Traps Protections Against WanaCrypt0r Ransomware Attacks

Michael Moshiri


Category: Endpoint

The WanaCrypt0r ransomware attacks that began on Friday, May 12, 2017, continue to impact systems of public and private organizations worldwide. In this post, I will outline the protections that Traps advanced endpoint protection delivers to our customers against this ransomware attack, as well as any actions our customers may need to take to bolster protections against WanaCrypt0r.

WanaCrypt0r Ransomware

Although the initial infection vector for WanaCrypt0r ransomware (a.k.a. WannaCry and WCry) is still under investigation, many attacks observed, so far, have compromised at least one endpoint in a network before spreading to other systems by exploiting a vulnerability in the SMB protocol on Microsoft Windows systems (CVE-2017-0144, “EternalBlue”). Microsoft patched this vulnerability in March and took the extraordinary step of also covering such systems as Windows XP that are no longer receiving security patches.

On unpatched Windows systems where this SMB protocol vulnerability can be exploited, the initially compromised endpoint remotely delivers the WanaCrypt0r sample to the target host system and executes the malware. The newly compromised endpoint will then repeat this cycle with other hosts it can reach on the network, propagating the attack in the process. Data files on each compromised endpoint are also encrypted to extract ransom money from victims.

Traps Protections Against WanaCrypt0r

The multi-method prevention approach of Traps delivers several protections that block the malware execution in the early stages of the WanaCrypt0r attack. In cases where the initial malware is successfully delivered to the endpoint (see below for how our Next-Generation Security Platform can prevent this), Traps automatically blocks the attacker’s attempt to execute the WanaCrypt0r malware.

Preventing WanaCrypt0r Malware Execution

Most Traps customers don’t need to make any changes to their default policies and configurations to prevent WanaCrypt0r attacks. Traps v4.0 (released in May 2017) and v3.4 (released in August 2016) prevent the execution of WanaCrypt0r on Windows endpoints through the following malware prevention methods:

  • WildFire Threat Intelligence: WildFire automatically classifies as malware all samples of WanaCrypt0r that have been seen elsewhere by our threat intelligence partners, third-party feeds, and our 15,500 customers who subscribe to WildFire. As new samples of this malware are discovered across the globe, WildFire will automatically create and deliver updated controls to block these variants on endpoints protected by Traps. Because this malware prevention method is enabled by default, Traps customers don’t need to modify their policy configurations to receive this protection, unless they have disabled this protection.
  • Local Analysis via Machine Learning: The local analysis malware prevention method blocks the execution of new and never-before-seen variants of WanaCrypt0r before they can compromise endpoints. Because local analysis does not use virus signatures, Traps customers have been receiving this protection since before the first reports of this ransomware attack surfaced on Friday. In addition, this malware prevention method is enabled by default, so Traps customers don’t need to modify their policy configurations to receive this protection, unless they have disabled it.
  • WildFire Inspection and Analysis: In conjunction with local analysis, Traps automatically submits unknown executables to WildFire for full inspection and analysis. WildFire, in turn, automatically creates and shares a new prevention control with Traps (as well as other components of the Palo Alto Networks Next-Generation Security Platform) in as few as five minutes, without human intervention. This malware prevention method can identify new and unknown variants of WanaCryp0r, as well as other malware. In addition, Traps customers can easily configure this protection to prevent the execution of any unknown program until a WildFire verdict is available. This additional restriction is not activated by default in Traps v3.4 and v4.0, and in most cases, not necessary to block WanaCryp0r ransomware.
  • Execution Restrictions: These restrictions can prevent WanaCryp0r from executing the malware programs that it creates in temporary folders on the target machines. Execution restriction can serve as an added layer of protection to supplement the WildFire and local analysis prevention methods that are available by default. Traps customers with high security requirements can choose to augment the default protections with this prevention method. However, this must be configured manually: there are currently no confirmed, inclusive lists of known locations and executables associated with WanaCrypt0r, so Traps customers should consider adding new execution restrictions on a case-by-case basis.

Preventing WanaCrypt0r Malware Propagation

In addition to the malware prevention methods above, the Child Process Protection introduced in Traps v4.0 prevents several techniques used by WanaCrypt0r to propagate across a victim’s network. Palo Alto Networks has released a content update (#15-1078, available to our customers on the Support Portal) to automate the process of applying specific Child Process Protection policies in Traps v4.0. We recommend that customers apply this update when possible.

Traps and the Next-Generation Security Platform

As an integral component of the Palo Alto Networks Next-Generation Security Platform, Traps protections are continuously strengthened by the threat intelligence our customers share with the platform. Customers who use Traps in a stand-alone deployment (where no other Palo Alto Networks technologies are deployed) benefit from the platform by blocking variants of WanaCrypt0r that have been encountered first by our other customers.

In addition to these strong default protections, customers who deploy Traps along with other components of the Next-Generation Security Platform can block WanaCrypt0r ransomware across the entire attack lifecycle through multiple complementary prevention controls. These controls are outlined in the blog post “Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks.

The WanaCrypt0r ransomware attack is still evolving. New and updated variations of this ransomware may still be discovered in the near future. I will update this post with additional details about Traps protections as new information becomes available.


Register for Ignite ’17 Security Conference
Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS