This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Blocking WannaCry with Netwitness Endpoint

MichaelGotham
Beginner
Beginner
‎2017-05-15 01:35 PM

On Friday, May 12th 2017, one of the largest ransomware attacks in history was launched using WannaCry infecting more than 230,000 computers in 150 countries in a matter of days.  Attackers are demanding ransom payments using Bitcoin, with amounts increasing as time goes on. The attack has been described by international organizations like Europol as unprecedented in scale.

 

When executed, the malware first checks for a specifically generated kill switch domain . If it is not found, then the ransomware will begin to encrypt data on the computer.  WannaCry has a second stage that attempts to exploit the SMB vulnerability MS17-010 to spread out to random computers on the Internet, and laterally to computers within an organization.

 

RSA Netwitness Endpoint can not only help detect this activity (https://community.rsa.com/community/products/netwitness/blog/2017/05/14/wannacry-from-the-rsa-netwitness-suites-perspective ), but also proactively block it to stop the spread and reduce further damage from infection.

 

****DISCLAIMER****

Customers should take caution when blocking files with Netwitness Endpoint.  Netwitness Endpoint will not block files signed by Microsoft or the RSA Netwitness Endpoint (ECAT) driver.  However any other SHA256 hashes entered via blacklisting in the GUI with the blocking option enabled or directly into the NWE database will be blocked.  Netwitness Endpoint has safeguards in place, including prevention of blocking if a module is present on more than "x" number of systems.  This is configurable.  Also blocking must be enabled at the group level and globally.  Machines by default will inherent this setting from their group, but can also be enabled or disabled at the individual machine.

 

Blocking_Global_Parameters.jpg

Blocking 1.jpg

Blocking.jpg

The attached SQL query can be run to block 241 different variants of WannaCry.  Additional SHA256 hashes can be added to the block list by following the same format in the SQL query.  It needs to be run in SQL Server Management Studio against the NWE database (By default this is named ECAT$PRIMARY).

 

SSMS_Query.jpg

 

After this is completed make sure to select Tools->Force Blocking Status Update to push the changes to the NWE agents.  

 

Force_Blocking_Status_Update.jpg

 

You can verify this is successful by checking the "BlockingHashes" table on the NWE database as well as the agents in c:\Program Data\ecatservice

 

Confirm_Hash_DB.jpg

wannacry_SHA256_NWE_Block.sql.zip
wannacry_SHA256_NWE_Block.sql.zip
© 2022 RSA Security LLC or its affiliates. All rights reserved.