WannaCry: Darktrace’s response to the global ransomware campaign

Andrew Tsonchev, Director of Cyber Analysis | Wednesday May 17, 2017

Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.

Some background on the WannaCry campaign

The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploit kits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways in which to prevent extensive damage.

Leveraging Darktrace, these kind of infections are not hard to detect: WannaCry and other ransomware cause highly anomalous behavioural patterns that our machine-learning technology is ideally placed to recognise.

To demonstrate, let’s take a walk-through of how Darktrace was able to detect the WannaCry attack on a client. Note that device names have been obfuscated for security purposes.

  1. Following the initial compromise, Darktrace detected unusual activity originating from an infected device, as it scanned the network in an attempt to locate other devices open to SMB connections:

    Example of an internal scan.

    The worm was scanning the network to locate devices with the DoublePulsar backdoor already present, through which the WannaCry ransomware can be dropped. If this backdoor was not found to be present, the worm used an exploit known as EternalBlue to infect the device, installing both WannaCry and the DoublePulsar backdoor.

  2. This installation of the worm on vulnerable devices allowed it to continue to spread laterally inside the network.
  3. Simultaneously, infected devices scanned random external IPs on port 445 (SMB), to continue spreading the worm to other devices on the internet:

    Internal devices scanning external destinations.

  4. As soon as infected devices started scanning both inside and outside network, Darktrace detected these activities as serious deviations in the devices’ usual pattern of life:

    External and internal connections by one of the network devices 48 hours either side of the WannaCry campaign. Every orange dot represents a model breach.

  5. For many of these devices, the deviation from typical pattern of life was such that it took Darktrace one second to detect anomalous behaviour:

    As this unusual activity persisted in the network, the confidence of Darktrace’s machine learning increased and attributed higher scores to these anomalous events:

  6. These high scores caused Darktrace models to breach in real time, alerting the customer to the severity of the unusual connections occurring inside their network:

In these recent cyber-attacks, the level of disruption was attributed to the speed with which this infection was able to spread like wildfire through networks. Unlike more common forms of malware, which rely on human-mediated methods such as phishing to co-opt people into triggering the payload, this type of attack uses a worm to move from machine to machine without human intervention. Fortunately, it is precisely this – a dramatic change in internal activity – which has allowed us to effectively fight back.

Darktrace Antigena acts automatically to neutralise in-progress attacks, taking targeted action against deviations in the expected ‘pattern of life’. This allows organisations to react before humans have even become aware of a breach. So it follows that the extent of deviation produced by an attack is fundamentally linked to the ability of a self-aware network to protect itself.

The potential gravity of this situation has proven that infections travelling at machine speed require an equivalent response time – only possible with machine-learning technology – in order to stop and contain future threats.

Blog Archive

Thursday January 10, 2019
Monday December 3, 2018
Thursday November 22, 2018
Thursday October 25, 2018
Thursday October 4, 2018
Monday August 20, 2018
Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. He has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. He was most recently featured on BBC World, BBC Morning and Al Jazeera to comment on the news regarding the GRU.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.