This article explores the eGambit features used to fight the massive WannaCrypt ransomware attack. The reader will discover how cyber robots and artificial intelligence engines can get stronger than malware.
On May 12, 2017, before noon, the cybersecurity community discovered a massive spread of a new ransomware abusing a well-known vulnerability in Microsoft Windows operating systems.
The vulnerabilities are those of MS17-010, for which a patch had been published on 14 March 2017.
Many computers were not protected against the related threats, such as old Windows XP machines and many recent but unpatched Windows systems (production infrastructures like SCADA equipment, unmanaged PCs, etc.). Indeed, many infrastructures were not applying two essential principles: containment and detection.
This article will not focus on the attack itself, as many websites have already shared interesting information about it.
Instead, we will explain how the enhanced mechanisms in the eGambit product were able to detect and/or neutralize the threat automatically, worldwide, without human action.
This malware was given multiple names, such as Wcry, WanaCry, WanaCrypt, Wanna Decryptor, etc.
Multiple strains were observed (with or without the famous kill switch).
According to our security experts at TEHTRIS, the WannaCrypt malware was poorly written, as the attackers chose a "mass market" approach.
Indeed, as explained by our stealth pentesters at TEHTRIS, the attack would have been more effective if the attackers had built a file-less attack on top of the EternalBlue exploit.
Fortunately, the attack was not as dangerous as some newspapers claimed. A far worse attack could have occurred, destroying huge numbers of computers worldwide (especially since the exploits had been known for months).
This is extremely interesting because eGambit is able to analyze and fight unknown programs when they appear on an infrastructure.
The full eGambit arsenal is able to work automatically against unknown threats.
Quick scenario example for a new threat (ransomware, APT, etc.):
eGambit can automatically detect and fight new threats like WannaCrypt; worldwide, the survival time of the malware is less than a few minutes.
eGambit robots are able to analyze new threats automatically, as humans would, thanks to our powerful eGambit Forensics portal. This gives eGambit end users 24/7 protection combining humans, robots and artificial intelligence.
Example: with the WannaCry ransomware, here is the evidence of network traffic that was found:
Security experts quickly found the code in the binary that connects to a specific website:
This HTTP ping-like mechanism was a kind of kill switch already built into the malware:
eGambit uses honey token files such as fake Office documents.
Ransomware is easily detected with this method.
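The honey token principle described above, as an added illustration that is not eGambit code: decoy "Office documents" (constructed names and placeholder contents) are planted with a recorded hash, and any later modification, deletion or rename of a decoy raises an alert, since no legitimate user should touch them.

```python
"""Decoy-file (honey token) monitor for ransomware detection. Added example, not eGambit code."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names; real deployments would use names that look like valuable documents.
DECOY_NAMES = ["Budget_2017.xlsx", "Contract_draft.docx", "Passwords.docx"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(directory: Path) -> dict:
    """Create the decoy files and return a baseline {name: sha256} to compare against later."""
    baseline = {}
    for name in DECOY_NAMES:
        p = directory / name
        # Placeholder content (constructed); a production decoy would be a valid document.
        p.write_bytes(b"PK\x03\x04 decoy document: " + name.encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_decoys(directory: Path, baseline: dict) -> list:
    """Return [(name, event)] for every decoy that no longer matches its baseline."""
    alerts = []
    for name, digest in baseline.items():
        p = directory / name
        if not p.exists():
            alerts.append((name, "missing"))    # deleted, or renamed with a new extension
        elif sha256_of(p) != digest:
            alerts.append((name, "modified"))   # content overwritten, e.g. encrypted in place
    return alerts


def demo() -> list:
    """Plant decoys, simulate ransomware-style tampering on two of them, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_decoys(d)
        assert check_decoys(d, baseline) == []               # untouched decoys raise nothing
        # Constructed tampering: one decoy overwritten with random bytes, one renamed.
        (d / "Budget_2017.xlsx").write_bytes(os.urandom(64))
        (d / "Contract_draft.docx").rename(d / "Contract_draft.docx.locked")
        return check_decoys(d, baseline)


if __name__ == "__main__":
    for name, event in demo():
        print(f"ALERT: decoy {name} {event}")
```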
The malware's execution of multiple commands, which was not stealthy, was easily spotted by the eGambit sandboxing system. Beyond the detection of TOR, new startup keys were detected in the Registry.
Our eGambit Forensics portal and its API were able to detect WannaCrypt and share the related IOCs with all our robots worldwide within a few minutes, without human interaction.
The powerful sandboxing system was able to identify these threats automatically.
Beyond the previous eGambit sensors, our artificial intelligence engine also had to work on the malware.
The programs used by the WannaCrypt ransomware (dropper, etc.) were fully detected by the eGambit artificial intelligence engine with high confidence.
Recently, an independent testing company in China (SKD-Labs) credited the eGambit artificial intelligence engine with a 98.1% detection rate. This engine uses no signatures (deep learning and neural networks).
Fighting the ransomware with the eGambit Endpoint Security agent worked better than traditional security, though we remain humble, as new threats could try to be stealthier.
Once the programs had been identified automatically by our robots and artificial intelligence engines worldwide, the threats could be detected and neutralized directly.
Customers just need to enable the appropriate neutralization in eGambit.