What is Zscaler Cloud Sandbox? Defending against ransomware

March 26, 2017

Following analysis of the WannaCry ransomware attack, Zscaler determined that, in this case, the initial delivery vector was not HTTP/HTTPS. Multiple steps were still taken to block the payloads and the post-infection activity of this ransomware strain as it morphs.

[Figure: Zscaler Cloud Security Platform components]

How Zscaler can help with preventative measures

Firstly, make sure you have followed our guidance to protect yourself from the WannaCry ransomware.

The initial variants were configured with a killswitch domain: if the connection to this domain succeeds, the malware terminates. We are already seeing newer payloads without any killswitch domain.

Shortly after the attack, Zscaler added multiple signatures and indicators to block the original payloads as well as post-infection activity, to help any organisations affected by this campaign in their remediation efforts.

Advanced Threat Signatures:
Win32_Ransom_WannaCrypt0r
Win32_Ransomware_WannaCry
Win32.Ransom.WannaCry

In-line AV signatures:
W32/Trojan.XLPA-1871
W32/Trojan.VYDA-0103
W32/Ransom.ZTSA-8671
W32/Trojan.UXKN-7334
W32/Trojan.FSSE-8992
W32/Trojan.AHAZ-1193
W32/Trojan.TSYV-5087
W32/Trojan.FXSJ-2552

Zscaler Cloud Sandbox provides the best line of proactive defence against these evolving ransomware strains, and it successfully detected the WannaCry ransomware payloads. Here is a sample Cloud Sandbox report from one such detonation:

[Figure: Zscaler Cloud Sandbox report]

What is Zscaler Cloud Sandbox?

Zscaler Cloud Sandbox sits between users and the Internet, wherever they are, analysing unknown files for malicious behaviour. Delivery from the cloud means all users, regardless of location, get protection without VPNs or data-centre backhaul links. Integrated in Zscaler's Cloud Security Platform, you get a full security stack from day one. There's no hardware to buy and no software to upgrade; just point your traffic to Zscaler. Simple.

SSL inspection. Over 60% of Internet traffic is over SSL, and most advanced threats hide in SSL. Zscaler Cloud Security Platform provides native SSL inspection.

Cloud Firewall. With Zscaler's Cloud Firewall, policies that block outbound SMB traffic on ports 139 and 445 can be configured in a single console and applied immediately across all locations.
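One way to verify that such an SMB egress block is actually holding, as an added example that is not Zscaler's code: the script below parses constructed firewall log lines in an assumed format and reports any allowed TCP connection to port 139 or 445 whose destination lies outside the assumed internal (RFC 1918) ranges.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}
# Assumed internal address space (RFC 1918); adjust to the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines in an assumed format, not from a real deployment.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z ALLOW src=10.1.2.3 dst=10.1.2.50 dport=445 proto=tcp
2017-05-12T10:01:09Z ALLOW src=10.1.2.3 dst=203.0.113.7 dport=445 proto=tcp
2017-05-12T10:01:10Z BLOCK src=10.1.2.3 dst=198.51.100.9 dport=139 proto=tcp
2017-05-12T10:01:12Z ALLOW src=10.1.2.3 dst=198.51.100.9 dport=443 proto=tcp
2017-05-12T10:01:15Z ALLOW src=10.1.2.4 dst=192.0.2.33 dport=139 proto=tcp
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip_text):
    """True if the address falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_egress_gaps(log_text):
    """Return (ts, src, dst, dport) for allowed TCP SMB connections to external hosts."""
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["action"] != "ALLOW":
            continue
        if rec["dport"] in SMB_PORTS and not is_internal(rec["dst"]):
            gaps.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return gaps
```

Each tuple returned by find_egress_gaps is a connection the egress policy should have blocked, so an empty result on real logs is the expected state after the rule has been applied everywhere.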