Worming through SMB
Wannacry (or rather the group responsible for the malware) uses a propagation method that port-scans potential hosts over Transmission Control Protocol (TCP) port 445, the port on which the Server Message Block (SMB) network communications protocol operates.
This application-layer protocol is targeted by Wannacry specifically to help it spread like a worm. SMB is designed to give access to shared directories, files, printers and serial ports, among other resources.
To find its way into new endpoints and networks, the Wannacry malware leverages two SMB-exploitation modes borrowed from the Shadow Brokers exploit leak. It starts by trying to get through using an existing backdoor called DoublePulsar. If that backdoor does not exist, it launches a new exploit on the target using what’s known as EternalBlue.
Really, the best defense is an effective offense. The steps below outline what you can do to protect your organization:
- Verify that all Windows systems and software have the most recent updates and security patches properly installed.
- Make sure you have current antivirus/anti-malware products installed and universally updated.
- Increase protection by utilizing a ransomware-specific mitigation product like Sophos InterceptX on all end user and server operating systems.
- A current-generation firewall, monitored for security and kept up to date with the manufacturer's software updates, will be key.
- Block suspicious activity on TCP port 445 at your firewall and proactively monitor the device.
- Implement an automatic off-site backup of all end user data files.
- Increase end user awareness through internal knowledge transfer of potential ransomware techniques.
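The worm behaviour described above (one infected host fanning out to many peers on TCP port 445) and the "proactive monitoring" step in the list are easy to turn into a concrete check. The following is an added example, not code from the original post or from any product it mentions: it reads firewall or flow log lines in a constructed format (timestamp, source, destination, protocol, destination port, action) and flags any source that contacts an unusually large number of distinct hosts on tcp/445 within a short time window. The log format, the sample addresses and the thresholds are assumptions chosen for the demonstration; a legitimate client talking repeatedly to one file server is not flagged.

```python
"""Flag hosts that fan out to many peers on TCP/445 (worm-style SMB scanning).

Added example; the log format below is constructed for the demonstration and
is not a real product's log format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall/flow log lines:
# "<ISO timestamp> <src ip> <dst ip> <proto> <dst port> <action>"
# 10.0.1.25 sweeps twelve different hosts on 445 in ~20 seconds (worm-like),
# 10.0.1.40 talks to a single file server (normal), 10.0.1.50 uses HTTPS.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.25 10.0.2.10 tcp 445 allow
2017-05-12T10:00:03 10.0.1.25 10.0.2.11 tcp 445 deny
2017-05-12T10:00:05 10.0.1.25 10.0.2.12 tcp 445 deny
2017-05-12T10:00:07 10.0.1.25 10.0.2.13 tcp 445 deny
2017-05-12T10:00:09 10.0.1.25 10.0.2.14 tcp 445 deny
2017-05-12T10:00:11 10.0.1.25 10.0.2.15 tcp 445 deny
2017-05-12T10:00:13 10.0.1.25 10.0.2.16 tcp 445 deny
2017-05-12T10:00:15 10.0.1.25 10.0.2.17 tcp 445 deny
2017-05-12T10:00:17 10.0.1.25 10.0.2.18 tcp 445 deny
2017-05-12T10:00:19 10.0.1.25 10.0.2.19 tcp 445 deny
2017-05-12T10:00:21 10.0.1.25 203.0.113.7 tcp 445 deny
2017-05-12T10:00:23 10.0.1.25 198.51.100.9 tcp 445 deny
2017-05-12T10:00:02 10.0.1.40 10.0.2.5 tcp 445 allow
2017-05-12T10:00:08 10.0.1.40 10.0.2.5 tcp 445 allow
2017-05-12T10:00:14 10.0.1.40 10.0.2.5 tcp 445 allow
2017-05-12T10:00:04 10.0.1.50 10.0.2.10 tcp 443 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, dport, action)."""
    ts, src, dst, proto, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), action


def find_smb_scanners(lines, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: max distinct tcp/445 targets seen in any `window` span}
    for every source that reached at least `min_targets` distinct hosts.

    Both allowed and denied connections count: a denied SYN still shows
    the source trying to reach a new host, which is the scanning signal.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, dport, _ = parse_line(line)
        if proto == "tcp" and dport == 445:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst -> number of events inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward until every event fits in it.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct hosts on tcp/445 within 60s; investigate")
```

Run against real logs, the threshold and window should be tuned to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow-list, while an ordinary workstation has no reason to open SMB sessions to more than a handful of peers in a minute.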