At the first signs of what was to become a global ransomware attack on May 12, the endpoint detection and response (EDR) team at Tanium sprang into action to help our customers. Here, we provide guidance on how to use Tanium to quickly discover and mitigate the issues.
Corporations worldwide are being affected by a widespread ransomware attack which rapidly propagated and reached critical mass on May 12. The scope of the attack initially involved more than a dozen healthcare organizations in Europe, as reported by the U.K.’s National Health Service. As the day unfolded, however, it became clear the attack is, in fact, global. By May 15, the attack had spread to 150 countries and approximately 200,000 machines.
Initial indications point to a new variant of the “WannaCry” strain of ransomware, also known as “wcry” (and alternatively spelled WanaCry by some media outlets). The following summary provides guidance on using Tanium to mitigate and respond to this malware.
One of the infection and propagation vectors associated with this family of malware leverages a vulnerability in Microsoft SMBv1, documented in MS17-010, published on March 14, 2017. Tanium customers with Patch can verify their Microsoft-supported endpoints are protected from this issue. If any endpoints are not protected, customers can rapidly deploy Microsoft’s fix using Tanium’s efficient architecture.
Tanium customers with Patch can easily find vulnerable systems using the simple questions below.
Patch 1.x and Windows Security Patch Customers:
Get Available Patches matching "(.*4012598.*|.*4012212.*|.*4012215.*|.*4012213.*|.*4012216.*|.*4012214.*|.*4012217.*|.*4012606.*|.*4013198.*|.*4013429.*)" from all machines
Patch 2.x Customers:
Get Applicable Patches matching "(.*4012598.*|.*4012212.*|.*4012215.*|.*4012213.*|.*4012216.*|.*4012214.*|.*4012217.*|.*4012606.*|.*4013198.*|.*4013429.*)" from all machines
However, many organizations that have been unable to patch, or were infected through other vectors, may need to pursue other mitigation strategies.
In addition to the patch for this vulnerability, Microsoft also provides mitigation guidance which includes disabling the SMBv1 protocol. SMBv1 is a legacy protocol which has been subject to a wide range of vulnerabilities and exploits. Disabling it can reduce attack surface beyond this specific malware outbreak. Microsoft has set up a web page to provide specific guidance on disabling SMBv1. In summary, this requires changing the following registry key and value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: SMB1
Data: REG_DWORD: 0 = Disabled
After doing so, systems must be rebooted for this change to take effect.
As Microsoft notes, SMB is more than 30 years old but may still be utilized in environments with Windows XP / 2003 or certain legacy applications or devices. Unfortunately, versions of Windows prior to 10 / Server 2016 provide no easy mechanism to audit for the usage of this protocol version.
Tanium users can deploy actions to disable SMBv1 via a registry change, and to subsequently reboot systems. Customers are encouraged to work with their Technical Account Managers for assistance with action targeting and managing an enterprise-wide change of this scale.
Here are the steps you need to follow:
(1) Deploy package “Registry – Set Value” to targeted systems, using the registry key/value/data cited above as parameters:
To assess whether systems already have SMBv1 disabled, or to verify and monitor deployment of the corrective action as it happens, the following sensor can be used:
Registry Value Data[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, SMB1]
(2) Once the registry change has been made, deploy package “Reboot Windows Machine”. You can use the “Distribute Over Time” and “Random Reboot Delay” options to reduce action concurrency if targeting a large number of hosts.
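For spot-checking a single host outside Tanium, the following PowerShell sketch reads the same registry value and looks for the KB numbers from the questions above. It is an added example, not part of the original post or of any Tanium content; the function names are hypothetical, and the key path, value name and KB list are taken from this page.

```powershell
# Added example: local audit of the two mitigations described in this post.
# Key path, value name and KB numbers come from the post; function names are hypothetical.
$Smb1Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ms17010Kbs = '4012598','4012212','4012215','4012213','4012216',
              '4012214','4012217','4012606','4013198','4013429'

function Get-Smb1ServerState {
    # A missing SMB1 value means the setting was never changed,
    # so it is reported separately and never counted as disabled.
    $item = Get-ItemProperty -Path $Smb1Key -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-Ms17010Hotfix {
    # Returns the KBs from the post's list that Get-HotFix reports as installed.
    # An empty result is not proof of exposure: a later cumulative update
    # can supersede these KBs without listing them.
    Get-HotFix |
        Where-Object { $Ms17010Kbs -contains ($_.HotFixID -replace '^KB', '') } |
        Select-Object -ExpandProperty HotFixID
}

function Disable-Smb1Server {
    # Writes SMB1 = 0 (REG_DWORD); supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Smb1Key, 'Set SMB1 = 0 (REG_DWORD)')) {
        Set-ItemProperty -Path $Smb1Key -Name 'SMB1' -Value 0 -Type DWord
    }
}

# One report object per host; nothing is modified unless Disable-Smb1Server is called.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Smb1Server   = Get-Smb1ServerState
    InstalledKbs = (Get-Ms17010Hotfix) -join ','
}
```

Run `Disable-Smb1Server -WhatIf` to preview the registry write; as noted above, the change only takes effect after a reboot.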
Many ransomware variants and other forms of self-propagating malware utilize open network shares with insecure permissions to spread themselves. The Tanium sensor Open Share Details can help identify unwanted or susceptible shares. However, note that share permissions have no effect on the aforementioned SMBv1 exploit.
Tanium users with the Incident Response and Trace modules can run ad-hoc queries for artifacts of this most recent variant of the “Wcry” ransomware in the following ways:
Search historical file operations for files that have been renamed to include the extensions “.wncry” or “.wcry”, using the Trace File Operations sensor (requires that Tanium Trace be deployed). Additional details:
(Editor’s Note: This blog post was updated on May 15 at 3:00 pm PT to reflect new information about the spread of the attack and to correct syntax on the questions recommended for customers of Tanium Patch.)