WannaCry and BlueDoom deterred by a layered approach to cyber defence

Hundreds of thousands of organisations were compromised in over 150 countries, locking users out of their PCs, and even causing NHS operations and patient appointments to be cancelled.

WannaCry may be winding down, but right on its heels comes a more persistent worm called BlueDoom, which looks even more threatening. BlueDoom appears to have weaponised all the exploits in EternalBlue and poses a big risk as a launch pad for future attacks.


This worm has very strong persistence capabilities and would be very difficult to remove from a Windows-based OS without reimaging the system.

So, what is known about it?

If nothing else, this global ransomware epidemic should raise awareness amongst organisations of the value of defence-in-depth security – because no single security control is going to keep your systems safe in the current threat landscape.

A brief history of WannaCry

What do we know about the attack itself? Well, one possible entry point was via phishing emails designed to trick the user into clicking through and starting a malware download. The ransomware would then fly into action immediately and encrypt every file in a targeted organisation, charging $3-600 for the decryption key.

Experts also know it spread worm-like inside the organisation and out to the wider internet by using the NSA’s EternalBlue exploit, released recently by the Shadow Brokers. This targets CVE-2017-0145, a Windows vulnerability that allows remote attackers to execute arbitrary code via crafted packets sent to an SMBv1 server.


Microsoft released a patch for this in March (MS17-010) and then pushed out an emergency patch for unsupported versions including XP, Vista, Windows 8, and Server 2003 and 2008 Editions on 13 May.

It is also clear that there was a so-called “kill switch” built into the original WannaCry code, which helped provide a temporary defence for organisations looking urgently to patch against the threat.

However, on 15 May, just three days after the ransomware first made its appearance, Ivanti spotted a new strain, dubbed UIWIX, which had removed this functionality. WannaCry infections are now virtually at zero, but new variants such as BlueDoom will continue to cause organisations problems, as there’s effectively no way to turn them off.

Scores of NHS Trusts, and organisations as diverse as FedEx, Telefonica and the Russian Interior Ministry were reported to have been hit by the blitz. WannaCry did not discriminate, and caused damaging service outages wherever it went. The costs in lost productivity, damaged reputation, remediation and clean-up could be immense.


Time for a layered defence

Many organisations were caught out by this attack, despite a patch being available since March for supported operating systems. So, what’s the problem? Unfortunately, the SMB update itself caused significant changes to this key communication protocol.

IT admins know that these kinds of changes can cause third-party software to misbehave, so many delay roll-out while they test. That may have critically delayed the implementation of patches.

Combined with some organisations running unsupported OS versions, it created the perfect conditions for global mayhem.

The question now is, what can we do to secure systems and prevent this kind of thing happening in the future? Defence-in-depth must be a priority, so that no single security control can be a point of failure.


Traditional AV is great for preventing many threats, for example, but with WannaCry it took several days until the AV vendors could consistently detect and block the rapidly spreading ransomware.

New variants like BlueDoom take time to detect reliably, so many machines worldwide are infected before AV alone becomes an effective measure to prevent infection.

This makes patching your number one priority, simply because it reduces your attack surface. Would you rather defend against 1,000 vulnerabilities or 10? Patching can help move your organisation towards the latter scenario.

As mentioned, this is not always achievable immediately, but we reckon your “time to patch” goal should be around two weeks from the date of the vendor’s security update. It must be said, though, that at this point with WannaCry, IT teams should apply the patch to plug that hole immediately and fix any broken apps afterwards, rather than run the risk of a major ransomware infection.


After patching should come application control – including whitelisting, memory injection protection, and privilege management – to help mitigate the threat from as-yet-unknown vulnerabilities.

Some argue that whitelisting is cumbersome and can cause disruption to users, but there are more dynamic, “just in time” approaches available that provide adequate security without major drawbacks.

There are other layers to your cybersecurity defences to consider. User education is vital to preventing those initial – potentially malware-laden – phishing emails, while regular back-ups will mitigate the risk of data loss in the event of a ransomware blitz.

Correctly configuring Windows firewalls could also help to halt the spread of ransomware within the organisation. However, patching and application control should be first on the list for all organisations looking to rebuild their defences following this incident.
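The two controls the article puts first, confirming the MS17-010 patch is present and using the Windows firewall to stop SMBv1 worms spreading over TCP 445, can be checked and applied from one script. This is an added example written for this page, not Ivanti’s or the article’s own code; the KB identifier is a placeholder to be filled from the MS17-010 bulletin for your build, and the cmdlets assume Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the article): check-and-harden script for a Windows
# workstation against SMBv1 worms such as WannaCry and BlueDoom.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Placeholder: the KB carrying MS17-010 differs per Windows build. Take the
# identifier for your build from the MS17-010 bulletin and list it here.
$Ms17010Kb = @('KB_PLACEHOLDER_FOR_YOUR_BUILD')

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kb) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # SMBv1 is the protocol EternalBlue abuses; the server side is what a worm hits.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1Server {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-InboundSmb {
    # Workstations rarely need to serve SMB. Blocking inbound 445/139 on every
    # profile stops an infected peer reaching this host even before it is patched.
    # Do NOT apply this to file servers or domain controllers; scope it to endpoints.
    foreach ($port in 445, 139) {
        $name = "Block inbound SMB TCP $port (ransomware containment)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

# Report first, then remediate what is still open.
if (Test-Ms17010Installed) { Write-Host 'MS17-010: installed' }
else { Write-Warning 'MS17-010: not found - patch now, fix broken apps afterwards' }

if (Test-Smb1Enabled) { Write-Warning 'SMBv1 server enabled - disabling'; Disable-Smb1Server }
else { Write-Host 'SMBv1 server: already disabled' }

Block-InboundSmb
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' |
    Select-Object DisplayName, Enabled, Action
```

Disabling SMBv1 on the server side takes effect immediately, but any remaining clients that still speak only SMBv1 will lose access to shares on this host, which is exactly the kind of breakage the article says should be fixed after the patch, not before it.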


The truth is that WannaCry was a long overdue wake-up call for many organisations. Attacks like this – albeit on a smaller scale and without the added spice of nation-state exploits – have been happening for years, and more are yet to come.

The most important takeaway from this series of cyber attacks is that cyber security is an ongoing effort. Business leaders and their security teams need to get more proactive by building layered defences to keep the bad guys like BlueDoom and WannaCry out, and that starts with preventative controls like patching.


Sourced by Simon Townsend, chief technologist EMEA at Ivanti




Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...