It’s been a few weeks since WannaCry ransomware captured headlines and computers the world over. We now know how it spread, and how it captured so many Windows 7 machines.
The WannaCry (also known as WannaCryptor) attack was first reported on May 12 and spread to more than 230,000 computers in over 150 nations. Attackers used strong encryption to render captured computers useless without the correct unlock keys. Additionally, there are reports that victims could not decrypt their files even after paying the ransom.
WannaCry’s ransomware component of the payload works just like other ransomware; it searches for files with specified extensions and encrypts them. But its worm component is different, and it uses an Server Message Block (SMB) v1 vulnerability (CVE-2017-0144) to spread.
Microsoft released a security update (MS17-010) to fix this vulnerability on March 14, 2017. This March-to-May window demonstrates that even if OEM manufacturers respond in a timely manner to exploits, often, the weak link is the end user failing to apply the required patch.
At VMware, we believe there’s another way. If computers and networks are intelligently locked down, then end-user tardiness may be temporarily mitigated.
After the infection, the malware dropper code attempts to connect to the below URL using InternetOpenA() WinInet API and exits if the connection is successful. We therefore recommend that you allow this traffic through your filters in order to stop the malware activity.
Next, the dropper installs and starts a service named mssecsvc2.0, which in turn, drops the payload ‘C:WINDOWStasksche.exe’ and executes it. Prior to copying the payload, dropper renames the existing tasksche.exe.
The worm component scans all internal and external endpoints, and exploits the SMB v1 vulnerability to spread. The ransomware component searches files with specified extensions (Microsoft research shows 178 file types) and encrypts them.
According to Microsoft there are two highly likely scenarios used by WannaCry:
- SMB vulnerability
- Social engineering
It is not easy to exploit the SMB vulnerability from outside an organization because of the multiple layers of protection (firewalls, multi-tiered DMZ, etc.) commonly deployed. It’s often easier to trick a user into clicking and launching malware using social engineering and phishing techniques.
After this initial infection within the organization, it can then use the SMB vulnerability to spread inside. Our analysis shows that this initial attack vector, using social engineering, can be prevented by enforcing the principle of “least privilege.”
As part of infecting an endpoint, WannaCry performs the following actions:
- Drops a payload to the C:WINDOWS directory
- Creates / updates several HKLM keys including ‘Run’ key
- Creates a service
When a user inadvertently clicks on a malware attachment in an environment where they do not have local admin privileges or elevated permissions to system folders and the HKLM registry hive, the process does not have the ability to drop and execute its payload.
In other words, if computers and networks are intelligently locked down, then malware struggles to propagate. Although the SMB vulnerability vector does not require any user action, the social engineering vector does, and the principle of least privilege could potentially prevent infection. The United States Computer Emergency Readiness Team (US-CERT) mentions the principle of least privilege as one of their recommended steps for preventing attacks like this.
Removing Users’ Admin Rights
Part of the answer to attacks like WannaCry is to simply remove admin rights from end users. However, that’s not as straightforward as it may sound. There are a couple of reasons why enterprises continue to provide local admin access to user accounts:
- Legacy applications (vendor and in-house written) update files and sub-folders in system and program files directories instead of writing to user data folders. Some of them also update HKLM locations instead of HKCU.
- Users need to install applications.
Balancing Least Privilege & User Empowerment
Very few users are happy with a totally locked down PC. There’s often a case for a user patching software, or installing something that is outside of a corporation’s standard image in order to be more productive at their job.
What is needed is a smart management system, that allows for the flexible application of admin rights in a policy-controlled way. Many vendors offer such a system. VMware’s answer is VMware User Environment Manager. (Clearly, we believe our technology is better than that of our competitors, but for the sake of computers everywhere, please investigate deploying such a solution.)
It is precisely for handling the use cases mentioned above—whilst maintaining the principle of least privilege—that we recently announced the ability to configure privilege elevation for applications in our newest release of User Environment Manager 9.2. You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.
Additionally, if your internal network is completely open, we strongly encourage you to consider micro-segmentation to help arrest the spread of infections should your perimeter defenses prove insufficient.
VMware is committed to help IT secure interactions between users, applications and data, in an environment that is changing and becoming increasingly dynamic—from public and private multi-cloud environments to the proliferation of mobile devices. Read more about our approach to transforming security, or download a free trial of User Environment Manager and experience policy-controlled least privilege yourself.