View on-demand webinar: http://bit.ly/2qoNQ8v What you need to know and how to protect against the WannaCry Ransomware Attack, the largest coordinated cyberattack of its kind. WannaCry has already crippled critical infrastructure and multiple hospitals and telecommunications organizations, infecting 100s of thousands of endpoints in over 100 countries. In this on-demand webinar, we discuss the anatomy of this unprecedented attack and IBM Researchers share expert insights into what you can do now to protect your organization from this attack and the next one.

1. WannaCry Ransomware
WHAT TO DO NOW
Diana Kelley
May 16, 2017
Executive Security Advisor
IBM Security
Kevin Albano Jim Brennan
X-Force IRIS Global Lead for Threat Intelligence
IBM Security
Director of Strategy and Offering Management
IBM Security

2. 2 IBM Security
Overview
• What is WannaCry?
• The anatomy of the attack
• How to protect my
organization NOW
• Back to basics
• Best practices
• Next steps

3. 3 IBM Security
What is the WannaCry ransomware attack?
• Began on May 12 but leverages
previously known exploits
• Infiltrates endpoints and encrypts
all the files, demanding a ransom
payment $300 USD in bitcoin
• Exploits a known Windows
vulnerability that enables remote
code execution
̶ Microsoft Windows patch was
available in March; those who didn’t
address this patch are vulnerable
• Crippled at least 100K
organizations across multiple
industries in over 150 countries
• 200K+ infected endpoints

4. 4 IBM Security
What makes WannaCry so sophisticated?
• The malware uses highly potent
NSA exploits that were allegedly leaked
by “ShadowBrokers” in April 2017
• Exploits a flaw in the Server Message Block
(SMB) that enables it’s worm-like propagation
• Uses strong, asymmetric encryption,
employing the RSA 2048-bit cipher
to encrypt files
• Uses a modular architecture which is used in
legitimate software and in complex malware
projects like banking trojans

5. 5 IBM Security
WannaCry: The Anatomy of the Attack
• Crippled at least 100K organizations across multiple industries
in over 150 countries
• 200K+ infected endpoints
• $60,000 paid so far but will rise and paying ransom is not recommended
• Ransomware slowed down by the accidental discovery of a killswitch
• However new variants have emerged with no killswitch or different domains
LATEST INTEL
ROOT CAUSE
FIRST STAGE
EXECUTED PROPOGATION STEP 11 2 3 PROPOGATION STEP 24
invokes SMB protocol
for port scanning
Attempts ‘DoublePulsar’
backdoor to send WCry to
target endpoint , propogates
‘EternalBlue’ scans servers for
DoublePulsar’; If not found,
delivers Wcry and propagates
DROPS TOR CLIENT
INITIATES ENCRYPTION RANSOWARE NOTICE6 7
Launches Tor client
on infected endpoint,
anonymizing communications
Encrypts 160 file extensions
and deletes shadow copies
5
Displays ransomware
message with instructions
to decrypt
?

6. 6 IBM Security
How can I protect my organization now?
Scan for DOUBLEPULSAR during cleanup and confirm anti-virus
signatures are up to date
Reduce your attack surface by ensuring that all Windows
systems are patched (MS17-010)
Block SMB ports (particularly ports 139 and 445) from external hosts;
Block UDP ports 137 and 138 from the local network to the WAN
Disable SMBv1 and SMBv2 and only permit SMBv3
connections by policy on clients
Back-up critical data on a regular basis
1
2
3
4
5

7. 7 IBM Security
PATCH
Apply critical vulnerability
patches to reduce
attack surface
BLOCK
Protect
networks from
advanced threats
and malware
MONITOR
Leverage deep security
analytics to correlate
disparate data, detect
emerging threats
RESPOND
Orchestrate
an incident
response plan
Security best practices

8. 8 IBM Security
Fragmented defenses, slow to respond
Insufficient
Visibility
Sporadic
Endpoint Hygiene
Silos of Teams
and Tools
Patching 101: Where endpoint tools are challenged PATCH

9. 9 IBM Security
Ensure ability to discover and report on all endpoints (including
unmanaged ones) regardless of location and bandwidth
Automate patch deployment to impacted endpoints wherever
possible
Utilize closed-loop verification to ensure patch success
Apply critical vulnerability patches enterprise wide to
reduce attack surface
1
2
3
PATCH
Enable a state of continuous policy enforcement across
endpoints to reduce attack surface4

10. 10 IBM Security
Deploy network protection devices in-line
Ensure you have IP reputation and URL filtering feeds to
enable automatic blocking of malicious site access
Ensure network protection signatures, firmware are up-to-date
Block malware and advanced threats from entering into
your network
1
2
3
BLOCK

11. 11 IBM Security
Detect emerging threats by leveraging deep security
analytics
MONITOR
Get a common, correlated view with prioritization of security
analytics relevant logs, network traffic flows and user behavior
Deploy network security devices to detect malicious software
and exploit activity in real-time
Use cloud-based malware analysis service with automatic send/
receive capability for rapid for threat identification
1
2
3
Leverage cognitive to go beyond structured data limitation and
incorporate the latest global research insights on active threats4

12. 12 IBM Security
Get help from highly skilled experts with incident management
and security intelligence experience to help you during a crisis
Preparation is paramount; Develop an incident response plan
and test it to align people, processes and technology
Ensures IR processes are consistent, proven, easy to refine,
and compliant
Identify, detect, contain and remediate threats before they
spread and cause more damage
Transform incident response to align people, process,
and technology
Enable decisive action through complete IR orchestration
and automation
RESPOND
1
2
3
4
5

13. 13 IBM Security
PATCH
Apply critical vulnerability
patches to reduce
attack surface (BigFix)
BLOCK
Protect
networks from
advanced threats
and malware
IBM Security is here to help
• QRadar w/ Watson
• X-Force Exchange
• X-Force Malware
Analysis
• QRadar Network
Security (XGS)
• BigFix
• Resilient
• BigFix
• X-Force IRIS
MONITOR
Leverage deep security
analytics to correlate disparate
data, detect emerging threats
IBM Managed
Security Services
RESPOND
Orchestrate
an incident
response plan

14. 14 IBM Security
Next steps
• Follow the updates on X-Force Exchange
• Refer to X-Force Ransomware Response Guide to evaluate organizational readiness
• Learn more about protecting your organization: sign up for our webinar series to learn
more about monitoring, patching, blocking & responding
For immediate help, call the IBM X-Force Incident Response Hotline
USA +1-888-241-9812
Global +1-312-212-8034

15. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU