By Prabhat Pokharel, Roshan Pokhrel & Cintia Szabó, May 16, 2017
After our blog post on Sunday regarding the WannaCry malware outbreak, LogPoint today is excited to announce our turn-key application to detect and respond to WannaCry.
The application works on LogPoint and LogPoint Free, works with all types of log sources (firewalls, content security appliances, file shares, etc.) and provides a simple, effective tool to monitor and contain any further spread of the malware.
In addition, as research moves forward with different samples of WannaCry, we can provide easy and fast updates to the application. For more information about the application and the way forward, have a look at our WannaCry/Ransomware page.
The technical details of the application are covered below:
source_address IN HOMENET destination_port= 445 | chart distinct_count(destination_address) as DC by source_address | search DC>200
This query flags any internal host (source_address in your HOMENET list) that has contacted more than 200 distinct destination addresses on TCP port 445, the SMB port the worm component scans. This is the case where hosts in your infrastructure are already compromised and the malware is in the process of spreading; the 200 threshold should be tuned to your environment, since a backup or management server can legitimately reach many hosts on 445. The first measures you should take are to isolate the flagged hosts, apply the Microsoft security patches and disable the SMBv1 service (guide here).
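To make the semantics of that query concrete, here is an added example (not part of the LogPoint application or the original post) that implements the same logic in Python over constructed firewall log lines. The key=value line layout, the HOMENET ranges and the sample traffic are all assumptions made for the example; in LogPoint the normalizer supplies the fields and the HOMENET list is maintained by the administrator.

```python
import ipaddress
from collections import defaultdict

# Stand-in for the LogPoint HOMENET list (assumption: RFC 1918 ranges used internally).
HOMENET = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("192.168.0.0/16")]


def in_homenet(addr: str) -> bool:
    """True if addr falls inside one of the HOMENET ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOMENET)


def parse_firewall_line(line: str) -> dict:
    """Parse a key=value firewall log line into a dict.

    The 'src=... dst=... dport=... action=...' layout is an assumption made for
    this example; a real deployment relies on the LogPoint normalizer instead.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def smb_spreaders(lines, threshold: int = 200) -> dict:
    """Equivalent of the LogPoint query
         source_address IN HOMENET destination_port=445
         | chart distinct_count(destination_address) as DC by source_address
         | search DC>threshold
    Returns {source_address: distinct destination count} for sources over threshold.
    """
    targets = defaultdict(set)
    for line in lines:
        f = parse_firewall_line(line)
        if f.get("dport") != "445":
            continue
        src, dst = f.get("src"), f.get("dst")
        if not src or not dst or not in_homenet(src):
            continue           # external scanners are out of scope for this query
        targets[src].add(dst)  # a set gives distinct_count, not a raw hit count
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) > threshold}


def build_sample_log() -> list:
    """Constructed traffic, not real logs:
    - 10.0.0.5 sweeps 250 distinct hosts on TCP 445 (worm-like behaviour)
    - 192.168.1.20 talks to the same 3 file servers 40 times each (normal)
    - 203.0.113.9 (external, TEST-NET-3) hits 300 internal hosts on 445
    - some port-80 traffic that the dport filter must ignore
    """
    lines = []
    for i in range(1, 251):
        lines.append(f"src=10.0.0.5 dst=10.0.1.{i} dport=445 action=allow")
    for _ in range(40):
        for srv in ("192.168.10.1", "192.168.10.2", "192.168.10.3"):
            lines.append(f"src=192.168.1.20 dst={srv} dport=445 action=allow")
    for i in range(1, 301):
        lines.append(f"src=203.0.113.9 dst=10.0.{i // 256}.{i % 256} dport=445 action=deny")
    for i in range(1, 251):
        lines.append(f"src=10.0.0.5 dst=10.0.2.{i} dport=80 action=allow")
    return lines


if __name__ == "__main__":
    hits = smb_spreaders(build_sample_log())
    for src, count in sorted(hits.items()):
        print(f"{src} reached {count} distinct hosts on 445 -> isolate and check MS17-010")
```

Note that the file-server client with 120 connections to only 3 servers never trips the rule, while the external scanner is dropped by the HOMENET filter even though it touched 300 hosts; lowering the threshold is how you would tune the rule for a small network.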
norm_id=IntegrityScanner new_file IN WANNACRY_EXTENSION | chart count() by file_path, new_file order by count() desc
You can configure the LogPoint agent to monitor the integrity of your critical documents; if any host in your infrastructure then shows evidence of a change in file extension, particularly to WCRY or similar, you need to start a quick response, because the files on that host are already being encrypted.
col_type=qualys* qualys_id IN [91345, 91357, 91359, 91360, 70077] | chart count() by source_address, title order by count() desc
This query lists the Windows systems on which your Qualys scans report the MS17-010 SMB vulnerability (rated Critical). If it is present, apply the patch (here) before the worm reaches those hosts.
norm_id=* url IN WANNACRY_DOMAIN or domain IN WANNACRY_DOMAIN | chart count() by source_address order by count() desc
Here you can see connections to the kill-switch domain, which seems to have slowed down the infection rate: a host that reaches it has already executed the malware, even though the successful connection stops the encryption routine. You can update the WANNACRY_DOMAIN list if a new sinkhole domain is observed. Nevertheless, this does not mean that the attack has stopped; the latest update on the ransomware seems to have left out the kill switch. If connections to other variant domains are identified from infected hosts, the list can be updated to check for such activity.
With LogPoint, you will discover a full enterprise SIEM solution.
LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.
And the best part? We have the most predictable licensing model in the industry.