WannaCry aftermath
May 16th, 2017 by Jesper Kråkhede
Ransomware makes you wanna cry, and the name of the latest outbreak is fitting. You have most probably read hundreds of posts about how to protect yourself going forward, and I will not repeat those tips and tricks. Instead I will focus on some real-life experiences that actually prevented the ransomware in the first place:
1. Office 365 with ATP
2. SentinelOne
3. Sogeti SOC with QRadar
Following up on discussions with our partners and internal delivery, we identified three independent ways to contain the outbreak.
Office 365 has an add-on called ATP (Advanced Threat Protection). Already at the beginning of the outbreak, the detonation chamber in ATP identified the ransomware behaviour and blocked it, so all mails containing the ransomware were blocked for clients that used ATP.
SentinelOne is a new type of threat protection that identifies ransomware behaviour, blocks it, takes a signature and updates the central server, which then pushes that signature out to all clients. Most importantly, it rolls back the changes the ransomware made, putting your files back in order as if nothing had happened.
Our SOC reported suspect mails quite early on, and QRadar was updated very quickly to block the malicious traffic, effectively stopping the ransomware dead in its tracks.
The lesson from this is the same thing that security experts like me say over and over:
Upgrade and update. The days when security threats were a simple and fun game for 15-year-old kids are long gone. Today it's organised crime and state-sponsored hacking. By running with weak security and paying out the ransom, you become an involuntary financier of crime and terrorism.