Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package contained a kill switch, which was accidentally triggered and disabled the worm feature, slowing its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware, systems encrypted by WannaCry 1.0 remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying the cybercriminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs has released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking exploitation attempts against unpatched Microsoft SMB vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack. All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, in much the same way that Botnet Filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack, for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats, just as we did with Cerber ransomware. Enable the service’s block-until-verdict feature to analyze all files at the gateway and eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via email. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect against spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with the Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.
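SPF and DMARC are only as strong as the published records, so a quick audit of what a domain actually advertises is worth running before trusting them. The following script is an added example, not SonicWall code or part of the original post: it parses SPF and DMARC TXT records and reports the settings that still let spoofed mail through (a DMARC policy of `none`, a partial `pct`, no aggregate reporting address, an SPF record ending in `+all`/`?all`, or more DNS-querying terms than RFC 7208 permits). All records are constructed; nothing is queried from DNS.

```python
"""Audit SPF and DMARC TXT records for settings that let spoofed mail through.
All records below are constructed examples; no DNS queries are made."""

# SPF terms that cost a DNS lookup when evaluated (RFC 7208 section 4.6.4).
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: spoofed mail is reported but still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings


def mechanism(term):
    """Strip qualifier and argument from an SPF term: '-all' -> 'all',
    'include:_spf.example.net' -> 'include', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def audit_spf(txt):
    """Return a list of weaknesses in an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("+all: every sender on the internet passes SPF")
    elif all_term.lower() == "?all":
        findings.append("?all: unlisted senders get a neutral result, not a fail")
    # More than 10 DNS-querying terms makes receivers return permerror.
    lookups = sum(1 for t in terms[1:] if mechanism(t) in DNS_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms, above the limit of 10: receivers return permerror")
    return findings


if __name__ == "__main__":
    # Constructed weak and corrected record pairs for the same hypothetical domain.
    weak = {"dmarc": "v=DMARC1; p=none",
            "spf": "v=spf1 include:_spf.example.net ?all"}
    strong = {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
              "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"}
    for label, recs in (("weak", weak), ("strong", strong)):
        print(label, audit_dmarc(recs["dmarc"]), audit_spf(recs["spf"]))
```

The weak pair reports three findings and the corrected pair none. A `~all` softfail is deliberately not flagged: combined with an enforcing DMARC policy it is a common and acceptable choice, and DKIM alignment still has to be verified separately.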

Apart from the SonicWall security protections in place (listed above), as a best practice we recommend blocking inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming from the internet on internet-facing edge firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in Microsoft’s MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access to SMBv2/v3), and monitor for any suspicious activity on TCP 445.
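The two preceding recommendations, blocking SMB/RDP at the edge and watching TCP 445 inside the network, can both be checked against firewall connection logs. The script below is an added example written for this page, not SonicWall code, and it assumes a simple key=value log format with constructed addresses (RFC 1918 space as "inside", documentation ranges as "outside"). It flags inbound connections from the internet to the listed SMB/RDP ports that the firewall allowed (the edge rule is missing) and internal hosts that contact many distinct peers on TCP 445 within a short window, the fan-out pattern of a worm spreading over SMB.

```python
"""Audit firewall connection logs for two WannaCry-relevant conditions:
1. inbound SMB/RDP from the internet that the edge firewall allowed, and
2. an internal host fanning out to many peers on TCP 445 (worm-like spread).
The log format and all addresses are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports the post recommends blocking from the internet: SMB on TCP 445,
# TCP 139 and UDP 137-138, plus RDP on TCP 3389.
EDGE_BLOCK = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138), ("tcp", 3389)}

# RFC 1918 ranges stand in for "inside the network"; adjust to your address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with typed fields."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def audit(lines, fanout_threshold=10, window=timedelta(minutes=5)):
    """Return edge allows that should have been blocked and internal hosts
    that reached at least fanout_threshold distinct peers on 445 in one window."""
    exposed = []                  # (src, dst, proto, dport) allowed from outside
    fanout = []                   # (src, distinct 445 peers within one window)
    contacts = defaultdict(list)  # internal src -> [(ts, dst)] on TCP 445
    for rec in map(parse_line, lines):
        key = (rec["proto"], rec["dport"])
        if (key in EDGE_BLOCK and rec["action"] == "allow"
                and not is_internal(rec["src"]) and is_internal(rec["dst"])):
            exposed.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
        if key == ("tcp", 445) and is_internal(rec["src"]):
            contacts[rec["src"]].append((rec["ts"], rec["dst"]))
    for src, events in contacts.items():
        events.sort()
        # Slide a window over each host's 445 connections; one hit per host.
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= fanout_threshold:
                fanout.append((src, len(peers)))
                break
    return {"exposed": exposed, "fanout": fanout}


def sample_log():
    """Constructed lines: one exposed SMB allow, one denied RDP probe, a normal
    client using one file server, and a host sweeping 15 peers in 45 seconds."""
    lines = [
        "2017-05-12T10:00:00 src=203.0.113.5 dst=10.0.0.5 proto=tcp dport=445 action=allow",
        "2017-05-12T10:00:01 src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=3389 action=deny",
        "2017-05-12T10:00:02 src=10.0.0.50 dst=10.0.0.5 proto=tcp dport=445 action=allow",
        "2017-05-12T10:00:09 src=10.0.0.50 dst=10.0.0.5 proto=tcp dport=445 action=allow",
    ]
    for n in range(1, 16):
        lines.append(f"2017-05-12T10:01:{3 * n:02d} src=10.0.0.23 "
                     f"dst=10.0.0.{100 + n} proto=tcp dport=445 action=allow")
    return lines


if __name__ == "__main__":
    for kind, hits in audit(sample_log()).items():
        print(kind, hits)
```

On the sample data the denied RDP probe is not reported (the edge rule did its job), the client talking repeatedly to a single file server stays below the threshold, and only the sweeping host and the allowed external SMB connection surface. The threshold and window are starting points to tune against a network's normal SMB behaviour; a backup server or domain controller will legitimately touch many peers on 445 and belongs on an allow list.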

Resources

Brook Chelmo
Sr Product Marketing Manager | SonicWall
Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware star. Fascinated by the growth of the consumer internet, Brook dabbled in grey-hat hacking in the mid to late 90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices and by promoting and developing technology.


14 comments

Joe S.

Looks like this is specifically blocked by the gateway anti-virus module being activated, though the post simply says CGSS or AGSS, which cover a wide variety of security services.

I always follow the ransomware best practices outlined here: https://support.sonicwall.com/kb/sw12434. But sometimes (specifically for voice applications) the application control can be disruptive to services, so I have to disable it on certain zones.

Would it be possible for someone to confirm which module/settings ensure blockage of this new ransomware? This would be helpful to admins looking to ensure they are providing their organizations the best possible protection.

    Joan Fronske

    Hi Joe,
    Thanks for asking. The following services / solutions all play a part in preventing this threat:

    1. Content Filtering – Restricting access to “Not Rated” will stop a lot of malicious downloads out of the gate
    2. IPS – Prevent SMB vulnerability exploitation on Microsoft systems
    3. GAV – Prevent known signatures
    4. Capture – Prevent unknown malicious files
    5. DPI-SSL – Inspecting encrypted communications
    6. DPI-SSH – or rules (including application rules) controlling SSH traffic
    7. DNS Proxy – or rules (including application rules) controlling DNS traffic
    8. Application Rules controlling proxy avoidance applications and various tunneling (VPN) applications
    9. Botnet Filter
    10. Network segmentation (this was an SMB-targeting worm; systems on the inside that were infected offsite and then brought into the network would have spread the infection).
    11. Email Security for corporate email
    12. Application rules restricting and controlling third-party webmail.
    13. Block or do not allow SMB traffic directly from the Internet into corporate network servers. For file access, use corporate remote access solutions like SSL-VPN or IPSec VPN.
