by / Saturday, 20 May 2017 / Published in Arit News


What we know so far

A major ransomware attack broke on Friday May 12, affecting many organizations the world over, reportedly including major telcos, hospital systems and transportation providers.  The attack has purportedly spread to some 150 countries around the world. This is the first ransomware worm to ever be seen in the wild. The malware responsible for this attack is a ransomware variant known as ‘WannaCry’.

 WannaCry gets installed through a vulnerability in the Microsoft SMB protocol, not phishing or malvertising.  SMB is a network protocol used to share files between computers. The reason WannaCry is particularly effective is that it can spread laterally on the same network, automatically installing itself on other systems in the network without any end user involvement.  The malware is particularly effective in environments with Windows XP machines, as it can scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.

 On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers remained unpatched globally. This is particularly true of Win XP computers which are no longer supported by Microsoft, as well as the millions of computers globally running pirated software, which are (obviously) not automatically upgraded.

For more information on the Wannacry Malware visit http://blog.talosintelligence.com/2017/05/wannacry.html.


Ransomware Overview

Ransomware uses traditional malware attack vectors such as phishing emails and exploit kits to deliver the ransomware to a desktop. Once established, it takes over systems and stored data, encrypting their contents, denying access, and holding them hostage until a ransom is paid. Ransomware uses well-established public/private key cryptography, so that the only way to recover the files is to either pay of the ransom or restore files from backups. Typically, if the ransom demand is paid, the attacker often, but not always, provides the decryption keys to restore access.

Ransomware is the most profitable type of malware in history. In the past, malware typically did not deny access to systems or destroy data. Attackers primarily tried to steal information and maintain long-term access to the systems and resources of their victims. Ransomware has changed the game from stealthy undetected access to extortion.

Every single business or person who pays to recover their files, makes this payment directly to the attackers. The relatively new emergence of anonymous currencies such as Bitcoin and other forms of crypto currency gives attackers an easy way to profit with relatively low risk, making ransomware highly lucrative and funding the development of the next generation of ransomware.

As a result, ransomware is evolving at an alarming rate, as shown in the Figure below. It is projected that future versions will propagate like worms, spreading throughout an organization in a coordinated manner and aggregating the ransom demand.


The denial of access to these critical resources can be catastrophic to businesses:

  • Healthcare—Hospitals might lose the ability to provide patients with real-time care (admittance, surgeries, medications, and so on.)
  • Public safety—Responders might not being able to respond to 911 or emergency calls
  • Financial—Banking systems might go offline for trading or banking activities
  • Retail—The inability to process payments so that customers are not able to make purchases

Ransomware Infection Process

 infection process

  1. Ransomware is commonly delivered through mass phishing campaigns, malvertising, or targeted exploit kits.
  2. After delivery, ransomware takes control of your system and may try to communicate back to its command and control infrastructure to create and transmit the public/private keys used to encrypt the files.
  3. After the ransomware has the necessary keys, it identifies specific file types and directories to encrypt and avoids many system and program directories, ensuring stability for delivery of the ransom after it finishes running.
  4. After encryption completes, a notification is left for the user with instructions on how to pay the ransom.

We can help protect your business from the ransomware threat using  Cisco’s defense-in-depth architecture, protecting your users both inside and outside the network.

The Ransomware Defense Solution creates a defense-in-depth architecture with Cisco Security best practices, products, and services to prevent, detect, and respond to ransomware attacks.

Cisco’s Ransomware Defense Solution is not a silver bullet or a guarantee, but it does help to:

  • Prevent ransomware from getting into the enterprise wherever possible
  • Stop it at the system level before it gains command and control
  • Detect when it is present in the network
  • Work to contain it from expanding to additional systems and network areas
  • Perform incident response to fix the vulnerabilities and areas that were attacked


At  Arit of Africa we believe a defense-in-depth strategy is always the best approach to information security.

Because this is a  Microsoft Windows vulnerability with a potential for rapid network hijack , we recoomend implementing the following best-pratice procedures:

  1. Ensure that devices running Windows are fully patched. In particular, apply the following: Microsoft Security Bulletin MS17-010
  2. Strongly consider blocking legacy protocols like SMBv1 inside the network. Additionally, consider blocking all SMB connections (TCP ports 139, 445) from externally accessible hosts

To be clear, if these vulnerabilities aren’t patched, an organization will continue to be at risk for infection by this ransomware. However, the following Cisco Security products can limit the installation, spread, and execution of WannaCry:


  •  Cisco Network Security (NGFW, NGIPS, Meraki MX) products have had up-to-date rules (since the vulnerability was known in mid-April) to detect and block this malicious activity on SMB connections.
  • Cisco Malware Protection technology (AMP on endpoints, network, and email/web gateways) have up-to-date information on this ransomware and in fact quickly detected and prevented the execution of this ransomware.
  • Cisco Cloud Security (Umbrella) can block connections from malware to command-and-control servers on the internet which results in improper execution of the malware. In this situation, this block automatically triggered a “kill switch” in the malware.
  • Also there is likely to be variants of WannaCry in the coming days and weeks. While the current variant will be added to anti-virus signatures, the new variants have the best chance of being detected by the modern behavioral techniques in Cisco AMP.
  • Cisco Identity Services Engine (ISE) which checks the corporate devices for the installation of the right patches to prevent the attack on enterprise PCs before gaining access to the Network
  • Cisco Rapid Threat containment solution which isolates an infected system in the event of compromise.
  • Cisco Ransomware solutions.

 Find below an overview on the above mentioned solutions.








You can reach out to us for more information about each solution and which best suits your Enterprise. Our technical experts will sit with you and analyze your entire network security strategy in-depth and come up with recommendations on how to  prevent and mitigate more of these type of attacks.

More Resources

Cisco Rapid Threat Containment FAQ Cisco Rapid Threat Containment Solution Overview Cisco Rapid Threat Containment Cisco-Umbrella-at-a-glance Ransomware-Defense-for-Dummies Rapid Threat Containment Data Sheet

Leave a Reply

ChatClick here to chat!+