By now you’ve most likely heard about the WannaCry (a.k.a. WannaCrypt) ransomware that began wreaking havoc in parts of the world this past Friday (May 12, 2017). Given Nominum’s broad, deep view into DNS data from our service provider customers around the world, we were able to gather insights into how WannaCry made its way onto subscriber networks around the globe (see the WannaCry: views from the DNS frontline post in our Data Science blog for more thoughts). Reports show that the latest ransomware attack has infected more than 230,000 computers in over 150 countries.[1] For now we are seeing the outbreak slow down, but some expect this is just the first of more similar attacks to come.[2]
It’s been reported that this particular event made its rounds through phishing emails containing malicious attachments and links to malicious sites that were sent to unsuspecting users. The malware exploited a recently discovered vulnerability in Windows Remote Desktop Protocol (RDP), a program that allows users to remotely operate a computer in a different location. While a patch for the vulnerability was issued by Microsoft in March 2017, many individuals had not yet downloaded the patch onto their machines, making them an easy target for the ransomware attack.
Once the user clicked to open the attachment or followed the link, the ransomware was installed on the device and its files were locked. Once a device on a corporate network was infected with the WannaCry ransomware, every other connected device that had also not downloaded the Windows RDP patch was at risk.
WannaCry used Tor for its Command & Control (C&C) communications, which means it bypassed DNS servers. As a result we did not see a high volume of C&C activity in our DNS data analysis; what we did see was activity around a “kill switch domain,” a domain used by cybercriminals to determine if a particular instance of an attack was detected by a sandbox. From these kill switch domain queries we were able to see some patterns in the data, as detailed in our Data Science blog post: WannaCry: views from the DNS frontline.
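The kind of analysis described above (pulling kill-switch-domain lookups out of resolver query data and looking at who asked, when, and what answer they got) can be sketched in a few dozen lines. The following is an added example written for this post, not Nominum code and not the tooling behind the Data Science analysis; the log format, the sample lines and the domain name `killswitch-placeholder.example` are all constructed placeholders, since the post itself does not give the real domain or a log layout.

```python
import re
from collections import Counter

# Constructed sample resolver query log (not real Nominum data). Assumed
# format, one query per line: "<timestamp> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.0.5 www.example.com A NOERROR
2017-05-12T10:01:07Z 10.0.0.9 killswitch-placeholder.example A NXDOMAIN
2017-05-12T10:01:09Z 10.0.0.9 killswitch-placeholder.example A NXDOMAIN
2017-05-12T10:02:15Z 10.0.0.12 killswitch-placeholder.example A NOERROR
2017-05-12T10:02:40Z 10.0.0.5 mail.example.com MX NOERROR
2017-05-12T11:15:02Z 10.0.0.9 KillSwitch-Placeholder.example. A NOERROR
"""

# Placeholder for the real kill-switch name; the post does not give it.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_qname(qname):
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Return (timestamp, client, qname, qtype, rcode) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, rcode = m.groups()
    return ts, client, normalize_qname(qname), qtype.upper(), rcode.upper()


def is_kill_switch_query(qname, domains=KILL_SWITCH_DOMAINS):
    """True if qname is a watched domain or any subdomain of one."""
    qname = normalize_qname(qname)
    return any(qname == d or qname.endswith("." + d) for d in domains)


def analyze(log_text, domains=KILL_SWITCH_DOMAINS):
    """Summarise kill-switch lookups: which clients asked, when, and the rcode."""
    per_client = Counter()
    per_hour = Counter()
    per_rcode = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _qtype, rcode = rec
        if not is_kill_switch_query(qname, domains):
            continue
        per_client[client] += 1
        per_hour[ts[:13]] += 1  # "YYYY-MM-DDTHH" bucket
        per_rcode[rcode] += 1
        first_seen.setdefault(client, ts)  # earliest lookup per client
    return {
        "total": sum(per_client.values()),
        "clients": per_client,
        "hourly": per_hour,
        "rcodes": per_rcode,
        "first_seen": first_seen,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("kill-switch queries:", summary["total"])
    for client, n in summary["clients"].most_common():
        print(f"  {client}: {n} queries, first seen {summary['first_seen'][client]}")
    print("by hour:", dict(summary["hourly"]))
    print("by rcode:", dict(summary["rcodes"]))
```

The per-client list is the part an operator acts on: a subscriber device that looked up the kill-switch name is one where the malware ran far enough to perform its check, so it is worth contacting or isolating regardless of how the query was answered. The rcode split is a useful sanity check on the data, because it distinguishes lookups made while the name was still unregistered (NXDOMAIN) from those made once it resolved.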
How Does Nominum Protect Against Ransomware?
Service providers that are using Nominum N2 ThreatAvert to protect their networks were able to identify the actual devices and subscribers that were exposed to the WannaCry attack. N2 ThreatAvert is ideal for discovering device infections and blocking C&C communications, so as to protect the network from attacks like DDoS and DNS Amplification, PRSD (Pseudo Random Sub Domain), DNS Tunneling and DNS Toll Fraud. Nominum N2 Secure Consumer offers an added layer of protection by proactively protecting users and their devices from attacks like phishing, ransomware and other malware. For most service providers, using both solutions in combination is the best ‘defense in depth’ approach to protecting network assets and subscribers, making it nearly impossible for an attack such as WannaCry to have the wide-scale impact that it successfully pulled off.
Our cybersecurity team is working around the clock to analyze more than 100 billion DNS queries a day. The combination of that analysis with machine learning and our proprietary algorithms demonstrates our commitment to keeping ISP networks, their subscribers and connected devices protected and secure from damaging attacks like WannaCry. If predictions are true and there are more attacks of this nature ahead, our customers will be prepared and stand a strong chance of emerging unscathed.
Click here to access our latest Data Science Security Report (April 2017) and read more about how our N2 ThreatAvert and N2 Secure Consumer products, combined with our in-depth cybersecurity research, offer service providers a defense in depth approach that delivers a high level of protection against today’s most dangerous threats.