if you can advance me again.
Okay, so Microsoft actually published a response this morning, and they're taking NSA to the woodshed about stockpiling vulnerabilities. Earlier, at the RSA Conference this year, Microsoft proposed a digital Geneva Convention, or a cyber Geneva Convention. Now, there are tons of problems with this, and in fact we actually came back and published, and that last link down there, the "more info" here, is basically a link to where we talked about why it was such a big deal, why the cyber Geneva Convention was unlikely to be a thing that works. And honestly, if you think about the real Geneva Convention, it all comes down to attribution, right? If somebody commits an atrocity, there needs to be some way to figure out who committed that atrocity or who broke the Geneva Convention. In fact, this is so well acknowledged that people not in uniform don't get Geneva Convention protections, and the reason for that is, of course, the need for attribution, connecting the particular act to the actor. We have a huge problem with that in cyber. I just got done teaching the threat intelligence course for SANS, and again we talked a lot about attribution and how hard that problem is. We even looked at some examples of what we call cyber false flag operations, where it appears that one actor tried to blame an attack on another actor. We saw this with a Russian operation a number of years ago, an operation largely attributed back to Russia, where they hacked TV5Monde in France. I'm probably butchering the pronunciation on that. But they did so under the flag of, quote, "the Cyber Caliphate," with supposed ties to ISIS. Right? It's pretty well understood at this point that was not ISIS. It wasn't a Cyber Caliphate.
It was almost certainly, based on additional analysis, Russia, trying to perform that false flag op. So it's a cyber Geneva Convention and the whole idea about stockpiling vulnerabilities. The "NSA woodshed" link there is how you can go find Microsoft's response. And then before this happened, early in the week, Microsoft couldn't have done much better press for me on this whole idea here. I put together a blog post over at Rendition about the need for Microsoft to really answer some questions about MS17-010. And again, that's the vulnerability that EternalBlue exploits. The MS17-010 petition basically was a petition asking Microsoft specifically to disclose information about MS17-010, and why understanding that information was critical to the information security community. Whether or not you want to sign a petition or get involved with that, go read the documents there, and I think you'll see, at least just from an interest standpoint, go check that out. I think you'll see that there are some really compelling reasons, for overall global information security, for Microsoft to be a little bit more transparent in how this particular vulnerability was handled. Next slide, please. And so the Shadow Brokers came out overnight. The Shadow Brokers are a still-unattributed group, although some of us have strong feelings about where they're from. But the Shadow Brokers came out overnight and they said, "Look, we promised more carnage." They originally released EternalBlue, and that's used in WannaCry. They posted a note saying that they have more exploits to release and they're not patched. Now for history, and I covered this in the MS17-010 post on my website.
For history's sake, it's important for you to know that in January the Shadow Brokers released a file listing and some screenshots showing some specific exploits that they had. We're going to go ahead and capitulate here that these are probably truly NSA's exploits. At the time that this happens in early January, then you would assume that NSA, or somebody in NSA, contacted Microsoft and said, "Hey, FYI, we found some vulnerabilities. We've been actively exploiting them for some time and now we know that the Shadow Brokers have them and are likely to release them." Now again, the exploits themselves are not released, but there are screenshots and file listings showing the actual names of the exploits. So someone in the know would be able to turn around with these and push that back to Microsoft and say, here are the vulnerabilities. So as we look at this: January, then February we miss Patch Tuesday for the first time ever, and then in March these vulnerabilities get patched. Why is this important here for the Shadow Brokers stuff? Well, the Shadow Brokers claim they have additional zero days, that the zero days they released were from a leak or a dump in 2013, but that they have more current exploits that are not yet patched that they would release without any heads up. All right. And they kind of allude to how they gave the industry a heads up before this whole thing started, right? So again, we think there's more to come here. I think personally there's more to come. Go take a look at this just from a situational awareness standpoint. Even if you patch now and you're like, "Hey, all that network segmentation stuff that Jake said, we don't need to do any of that." You totally do, right? It's good defense in depth. It was good before WannaCry, it's going to be good after WannaCry.
The one thing we know is that we're going to find additional vulnerabilities out there. We want to make sure that we're ready for those. Next slide, please. Okay. So there's another assertion here that WannaCry was not the first. Dan Goodin this morning reported in Ars Technica that another group used a worm with EternalBlue to infect machines with crypto-mining malware. This is fascinating. This flew under the radar. We saw a couple of exploits on our honeypots but nothing that appeared systematic and definitely nothing that was worming. But he said basically that they had a worm that used EternalBlue to infect machines with crypto-mining malware. Definitely fascinating there as well. Another report, and Dan kind of references this in his report on Ars Technica, suggests that the specific malware in WannaCry may have code reuse, and then links to this Lazarus APT group, and depending on which analysis you read this either points back to Vietnam or, much more likely, North Korea. So again, really, really interesting here. My personal belief is North Korea, by the way, based on the analysis that I've read to date, but I know there are some researchers out there that are still kind of on the fence about that. In any case, this is really fascinating. I think the TL;DR here, the long-term thoughts, are: one, segment your networks, right? Again, if you haven't done this yet, the time to do this is now. The Shadow Brokers are promising another dump within the next 90 days. They promise that they have exploits for vulnerabilities that have not been patched, and Microsoft will not get advance notice. This is different from the disclosure of normal vulnerabilities. Right?
If we have a researcher that discloses a vulnerability, there's always a time that it takes researchers to weaponize that vulnerability. In this case, you're seeing weaponized exploits being dumped directly onto the market. I'm quite frankly surprised. I said this the other night, and I stand by this. I'm quite frankly surprised that it took this long to get this out. Meaning I'm surprised that it took this long, almost a month in fact, between the time that the exploits were released in weaponized form until we saw the first one. Anyway, so again, this should be your call to action. I believe it's Rob Lee that was originally quoted saying never let a good breach go to waste. And if I'm quoting the wrong person there, I apologize. Regardless, I stand by that. If you're working with industry right now, never let a good breach go to waste. This is how you are going to get funding from your COO or your CFO to go in and make the changes that you need to make your network more secure for the next one. And with that, Ben, I'm going to kick it back over to you. Any questions you want to handle now, or do you want to hand it over to our third presenter?

Jake, thank you very much, and you're getting a lot of positive feedback from the audience here. I've got to ask one question, then we'll pass it over to Renato. Tracy asks, "I understand the malware propagates through the SMB vulnerability once within a network, but I'm still not clear about the initial infection vector. What is it?"

Right. I'm not sure that we know. There's been a lot of rumor about the malware being passed through documents in spear phishing, or just phishing in general. We don't have a single example, and if anybody has an example of this, please hit me up. I'm MalwareJake on Twitter. My DMs are open.
If you have an example of a phishing document that shows this malware being distributed, send it. My personal belief, from having done lots of internet-wide scans, is that this likely propagated initially on the internet; once it hits an internet-facing host it's then able to pivot internally in the networks. And I think that's how you're seeing it inside of a lot of internal networks: just machines that were exposed to the internet on 445. And I'll note, by the way, too, that even if you don't have one exposed to the internet, one of your business partners may, and you may have a B2B, business-to-business, VPN with them. We've seen that be a source of attack in the past. So now would be a good time to kind of look at those as well. Bottom line, I don't have a single example of a phishing document being used to distribute this. My thought is that that's not actually the infection vector. If you have one of those, please send it over to me.

Very good. Jake, we now turn to Renato from Brazil. He has been dealing with this incident for at least one client, maybe more, in Brazil. So Renato, go ahead. Renato, have you clicked unmute? We're not hearing from Renato.

Yes, Renato, I think you're muted. If you could click to unmute, please. Ben, I'm not sure if he's there, but maybe you want to move to a couple of the questions while we wait and see if we can get him going.

All right. Presently, are we on the correct slide, though? I'm not sure. I think that's his first slide there. But Renato, it's the little microphone button.

Go ahead and ask a question, Ben. I see that he has dropped.

All right. Okay. Let's see here. There are a lot of questions. I'm trying to figure out which ones are the better ones here. This one says, "ICS asset owners who rely on isolation will ask the following question, Jake."
It says, is there anything unique about how this worm propagates that it would be more likely to jump the air gap than other stray malware? You got that, Jake? Jake, it looks like Jake is muted. Perhaps he's having trouble with his mute button as well. Jake, you need to unmute. Jake, maybe you would like to switch to telephone.

Ben, I'm going to go and see if Renato has rejoined.

Yes. I apologize, ladies and gentlemen. We may be having problems with the fact that we've just exceeded the capacity of this system, or we pressed the system to its capacity. And unfortunately, I'm just a lawyer, guys, as those of you who know me at SANS know. And so therefore, I don't have anything of much value to add to this. But I do chair the summit where we talk about these things. One thing I did notice as a lawyer several weeks ago in regards to ransomware is that the Department of Health and Human Services issued a fact sheet. It said that if you are a covered entity under HIPAA and you suffer a ransomware crypto attack, or your data has been encrypted, then you are deemed to have an incident for purposes of HIPAA, and it's presumed to be a breach for which you need to give notice to the patients. However, under the Department of Health and Human Services' interpretation of HIPAA, if you're a healthcare entity and you have encrypted data and it's an incident, then you need to conduct a risk assessment. If the risk assessment says basically low risk of harm to the patient, then you don't have to give notice to the patient. On the other hand, if your risk assessment says there's a high risk of harm to the patient because of this ransomware, then you...

Please excuse the interruption. It looks like Renato has joined us again.

Yes. All right. Renato, please go ahead. And please let me know; just say "next slide, please," and I will advance for you.

Oh, great. Okay. I'm honored to be here talking to you, Ben and Jake and Carol.
I first heard about this ransomware last Friday morning, as most of you did, and shortly after I started receiving a lot of calls from customers and other companies trying to figure out what was happening and trying to protect themselves. And it turns out that one of those companies wasn't just trying to prevent but to respond to an incident caused by WannaCry, and we got involved with their team to try to respond to the incident. The incident was first noticed by employees when they got back from lunch, around 1:00 p.m. here in Brazil, GMT minus 3, and they noted that their machines got rebooted and were showing an odd message on their screens, exactly the WannaCry message. They started opening lots of tickets in the service desk, and due to the unusual call volume the service desk manager decided to report the problem to the IT manager. After that they both decided to visit one of the impacted sectors in the company and noted that lots of machines were compromised, and it was clear that it was a worm inside the network spreading very fast. The first action was to isolate.

Renato, have you dropped? I'm not hearing Renato.

I don't hear him either. Renato, if you...

Yeah, Carol, this is Jake. I managed to get on. In the meantime, while we're waiting on him, I can try to answer that question that Ben had earlier.

All right. Until we hear that Renato is back, then. Did you hear that question, Jake, about jumping the air gap?

I did hear it. I just couldn't, unfortunately; I didn't have the audio at the time.

I'm back.

Okay. Oh, perfect.

I'm back. Okay. All right. Sorry. Okay.

Go ahead.

Okay. Could you advance this slide? There you go. Yes. Thank you. And after the switches and routers were powered down, you can imagine the chaos inside the company.
We are talking about a 10,000-machine company and a lot of employees. The company is a huge company here in Brazil. No big cities here in Brazil. And that afternoon they had to send employees home during what was supposed to be a normal day of work. It was interesting that at that moment the IT team and security teams were not aware of the global incident problem with WannaCry. So Carol, could you please advance? Yes. And after that they immediately started an incident response team. They called us at Morphus Labs to contribute with them and to support them in this work. The main objective of this incident response team was to recover the company operations, as the company was completely stopped at that moment, and their deliveries to customers and so on. It was a really big problem for them and we started to work with them. Please, Carol, could you advance? Yes. And when we arrived there, we were aware of the WannaCry global problem already, and we started with three different work fronts. The first one was related to the AV solution. Unfortunately, the AV solution deployed in the company wasn't aware of WannaCry. They had no signatures yet to remove or to detect it, and we had to make a decision to change the AV solution to another partner. The second work front was to apply the Windows patches, and here we faced the second problem. Unfortunately, WSUS wasn't operational at that moment. So we had to spend some time fixing the WSUS. The third work front was to find out the incident extent inside the company. So part of the team started visiting the most critical company sectors and literally flagging the monitors with Post-its. Could you advance please, Carol? And we entered the second part of the incident response. Now we were with a new AV partner, with a different solution that was able to detect WannaCry.
We were also aware of the C2 communication IOCs, like many IP addresses, that we fed into firewall policies to block communication with malicious IP addresses. It is important to note here that we couldn't block the communication from machines inside the network with the kill switch domains, as Jake pointed out. We were also aware of the infected machines, at least part of them, and the WSUS was now operational. So Carol, please, could you advance? So this is what we planned to do. The next step of this workforce was, for each machine inside the network, to follow the following actions. First, apply the Microsoft patch that was released in March. Next, deploy the new AV software on the machine to replace the old one. And third, after those actions, plug the machine into the network again. So we had to do this for each machine during the whole weekend. A lot of work to do. Carol, please. But we still had a big problem related to infected machines. In fact, we had 300 machines infected, and to recover them and return them to the users we could only return them after we reinstalled the OS and applications, for example. But it was almost impossible to do this from Sunday to Monday, as we had a lot of machines infected and we didn't have any full image to deploy. So please, Carol, could you advance? So we had to change to another plan. We chose a plan B and tried to clean up infected machines. We know that this is not a good solution in an incident like this one. But it was difficult for the company to continue its operation without a solution like this at that moment. And we learned that Microsoft released some different solutions to clean up WannaCry malware for different Windows versions. So for example, for Windows 8.1 and 10 you could use Microsoft Windows Defender.
Microsoft Security Essentials for Windows 7 and Vista, and for all Windows versions we could use Microsoft Safety Scanner, MSS. So we decided to use the last one because it's an all-in-one package. You can install this package inside an infected machine and scan the file system without a connection to the internet, for example. Carol, could you advance? So to validate the strategy to remove the malware from the machine, we got a Windows machine into our lab and infected it with WannaCry, and after that we used Microsoft Safety Scanner and did the full scan, and after it, it indicated that it removed the malware from the machine. To validate, we rebooted the machine, ran the MSS full scan again, and to get a second opinion we installed Malwarebytes software and ran it against the file system, and there was no trace of WannaCry anymore in the file system. Can you advance? But as Jake told us, there's a side effect of WannaCry: it deploys the DoublePulsar backdoor, and this was still a problem for us at that moment. Regardless, we couldn't validate whether DoublePulsar was present in the environment; we did some tests with different tools. We came back to management to tell them what we had at that moment. And our decision was to get those restored or cleaned machines to users, if we could get them in an isolated environment, like a VLAN environment, until they could be fully reinstalled. It was a difficult decision because those machines were very important to the company. They wanted those machines to operate again. So we isolated those machines and returned them to some users. They could do part of their jobs while we, in parallel, started to reinstall all of those infected machines. Could you please advance, Carol? Yeah. Right now the company is not fully operational. We are still working there.
I've been working on this problem since last Friday, through the whole weekend and until now, and we are advancing fast in restoring the environment. We continue to investigate the infection vector. We don't know yet the source of the initial infection. I'm in touch with Johannes Ullrich and Xavier Mertens from the SANS Internet Storm Center, sharing some information and getting some information from them to try to understand how this initial infection could be done, and our initial assumption is that it came with email phishing, but we didn't find any evidence until now. So we have a lot of lessons learned regarding this huge incident in this company, as every company that suffered one like this. In parallel to the incident response, we are working on some procedures and documents to improve the incident response of this company in a future incident. And I think one big point here is that it's not common for companies like this one to deal with incidents as big as this one. So it would be good if they could conduct some exercises like war games to simulate some incidents like this one and better coordinate the actions. So this was what I would like to share with you. Then I'm heading back to you.

Thank you, Renato. I have one question for you and then we'll ask some questions for Jake. Someone asks, "Please tell us what AV product was initially used and what AV product it was replaced with in your incident."

Yeah. Ben, unfortunately I can't tell this information. I signed a non-disclosure.
We've discussed this with the company and unfortunately I can't disclose any information more than I'm doing right now, live.

That's fine. Those dang lawyers got in the way one more time. Okay, back to you, Jake. A number of people have wanted to hear what you had to say about jumping the air gap.

Yep. So I actually did a presentation at DistribuTECH earlier this year, and I expressed my opinion, and this is based on a lot of work in the ICS community. Very rarely do we see true air gaps. And so as people worry about and talk about the air gap, the mythical air gap, it very rarely exists. What they usually mean is we have some jump machines or bastion hosts or dual-homed machines, however you work that term. We hear them called cross-domain solutions. But basically there's a way for data to get in and out of that environment, and if there's not, my big concern becomes how are you patching that air-gapped environment. There has to be a way to get data in and out. And we really push towards formalizing what that method is, so that people don't move data in and out of that environment using unauthorized methods. My concern here, coming back to the worm question: is it more likely? I think yes. And the reason I bring this up: we see Conficker actually a lot today, even floating around a lot of our ICS environments. And it bothers me every time that I see it. Again, this is exploiting vulnerabilities from 2008. I worry then here that, again, particularly in these air-gapped environments where machines are less likely to get patches, once it does find its way in it's going to be extremely viral inside of that area.
And not to make another pitch for the Tearst0pper tool, but if you've got a case where you've got machines that you can't patch for whatever reason, just set it to start on auto-run and it'll at least stop the ransomware from screwing up your day.

So anyway, all right, I'm going to try to hit another question for you here, Jake. When a machine is infected, do you unplug it quickly, or wait until it comes along to start its investigation?

You know, that's going to depend, largely on the type of attack; here in this case it would be WannaCrypt. Let's say you actually saw, and I'm not talking about the background that pops up that says "Oops, your files have been encrypted," but if you actually saw the initial drop for whatever reason, right, you saw the unzip, you were looking in your downloads folder (it doesn't try to hide it, by the way, or doesn't do a good job of hiding it; if you've got hidden files and folders turned on you're going to see it; it drops right into your downloads directory), if you saw that, that's the time right there to go ahead and pull the plug. I normally don't recommend this in incident response, but you may save a good number of your files just by pulling the plug. Although the counter to that is that most of the time I want to get a memory dump for additional analysis here. If I know that I'm seeing these WCRY files, or sorry, WNRY files, if I'm looking at a bunch of files dropped and I'm like, ah, this looks like WannaCry, I might in that case, or probably would in that case, recommend pulling the plug. But this is a unique case, right? Again, your goal here is not to investigate. Your goal is to prevent it from encrypting any more files than it already has.
All right, Jake, we're running over time, but if you've got time I'm going to ask you one more question.

Fair enough. No problem.

And it's hard for me to know if this is a good question because it sounds so technical that I don't even know what I'm saying, but I'm going to read it. It says, "Is it possible to identify the kill switch without static analysis or using a debugger?" Is that a good question?

Yeah, sure. Is it possible to identify a kill switch domain? So two parts for this answer. One, again, we already know there's a variant without a kill switch domain out there. I expect that this particular anti-sandboxing technique won't be used again. But is there a way to identify it without doing any debugger or static analysis? If you throw it into a malware sandbox, any of your normal ones, Cuckoo Sandbox for instance, it's free and open source. If we throw it into Cuckoo Sandbox, we're going to see the request to this domain. You'll see requests to lots of other domains, time.microsoft.com and updates, but again, you're going to see this call out and you're going to say, "Yep, this is unique to this malware." But I have to caution, in the future, that we don't know what that domain is supposed to do. Right here in this case, it's just the kill switch, right? And registering it is fine and you're good to go. In other cases, it might be a command and control domain. And again, we just don't know what it's used for in that case, but it's easy to identify just by running the malware inside of a sandbox.

All right, thank you very much. Some of us are running out of time. Jake, we really appreciate your input. Renato, it is really valuable for us to hear the perspective of somebody from another country dealing with this in a different type of environment.
So both Jake and Renato, we really appreciate your assistance. Someone asked in the questions here to say something about what this Data Breach Summit is. We'll have a summit in September and it's about how to respond to incidents, especially looking at things from management's perspective and the challenges that management faces when crises like this emerge. So with that I'm going to say thank you and turn it back over to Carol.

All right. Well, thank you so much Jake, Renato and Ben for your great presentation, which helps bring this content to the SANS community. To our audience, we greatly appreciate you listening in. For a schedule of all upcoming and archived SANS webcasts, including this one, you can visit sans.org/webcasts. Until next time, take care and we hope to have you back again for the next SANS webcast.

Original Description

Friday May 12 witnessed an unprecedented ransomware attack known as WCrypt, which targeted healthcare, government, telecom, universities and other industries around the world. Jake Williams and Renato Marinho have been on the frontlines of this ransomware battle since it broke, and will provide an update on the latest facts and analysis in this webcast.
60 Part 1 – SANS Institute and Tenable talk about cloud security
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute

The video provides an analysis of the WannaCry ransomware attack and discusses security measures to prevent similar attacks, including patch management, network segmentation, and incident response.

Key Takeaways
  1. Check if you can access the kill switch domains
  2. Set up an internal web server to handle requests to the domains
  3. Configure DNS to point to the internal web server
  4. Don't block access to the kill switch domains
  5. Patch immediately if you haven't done so already
  6. Consider network segmentation for systems that can't be patched
💡 The WannaCry ransomware attack highlights the importance of patch management, network segmentation, and incident response in preventing and responding to similar attacks.
