

6/19/2017

NEW June Blog: Fortinet Offers Blanket Protection Against WannaCry

Brad Rudisail, MCITP, MCSE, Virtualization Administrator, Network Engineer

 

The armed resistance that the minutemen showed the British troops at the North Bridge in Concord, Massachusetts in 1775 is forever paraphrased in history as the “shot heard around the world.”  The global ransomware attack on May 12, 2017 is quickly becoming the interruption of digital services and operations heard around the world.  As a result of that day, few people in the IT industry are not aware of the WannaCry ransomware strain.  Despite the fact that ransomware generated $1 billion of income in 2016, many enterprises were still looking at ransomware as a nefarious menace that would not happen to them.  That all changed on that fateful Friday.  Few people are dismissing the ransomware threat now as IT teams scramble to learn as much as they can about this malicious disruptor.

Ransomware is traditionally encountered in some haphazard occurrence such as a user clicking an embedded email link that was arbitrarily sent to him or her.  In this case, however, WannaCry was driven by a replicating worm that was reportedly stolen from the National Security Agency (NSA) by a hacking organization that calls itself the Shadow Brokers.  This self-driven worm knew no bounds, and it seems that no industry was spared.  Some of the victims included:

  • Britain’s National Health Service, where 48 hospitals were disrupted and forced to turn away patients and cancel operations.  In addition, 16 organizations connected with the NHS were affected
  • The Russian Interior Ministry, which reported that 1,000 of its computers had been afflicted
  • Major corporations such as Nissan, French automaker Renault and FedEx, whose operations were hampered
  • Thousands of students at universities across Asia, who were locked out of their theses and final papers just days before graduation
  • Key infrastructure throughout Spain, such as telecom, power and natural gas companies.  Other countries also reported ransomware infections, such as Germany, where rail operations were disrupted

Traditionally, ransomware is delivered either through an email with an embedded link or attachment that the user is prodded to open, or through a visit to a drive-by website that a hacker has infected in order to serve as a launching center for the malware.  There are a number of ways to prevent ransomware from infecting your network.

  • First and foremost should be an email security filter such as the Barracuda Email Security Gateway.  Today’s email security solutions do more than simply filter common spam.  They also target and eradicate viruses, malware and links to malicious websites in order to prevent your users from opening and enabling them.
  • Next would be a web filtering solution in order to block sites that are known to deploy malware infestations.  FortiGate next generation firewalls offer the FortiGuard Web Filtering Service for their firewall appliances.  In this case, their engineers were able to rapidly discern within their labs the website utilized by WannaCry.  As a result, customers received the update to block that website in quick fashion.
  • What makes WannaCry so dangerous and able to spread so quickly is the fact that it is not dependent on human intervention because it is worm driven.  WannaCry specifically targets Microsoft Windows machines, seizing control of computer systems through a vulnerability in the Windows Server Message Block (SMB) file sharing protocol.  Worms are designed to probe networks to take advantage of a targeted exploit.  In this case, WannaCry probed port 445, which SMB utilizes.  Those with any of the FortiGate firewalls protecting their perimeter could have prevented WannaCry from successfully probing their networks by ensuring this port was closed.
  • Sometimes, merely blocking URLs and ports is not enough, which is why every security-minded enterprise should have an intrusion protection system (IPS) to analyze incoming traffic.  Again, IPS is available in Fortinet security appliances, and once again, Fortinet issued a signature update shortly after the attack, called MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution, that ensured that customers with an IPS subscription license would be protected if port 445 was left unblocked.
  • Antivirus is another tool in the arsenal to fight ransomware, and Fortinet offers a one-two punch in this area.  Their next generation firewalls offer an antivirus gateway solution to stop malware at the network perimeter.  This can then be backed up at the device level using FortiClient to ensure protection when your devices are outside the protection of the corporate network.
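As an added illustration of the port 445 probing described in the list above (not part of the original post and not Fortinet tooling), this Python example flags sources that contact many distinct destinations on TCP 445 within a short window. The record format (time, source, destination, destination port, action), the addresses and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed records, not real firewall output: 'time src dst dport action'."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    rec = lambda dt, src, dst, port, act: f"{(base + dt).isoformat()} {src} {dst} {port} {act}"
    lines = []
    for i in range(30):
        # Worm-like: 30 different destinations on 445 in 30 seconds
        lines.append(rec(timedelta(seconds=i), "10.0.0.23", f"10.0.1.{i + 1}", 445, "deny"))
        # Ordinary client: repeated sessions to a single file server
        lines.append(rec(timedelta(seconds=2 * i), "10.0.0.40", "10.0.0.5", 445, "allow"))
        # Many destinations, but web traffic rather than SMB
        lines.append(rec(timedelta(seconds=i), "10.0.0.50", f"10.0.3.{i + 1}", 443, "allow"))
    for i in range(25):
        # Slow fan-out: one new destination on 445 every 10 minutes
        lines.append(rec(timedelta(minutes=10 * i), "10.0.0.77", f"10.0.2.{i + 1}", 445, "deny"))
    return lines

def smb_fanout(lines, window=timedelta(seconds=60), threshold=20, port=445):
    """Return {src: peak number of distinct destinations on `port` inside one window}
    for every source whose peak reaches `threshold`. Denied attempts count too,
    because a blocked probe still points at a host that is scanning."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = line.split()
        if int(dport) == port:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, peak, in_window = 0, 0, defaultdict(int)
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that have fallen out of the sliding window
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout(constructed_sample()))
```

Widening the window catches slower fan-out such as the constructed 10.0.0.77 host, at the cost of more false positives from backup or management servers that legitimately reach many hosts over SMB.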

All of these security tools combine to form a formidable defense to protect you from WannaCry and all other ransomware variants.  But even with all of these assets working for you, there is always the potential for a newly released malware attack to sneak through undetected.  This is why Fortinet created FortiSandbox.  It provides a safe, isolated environment in which to execute malicious code and observe its behavior, such as file/disk operations, network connections, registry/system configuration changes, etc.

There are many ways to deal with WannaCry and ransomware in general, and Fortinet provides nearly everything you need in one package.  Yes, organizations throughout the world are in a frenzy over WannaCry, except, that is, those who use the Fortinet protection suite.
