LIVE Updates on the UK Ransomware Attack

May 15, 2017

Simon Townsend | Chief Technologist | Ivanti

Chris Goettl | Manager, Product Management, Security | Ivanti

Phil Richards | Chief Security Officer | Ivanti

Matthew Walker | AVP EMEA Product Specialist | Ivanti

On Friday the news broke: a massive ransomware attack which started on the UK NHS immediately spread to global proportions. The attack has now impacted over 200,000 organizations in 150 countries. Our security experts have received interview requests from across the globe. We want to make sure our customers and friends know exactly what happened and what they can do about it. So, Monday (AM in the US and PM in the UK) join our brightest security minds for a LIVE panel discussion of the massive breaches and what it all means for you.

During this webinar, the following points will be discussed:

  • Current situation
  • Ivanti Get Well Quick offer
  • Why it is spreading so fast
  • Anti-virus as a layer of defense
  • How patching fits in
  • The killswitch
  • Preventing threats with a layered approach
  • Question and answer session

Transcript:

Introduction

McKay: Welcome everyone, my name is McKay Allen. I'm the Director of Digital here at Ivanti. We're excited you’ve joined us on this ransomware panel discussion webinar. We wanted to get our best experts in front of you as quickly as we could after everything that happened globally over the weekend. We have a fantastic group on the call today. They're going to have kind of a free-flowing conversation about what happened, and they have some slides. We encourage you to ask questions.

Two quick announcements before we introduce the panel and get started: First, we encourage you to ask questions during the webinar today. Please click on the Q&A button on your webinar panel to ask those questions. We'll moderate them and ask them to the panel once they've finished their presentation and discussion. Second, on the ivanti.com main page, there's a big Breaking News banner. Associated with that banner is a link that has daily, and sometimes more frequently, updates. It's a link to a blog post where our experts post updates with the latest news multiple times a day, so please visit that as well.
 
With that, why don't we introduce the panel. First we have Simon Townsend, who's our Chief Technologist in EMEA; we have Phil Richards, who's our CISO here at Ivanti; we have Matthew Walker, who's an AVP and a Security Specialist in EMEA; and we have Chris Goettl, who some of you probably know from our Tuesday webinars. He's our Director of Product Management for Security. Gentlemen, thanks for joining us today. We appreciate you doing this on short notice, we put this together quickly over the weekend. Simon, I think you're starting us off. So thanks panel, we appreciate it, and welcome everybody to today's discussion.
 

Impact of the ransomware attack

Simon: Thank you, McKay, and thank you to everyone who's attending this webinar. We're going to jump straight in, and I want to kick it off by explaining the purpose of the webinar and why we've called this webinar and panel together so quickly. On Friday afternoon, the 12th of May, 2017—I think that’s a date we're not going to forget for some time—on Friday afternoon at some point, the news broke that the NHS in the UK had come under attack by a new variant of ransomware. Initially, it looked as though the attack was targeted at the NHS, and it seemed to be spreading incredibly quickly. News and reports were popping up across a three- or four-hour period beginning about 1:30pm GMT on Friday. By the time it reached 8pm GMT, it was very clear from the ransom they were asking, the way it was spreading, and that it had spread further than the NHS, that this perhaps was being done for a different reason. Perhaps we had something far larger in terms of scale and size that was, in fact, going global.
 
As it stands at the moment, it's infected about 200,000-plus devices across about 150 countries. It's being taken very seriously by a large number of governments. I am pleased to report that the last incident reported from the UK NHS was around 10:30–11:00 this morning. It was our decision, however, at Ivanti late Friday night UK time, after speaking with various teams, to pull this webinar together to help our customers and our partners understand exactly what happened, what it was about, and more importantly, that Ivanti wanted to help. This isn't, by any means, an opportunity for us to sell. There are times we would love to talk to our customers and sell our software, but this is not one of those times.

Free licensing offer

Purely and simply, Ivanti pulled this webinar together to do two things. First, to educate people on what steps they can take immediately to prevent further attacks and clean up any attack that may have taken place. Second, to announce we are offering 90-day licenses for our Patch solution to all of our customers. This is an offer we've worked out with our executive team, and we are pleased to announce and promote it today and for the remainder of this month, in fact, all the way until June 15. We're going to talk more about how you get that offer later, but you'll see there is a link at the bottom of the page. Anyone attending this webinar, in fact anyone who needs to protect themselves against these attacks and get their systems patched can go to that link and get our software immediately.
 

The name of the ransomware

So without further ado, I'm going to ask our own CISO to comment on what we now know as the WannaCrypt ransomware, and the various names it's been given. I'd like Phil to talk to us about this particular ransomware and explore why it's different and how it's become so widespread. Phil, first of all, what is it called?
 
Phil: Sure, Simon. The current version of the software is called WannaDecryptor 2.0. It's in the family of the WannaCry virus, which has been around for quite some time. A virus family means there are a number of versions or incantations of the software. This one is particularly pernicious, and we'll talk more about why that is later. Other names you may have heard associated with this include Wcry, WannaCry, WannaCryptor, WannaCrypt, WannaDecrypt, those kinds of things. Each of those names is attached to a different variant of the virus. The current one is called WannaDecryptor 2.0, and it is ransomware.
 
Simon: Excellent. And this ransomware is entering organizations via phishing emails?
 

How the ransomware gets in your system

Phil: There are a variety of ways it initially gets in, which aren’t a lot different than other ransomware out there. The thing that makes this significantly different, however, is how it replicates throughout a company once it gets in. The first time it comes in, it might be through a phishing attack or a number of other methods that have been used in the past, but what happens to it after it gets in is really the next part.

To go into that a little bit more—basically, what this software does is it has a wormlike component, and what that means is the software has the ability to replicate itself to other machines and other devices within the network once it gets into your network.

EternalBlue exploit

It is using software known as "EternalBlue." That's the EternalBlue exploit, and it was actually created by the NSA, the National Security Administration in the United States. That particular exploit was stolen and leaked by a group of hackers known as the Shadow Brokers. It's this piece that adds some significant complexity to this ransomware and that makes it chew through or go through a network very, very quickly. The EternalBlue exploit is a family of exploits. It’s not just a single exploit, it does a lot of different things, and a lot of where it is focused is in a protocol called SMB, which is one of the protocols that allows computers to talk to each other across a friendly network.
 
Simon: There has been, as you read various articles, a small amount of confusion, particularly if you looked at the news breaking on Friday, and as people started to dive in and look at exactly how it was made up. There was confusion about was it a typical piece of ransomware, for example as we saw last year with the Locky virus. Was it a worm? Was it a vulnerability? When you're trying to answer those questions and you're trying to help remediate that, you can end up with different answers, right?

If it's a vulnerability, surely it needs patching. If it’s a piece of ransomware, it needs detecting and it needs to be prevented from executing in the first place. This one sounds like it's all of the above. It's almost like the meeting of the vulnerability and the piece of ransomware that's not only encrypting those files, but also spreading through these SMB shares, is that correct?
 
Phil: Yes, that's exactly right. One way to think about it is a lot of ransomware today gets cobbled together with components from other successful ransomware, and then certain elements get changed and that kind of thing. This particular ransomware has significant complexity and is actually cobbled together from several sources, but the WannaCry component, which is the ransomware component, and the EternalBlue, which is one of the wormlike components in this ransomware, are two of the more prevalent pieces. There is additional complexity to this software underneath, as well. So yes, it's a fairly robust piece of ransomware that has wormlike capabilities and virus capabilities and more.
 
Simon: Yes. Now, from an NHS point of view, the UK relies on a free national health service, and the fact that accident and emergency departments have had to close down, people have had operations canceled, for us and for those people, it's pretty horrific. But if it starts to spread and asks for a ransom to allow people to get hold of their data again—$300 to $600 ransom is not a great deal. Does that tell us anything?
 

What we know about the ransom

Phil: You know, the interesting thing about this is the ransom is being exacted at between $300 and $600 in Bitcoins, and one of the really nice things about Bitcoin is that even though it's an anonymous method of making a payment, it's completely visible. Those Bitcoin accounts, and there were three Bitcoin accounts hard coded into this ransomware, are available. You can actually see the balances in those accounts, and so far, because of the worldwide attention on this malware, the perpetrators have not attempted to remove any of the funds. I think they are probably nervous about being discovered if they try to remove the funds. The accounts, at least a couple of hours ago, have about $48,000 in them. We have this worldwide infection, and you might expect there to be millions of dollars in those accounts, but so far, most people are not paying the ransom, which is a good thing. The reason ransomware works is because it's lucrative for the people who create the ransomware. If somebody has put a ransomware together that is this complex and it's only earning them $48,000, and there is so much visibility on it they might never be able to get the money, that is a disincentive for future ransomware, which is a good thing.
 
Simon: Okay, what about antivirus fail? AV should ultimately stop these types of things.
 

The AntiVirus fail

Phil: As of Friday morning, about 30 percent of the antivirus software products out there were able to correctly detect and deter or remove this ransomware from systems. Now, of course, all of the major antivirus software providers will be able to detect, isolate, and remove this software.

This is actually a really important point. Antivirus is a very effective and important part of your security infrastructure. However, it can't be the only thing you're doing, because if you happen to get hit at the wrong time, you stand a fairly good chance of the malware getting through or not being detected by the antivirus product you have. Antivirus is an important layer in the defense in-depth discussion, but it is only a layer, one layer. It's something you need to do, but by no means should it be the only thing you depend on.
 
The importance of patching

Simon: Yes, and that quite nicely takes us to patch. Chris, you're the Director of Product Management for all of our security portfolio. Tell us a bit about the patch. There's been lots of talk around patch, patch, patch, that's what I've heard in the past 48 hours. Phil has suggested that part of this is due to the vulnerability in the SMB. Was this already patched?
 
Chris: This conversation's come out in an interesting way. It's not unlike most ransomware as far as how it gets into an environment, a typical phishing scam through a variety of vulnerabilities—a browser, flash player, things like that. Once it gets into the system is where things get interesting. The attackers in this case had kind of a perfect storm coming together all at the same time to be able to make this thing spread so quickly.

The SMB protocol is going to allow this vulnerability of a lot of ransomware attacks propagating at a faster rate than any we'd seen previously. The SMB update has been available since March. Microsoft released the SMB update for all current operating systems back in March, on Patch Tuesday, so it was available in either the security-only or cumulative rollups that were available for Windows 7 and above, for servers and workstations. We've had roughly two months to get that in place.
 
The challenges come around the complexity of trying to push an update like this. There were significant changes to the SMB protocol as part of this, so you have companies concerned with pushing this update and potentially breaking things throughout their environment. They had to do additional testing and validate that it wasn't going to adversely impact them, which caused a lot of companies to be slow to roll this out. There were also a lot of cases where older platforms that are no longer being supported were not able to get that update.

This presents a pretty significant challenge. You have outdated software, end-of-life software that's allowed a vulnerability to be available out there on many systems. The Chertoff Group had a great announcement earlier today that talked about this, but one of the things that's been propagating this even more is the number of XP and 2003 systems out there that did not have this patch available and were, in a lot of cases, bootleg software. People using that have no ability to patch, they can't patch those systems. That's allowed this thing to spread even faster, so much so that Microsoft, over the weekend, released an updated version of the SMB protocol for older platforms—XP, 2003, and Vista. They've released an out-of-band patch because they recognize how quickly this is spreading.

What you're looking at on the screen right now is something we talk about quite a bit, that is taking time to patch, the challenge of getting updates from the day of release out into an enterprise. Let me kind of talk through this and talk about a few of the challenges out there. To the left of day zero when the update is released, we have an amount of rising risk. There are unknown vulnerabilities, the things that at some time may come to light. There are public disclosures, and in this case, the disclosure of this SMB vulnerability from the Shadow Brokers group is what allowed this to get out to attackers. They had ample time to develop an attack. On Reddit, I read a very interesting spread where people were attacking the NSA and the whole issue around keeping vulnerabilities like this under their hat. I don't condone any company for holding on to a vulnerability like that and not privately disclosing it to the vendor so it could be addressed.
 
The biggest thing here though, I think either way, whether it was addressed when the NSA first found it or recently as we saw, I think we would have had the same challenge. There were many systems that were not going to get updated because there was no update available: XP, 2003. There are still a lot of companies out there running a lot of those. There was the concern about rolling it out too fast and potentially breaking legacy applications. I think if the issue had been raised a year ago or even further back, we still would have seen the same issue.

On day zero, back in March, the update was released for this SMB set of vulnerabilities. It wasn’t only one, there were several issues addressed. There is a critical point where you have a window of time to try to put this in place before exploits start to occur. If it's a zero day, as quickly as possible is the way to go because it's already been exploited before the update was available, but usually, when you get to that two- to four-week period (if you keep up with the Verizon breach report, back in 2015 they pulled together a lot of interesting information around how quickly exploits occur), 50 percent of exploits that are going to be exploited have already been exploited. When you get to 40 to 60 days, that goes up to 90 percent.

We're in that 40- to 60-day window right now. If you don’t have the update pushed out that's going to block that vulnerability, it's already going to be exploited in that timeframe. If you look to the far right, that 120-day period is the average time a large enterprise takes to get updates in place, so we have a timeframe issue. Getting updates, especially at the scope and complexity of this SMB change, in place is a big challenge for companies.
 
Simon: Okay, Phil, there was talk of the kill switch.
 
The kill switch

Phil: Yes, let's have a quick discussion about this. I know that's probably a term people have heard associated with this piece of malware, and I want to describe what's going on. Essentially, what happened was—and I'll tell you the story first and then we'll talk a little about what the kill switch is—what happened was a researcher got this malware into his isolated environment. One of the things researchers do is take that software and exercise it to see what it tries to do. This particular researcher noticed that one of the things it tried to do was make exactly one call to a specific URL, to a specific website. He noticed also that the website was not owned by anybody and actually didn't exist as a website. One of the first things researchers do in that scenario is procure the website. They go somewhere like godaddy.com, or something like that, and purchase the website. I think this researcher purchased it for about $10. What he did then was put a server on the website, which acted as what's known in the industry as a sinkhole. Any conversation to and from that website or any files sent to that URL go into the URL and don't go anywhere else.
 
The researcher purchased the URL and created a sinkhole. For everybody being infected who was attached to the network, that effectively stopped the attack. What happens is the malware checks for the existence of the kill switch. If the kill switch exists, the malware stops. Further infections have tailed off quite substantially as a result of having that kill switch activated, which happened late in the afternoon on Friday.

That's what the kill switch is, and for this particular variant of malware, if you have a network-attached computer that gets infected, it will call one time only to that kill switch. If it finds it, it will stop the attack right there. If it doesn't find it or if your computer is not attached to the network at that time, it will continue to infect the machine.
 
Simon: Okay. In summary: It is a piece of ransomware, it uses a vulnerability to spread incredibly quickly, and there are now patches available across supported and nonsupported XP, 2003 server operating systems. With everything crossed, our AV should pick that up, protect that, and do what it needs to do. Chris, do you think we’ll see more variants of this moving forward?
 
Chris: There is a lot of speculation about that right now, and I think a lot of people agree this kill switch was a respite. We have a short breathing period here, but more variants will likely be on the way that don't include a kill switch. It's a strong likelihood we're going to see more of this before we’re out of the woods.
 
Simon: Which is worrying, right?
 
Chris: Yes, absolutely.
 
Simon: At the start of this webinar, I highlighted that we're announcing this offer, we're going to give our software away to help people patch their systems. I'm assuming those new patches are included in our solutions as well, am I right?
 
Chris: Yes, absolutely. Our teams worked through the weekend to make sure we could support the XP, 2003 updates in all of our software catalogs, and we kept an eye on the WSUS and SCCM site, as well. We do have an SCCM plug-in that allows you to publish additional updates there, as well. Since we haven't seen that get out into that catalog yet, we're also going to publish the ability to push that out through our SCCM catalog. The end-of-life platforms that Microsoft released a public update for, we will support across all of our catalogs.
 
Simon: Perfect. I know that’s a question people who are existing customers were asking on the webinar already.

So, next steps. Let's not talk about product, there will be enough organizations out there trying to sell various technologies and products that could have or should have prevented this. What's our take? This is a slide we've been talking about for some time. Phil?
 
Phil: This is something we’ve talked about for quite some time, which is a layered approach to security will help provide a good defense in depth. We talked a little about it when we talked about antivirus, how AV is one of those layers from a defense in depth perspective.

Four ways to protect your environment

This slide talks about a framework we at Ivanti have adopted from the Center for Internet Security, which basically states that these are the top four activities that need to be addressed as you're looking to defend your environment. The first two have to do with patching. Patching the operating system—as Chris said, there's a patch available from Microsoft. In addition to patching the operating systems, you need to patch the applications, as well. One of the things we talked about earlier is that this ransomware is very complex, and it has the ability to avail itself of vulnerabilities that exist not only in Microsoft's software, but elsewhere. You need to be patching other applications, as well.

Application whitelisting is the process of making sure the applications you want to run are the only ones allowed to run in your environment. This ransomware would not be on the whitelist and, therefore, would not be allowed to run on your systems.

Then there’s minimizing privilege, administrative privileges. One of the things this ransomware does is reach out via SMB to all of the networks you are connected to. If you're running under administrative privileges, it is able to find more network connections and write to those network connections. It's able to encrypt more files by having administrative privileges local on your machine. If you're running as a regular user, there are fewer files that can be encrypted. It's important to have that defense in depth kind of approach to how you want to protect your environment.
 
The CIS security framework

Simon: And Chris, Phil mentioned the CIS. CIS produce, I think they're on version 6 at the moment, they produce a long list of critical security controls. That can never move, unless with things moving up and down and these four things appear in the top five in the latest version. But it's not just the CIS that are producing these lists, right?
 
Chris: Right, absolutely. One thing we've done within my team is choose the CIS framework to give a good frame of reference for everything we do with our security products. It's good to choose a framework that has really good guidance, and one thing we liked about the CIS is it gives good prioritized guidance.

The CIS also works very closely with other groups, the Australian Signals Directorate is one of those. The statistic you see at the top there, that 85 percent, that is a study the Australian Signals Directorate did to prove that if you do these four things effectively, you could eliminate or mitigate 85 percent or better of the types of intrusions we face today. When you talk about this particular ransomware, the way it got into systems was through phishing scams. You want to educate your users. The more you educate them, the lower risk there is they’ll click on something. You also need to patch beyond the Microsoft operating system. These types of phishing attacks are going to come through browser exploits, email exploits, Flash Player, and other media player products that exist in your environment. Education and use of third-party patching, especially, will help mitigate the way this type of attack gets into an environment.

Application whitelisting: If something got by, maybe it was a zero day, and the update wasn't available yet to plug the method used to phish the user and get that payload to launch. A good application whitelisting policy will block that untrusted payload.
 
These layered defenses help to reduce the effect of this type of issue. Patching the operating system in this case, if this SMB update had been in place in more organizations, it would have stemmed the quick propagation of this particular piece of ransomware.

Minimizing admin privileges: It's very important to understand that if I give everybody in my organization full admin rights and an attacker exploits the system, it’s going to have the equivalent rights as the user in most cases. Reduce admin privileges, give users just enough rights when they need them, this will help to reduce the ability of an attacker to pivot and move laterally throughout an environment.
 
All of these coming together give a very robust layer level of protection. Antivirus does play a part in this, but it's one of those things where antivirus is the thing that happens when other controls have failed. That's where exhaustive protection mechanisms, for example, the CPU intensive way of cleaning something up is to clean the mess up after it happens. We want to try to defend it before it happens, but that AV solution in there as well is important to add that additional layer of defense.

That's what this layered approach is about—making sure we have zero day protection, we have protection after the update is pushed out. We have protection at the OS level and the application level. We have the ability to reduce admin rights so an attacker doesn't own the system if it takes over. It may have to work even harder to get further into the environment.
 
Simon: Okay, good. Matthew, you’re sitting next to me, and you've been with our business for quite some time. You've been talking to some customers over the weekend who we've been helping already, correct?
 
Providing protection to our customers

Matt: Yes. We've been able to assist customers over the weekend who did not have our security patching. In some cases, they were in quite dire circumstances. We were able to help build patch deployment over a very short time and enabled these customers to take back control of their IT environment. We are, therefore, now supporting a growing number of customers who are without patch solutions deployed, or who want to implement a short update of their security patches. This is the base level of multilayered approach or defense in depth as has been mentioned and is recommended by major government cybersecurity bodies such as the NCSC in the UK. I'm pleased to see that the offer we have made to customers, we are now making available to the wider Ivanti community.
 
Simon: Good. I think it's important to know, Chris and myself and our website—you can go to our website—we have a portfolio of solutions that can help in all four areas, but I think the point we want to really try and get across today is that these are principles. This is less about the technology, less about the vendor and the technology being used, and more about the principles. We need to ensure we are taking a preventative approach moving forward. There are ways you can patch your operating system using Microsoft tools. There are ways you can implement application whitelisting, privilege management, and removal of admin rights within the Windows operating system. Should you want more information on our solutions, that's fine, but please know this is about our recommendations, and these organizations' recommendations on these four key principles.
 
So, where to go to next? Chris, do you want to give us a little more information about what we are offering today?
 
Chris: Absolutely, Simon. One thing Phil talked about was the encouraging look at how much money has been paid out so far. It looks like people are not paying the ransom. We also encourage not paying the ransom. Microsoft has done a very encouraging thing, which was to release this SMB update for end-of-life platforms to make sure we could help stem the spread of this particular variant and other copycats that may come behind it.

Ivanti wants to help reduce the impact globally, as well, and for that reason, we are offering a free, no-strings-attached use of our software to help you patch your systems. It is a full-featured license of our product for 90 days, and it will help you roll out these updates. When you go to that get-well-quick landing page, it's going to ask you a couple of quick questions. It needs to know if you're using SCCM or not. That's how we'll trigger which product to give you. Then it's going to ask how many endpoints you're doing. This is not just a 50-seat trial, this is our fully licensed patch solution for the total number of endpoints you're managing in your environment. Give us those counts, and we’ll give you a license for 90 days to be able to go and do that. As Simon was saying, we're doing this because we want to help the global community stop the spread of this huge attack. That's the bottom line here. We want to help our customers and others who are trying to resolve this issue quickly.
 
This is for more than current customers. I know I saw a couple of questions already asking is this for prospects as well. Yes, absolutely. It doesn't matter if you're a current customer today or not, we want to help you stop the spread of this vulnerability, so go to that ransomware "get-well-quick" page. It will be live here shortly, if not already. The teams were working to wrap up the final processes and get ready to start handling people's requests coming in. You'll have until June 15 to request a license. Again, that license is good for 90 days for the seat count you give us, and again, no strings attached. As for the Ivanti blog, we’ll continue to post information relevant to this recent spread of ransomware, and keep forwarding that or attaching it to our main blog. We’ll continue to do that going forward until we know we're really out of the woods on this one. We have some great recommendations and best practices on our Ivanti and Shavlik communities for those of you who are familiar with Ivanti. At the start of this year, we were several brands, but now we are one brand under Ivanti. We have large customer bases under some of those brands, still, that are on different communities.

There's a lot of really good information for our current customers depending on which products you're using that will give you the guidance you need to identify which updates you need to push and what you can do to reduce the impact of the flow of this ransomware. A lot of the in-common questions we've been getting over the weekend—and there have been a lot of questions—we've put onto our community to make sure everybody has access to this information to help resolve this as quickly as possible.
 
Simon: Thank you, Chris, we appreciate that. I think we're about 38 minutes into our webinar. It took a little longer, but we do want to open it up now for Q&A. I will bring McKay back on. McKay, have you got some questions for us there?
 
McKay: We have a lot of questions, Simon. Let's get through as many of these as we can, everybody. First question, a lot of people have asked this, why did this one specifically spread so fast? We've seen this before, and they’ve stayed relatively contained. What made this one explode so quickly?
 

Why did the ransomware spread so quickly?

Phil: Let me see if I can take that. Really, the part of this software that's allowed for such a huge explosion has to do with the addition of the EternalBlue exploit. That exploit was created by the NSA and was leaked by Shadow Brokers, and, actually, about a month ago on April 4, sorry, back in March, March 14, a patch was available for that particular exploit. That patch is only about 60 days old now, and if you remember the graphic that Chris Goettl showed, 60 days is pretty young for a massive vulnerability like that. Therefore, a lot of systems remain vulnerable to it. In addition to that, this vulnerability is available, I guess, in previous or obsolete versions of the operating systems, as well, like XP, Vista, and Windows 2003. Those versions still have quite a large install base in different regions of the world. So there are a number of reasons why it ended up being very explosive.
 
McKay: Okay. And then, talk me through this: people are asking, as well, is the kill switch a temporary fix or is this a true kill switch? Also, why was it there, was this sloppiness on the part of these guys? What's the deal with the kill switch? We're getting asked a lot of questions about that.
 

What’s the deal with the kill switch?

Phil: A couple of good questions there. The kill switch is a permanent solution to this variant of the ransomware. It’s unique to this variant of the ransomware, so previous and future versions of this ransomware either won't have a kill switch or won't have this particular kill switch. Ransomware vendors, ransomware providers, I guess, if you can call them that, have kill switches in their software from time to time, because it's an easy way for them to turn off the ransomware worldwide at some point. It's part of the lifecycle of ransomware. The criminals know ransomware has a birth, a life, and a death kind of event, and they can choose the death event by including the kill switch.

I tend to agree that the addition of a kill switch was rather sloppy coding. Ransomware and malware, in general, is cobbled together from preexisting pieces of ransomware, so it might be that this particular kill switch existed before and was inadvertently added into this piece of ransomware. Either way, the kill switch was identified and was quickly activated, so we caught a break.
 
McKay: Okay. We're also getting questions about this, so I'll read this the way it's been asked: "What's being hit the most, workstations or servers? Describe that relationship and what's being impacted most dramatically here. How did that work?"
 

What did the ransomware hit first?

Chris: I'll take this one. It's hard to tell based on the information that's being shared right now. You can count on the fact that the first hit were workstations. This is where an attack is going to come in through a phishing scheme of some sort. But the SMB exploit, in this case, allows attacks to spread to servers and workstations. We do know that servers were hit, as well, but the entry point was in more cases likely the endpoint, a situation where you had a user involved.
 
I did see another question asking if application whitelisting or blocking applications would have helped here. Yes, absolutely, because you would be blocking untrusted payloads. If those payloads aren't signed properly, if they're not on a trusted list, they would be blocked, so that would have helped in a lot of cases, as well. Companies that had and effectively implemented whitelisting capabilities or application control capabilities would have been protected a lot more against this type of attack.
 
McKay: Okay. We have other people asking about specific Microsoft patches. They ask: "These numbers and stuff are confusing. Bottom line, if the May security rollup is installed, does that patch this vulnerability?"
 

Locating the Microsoft patch

Chris: That is a really good question. The March update was the last time Microsoft had a bulletin, but before that, they had already changed over to the cumulative rollup model or bundles. I've even heard a customer ask: "How do I know? What do I need to report on to know that this is in place?" The bottom line is, if you in March, April, or May, had pushed out the security-only bundle or one of the cumulative rollups for the operating system, in any of those months, you would have plugged the SMB vulnerability. So you're looking for the rollup or the security-only bundle. MS17-010 was the bulletin this was addressed under, but that bulletin was part of either the security-only bundle or the cumulative rollup for that month, whichever one you pushed.

There are KB articles on the community that have a list of which updates those were specifically, in our catalog, to help you identify those, as well. Those KB articles on the community are trying to help people identify the cumulative rollup or the security-only bundle that specifically addresses it, instead of saying MS17-010, which you won't find on the system.
 
McKay: Great. We’ve talked a lot about Windows and Microsoft, but is this impacting other OS, as well? How broad does this go? I know there's probably a lot there, but what are your thoughts on that, panel?
 

Which OS does the ransomware attack?

Simon: This particular one is Windows only. The particular vulnerability that needs patching is on Windows systems only. I fear there's a question out there that asks is there any risk for Windows 10 desktops? The answer to that is yes, there is a risk for Windows 10 desktops if they haven't been patched, as per Chris's last point. There's nothing to say, at this stage, that there are any vulnerabilities or exploits similar to this one that would affect any other operating system. At the moment, it's Windows workstations and Windows servers.
 
McKay: There are several more here, and I'll just try to weed through these. Andrew asked: "Will the ransomware hit the workstation that got phished even if you patch the SMB vulnerability?" And we've also had people ask: "If this has already happened to me, can patching stop or fix this midstream?" There are two different questions there, but related.
 

Will patching after infection help?

Simon: Yes. Very good questions. Let's take the first one, the ransomware that came in initially. I think it's still up for speculation as to how some of this ransomware actually entered an organization. Chris mentioned earlier that we believe, and there are reports, that it came in via a phishing scam. We've also touched on the fact that it spread as quickly as it did because of the vulnerability. Assuming the vulnerability was patched, that piece of ransomware still has the ability to come in via a phishing attack and ultimately download and execute a payload, which would at least encrypt all of the local files, probably files on the shadow copy, and files on any mapped drives. My thoughts on that, and Chris you can confirm, my thoughts would be that it would act and respond more like what we saw, dare I say, with the Locky virus of last year.
 
Chris: Correct. If you had the SMB updates in place, you would have stemmed the spread of this through your environment. Every system that got hit would have been hit individually through either a phishing scam, attachment, or some sort of attack like that to get on the system. But you would have stopped the massive spread throughout your organization. It would have been a lot more localized.
 
Simon: Yes, and I think we come back to application control or application whitelisting and the need to do that. When you implement something like application control, you’re not only implementing a solution that controls .EXE files, but also implementing the solution that is looking at all types of executables—DLL files, OCX files. You're also implementing a solution that has the ability to tell the difference between a trusted script and a nontrusted script. If the phishing attack is utilized in VBScripts, PowerShell scripts, ZIP files, changing registry keys, trying to use existing executables, admin tools like CMD.EXE, and the like, then an application control, application whitelisting solution, would ultimately prevent all of those phishing techniques in the first instance.

The second question, McKay, sorry, remind us what the second question was asking about.
 
McKay: The second question relates to what if this is already happening, and we install this midstream. Is it going to stop things? What's the impact of this if we've already been hit? Can we install patching and life's better?
 
Simon: Installing the patch is going to stop the spread of that particular piece of ransomware. I'll hand over to Chris, but if we think back to Chris's slide where we spoke about two to four weeks, 50 percent of the exploits, and 90 percent of the exploits after that, I think if damage has been done on one or two systems, there is a strong likelihood the damage has gone further than you may initially think. Do you agree with that statement, Chris?
 
Chris: Yes. The biggest thing, at this point, is pushing out the update will help reduce the flow to other machines. If the ransomware is already on the system, if it got past the other security measures, it's down to AV to clean it up. That's where AV is definitely a critical part of this layered approach. Continuing to push those updates out will help to reduce the potential eventuality of reinfection and the reintroduction of it back into a system.

If you remember back to Conficker, back when I was still an SC, we had a lot of customers who, even after getting their system cleaned up, got reinfected because they didn't plug all of the holes. You need to make sure you patch the SMB update. You need to make sure you patch the browsers, the media player products, all the other ways the phishing scam can let the ransomware back into the environment, so you don't get reinfected. You also need the AV solution. Make sure your signatures are up-to-date, that it's running and cleaning up the infected machines. So it's a combination of things you need to do, but patching, even if you're already infected, is still very critical, otherwise reinfection is going to be a challenge.
 
McKay: Now, we have people asking about specific patches, so I'm going to throw some stuff at you here. We have several people asking, do we use MS17-010 or the cumulative patch? Thoughts on that and exactly how they plug this hole?
 
Chris: The MS17-010 was the bulletin Microsoft announced that included all of the vulnerabilities being resolved for SMB. That bulletin was part of March's rollup of updates and is where they documented everything. The cumulative rollup or the security-only bundle for the pre-Windows 10 systems is how you get that bulletin.
 
McKay: All right, a couple more and then we'll close. We have several questions about AV. Does AV clean these up? What AV do you recommend? How big a part of the overall solution is AV?
 

What is the role of AV?

Phil: I can take that one real quick. As I mentioned, on Friday about 30 percent of AV vendors were able to correctly identify and mitigate this issue. What they were able to do was, based on the signature of the ransomware, identify it and stop it from executing before it encrypted anything on your systems. As of today, most if not all AV providers have the ability to correctly identify that environment.

In terms of which AV vendor to select, we at Ivanti are partners with Bitdefender and Kaspersky, both of which were able to identify this as of Friday morning. I guess the answer is, you need to do your research and figure out which AV vendor is most likely to provide you with the best service. I think that's where that goes.
 
McKay: So, let's finish up here by going around the panel and making sure everyone knows exactly what their action items are. And again, I view this as you said at the start, Simon, as less of a traditional webinar and more as a collaborative. What are our action items leaving this call? If I'm on this call and I'm worried about this, what do I need to do right now? Chris, do you want to take that in terms of what people need to do or install?
 

The action items to do today

Chris: Yes. What do I need to do right now? Make sure you have your system update and are able to start patching.
 
McKay: Phil or Simon, give us our action items right now.
 
Simon: My number one recommendation would be, to Phil's point, go and speak to your antivirus provider. Make sure you have the latest updates and confirm they can at least detect whether this piece of ransomware has infected your environment. That’s going to give you a good gauge on whether you have been attacked and whether you're currently vulnerable.
 
The second point, once you've done that, is very quickly afterwards get the patches from Microsoft or a third-party patch solution onto your Windows-based environments, focusing your attention first on Windows XP and Server 2003. There is a strong likelihood that if you have Windows 10 in your environment and you have a good patching discipline, those systems will already be protected. I would start with the highest-risk machines first.

Once you've done that, you will be in a very good position. Your AV will have given you good indications of whether you've been infected. Your patching will ensure that if you have been infected, that vulnerability no longer exists, and that piece of ransomware cannot spread any further within your environment.

At that point, it will be a case of looking at remediation and fixing those machines that have been infected. Depending on your AV vendor and on what took place on your machines—whether your users had admin rights or not—will determine whether you're able to restore some of that data using antivirus, or whether you're going to have to restore some of that data using backups in another way.
 
Lastly, once you've cleaned all those infected machines and you're back in a good place, perhaps it's time to start looking at ways you can protect against ransomware attacks moving forward, for example by removing local admin privileges and/or implementing application whitelisting.
 
Phil: Another thing you want to look at is making sure your network of appliances is not blocking the kill switch URL. The kill switch is 42 characters long, they're random characters, and it has a .com at the end. You need to make sure all your machines have access to that URL. As of today, that's one of the better ways to make sure you don't continue to get infected. Make sure you have a clear path to that kill switch URL.
 
Simon: That's a good point, and that is probably near the top of the priority list and one of the simplest things you can do right now. Correct, Phil?
 
Phil: Absolutely.
 
McKay: Okay. Simon, would you go back to the previous slide with the URLs on it, so we can have that up on the screen?
 
Simon: Sure.

Final thoughts

McKay: Thank you. Any final thoughts, panelists? I'll go through a couple of announcements, but any final thoughts for the group before we close?
 
Simon: None for me. I think we all have to get on and try and get back to the place we were prior to last Friday.
 
McKay: Phil, any final thoughts for me?
 
Phil: Yeah, we're at war. This is a battle with criminals. By paying this ransom, we're giving them an incentive to do this to us again and again and again. Let's think about the fact that we're at war with criminals, and we want to make sure we don't provide them with that kind of incentive. I'm really encouraged by the fact that only $48,000 of Bitcoins have been transferred. But $48,000 might be enough for somebody to say, "Yeah, it's worth it, let's do it again." Remember that this is a battle.
 
McKay: Matt.
 
Matt: I think the only thing is to say that we are in the process already of helping and supporting customers. As we said on the call today, we want to reach out to help our customers and those we would call prospects. Please get in touch with us, and we'll be glad to support you.
 
McKay: Great. Gentlemen, thank you for doing this. We appreciate it. Everybody, thank you for joining. Before we go, note the URLs on your screen. We are willing and able, if this thing continues, to provide updates. We may do a webinar later this week where we talk about what’s happened in the past 48 hours, so watch for that. Go to ivanti.com. In the main area on the home page, you’ll see a big banner that says Breaking News with a link to a blog post that is constantly updated. Chris, Phil, Simon, Matthew, the security team will post updates there regularly. That's your source. That’s where you go to find out what's going on and how you need to fix it.
 
One other thing I would say to these guys on the call is thank you. These guys worked through the weekend, I know the security product teams did, to put this together and also provide solutions. So thanks for doing that. As you can see, we have the best experts in the business.
 
The last thing from us is we'll gather all the questions—we couldn't get to even a portion of them—we'll gather all the questions, put them in a blog post, and have the panelists respond to them, so you can see every question that was asked and the answer to it. Everybody, thanks for your time today. We'll get the recording of this session out, as well. Simon, Chris, Matthew, Phil, thanks for your time, and thank you sincerely everyone for joining us from all around the world. We appreciate your time, and our goal is to help you fix these problems and prevent them.
 
Thanks everyone.