
Blocking WannaCry with Netwitness Endpoint

Blog Post created by Michael Gotham Employee on May 15, 2017

On Friday, May 12th 2017, one of the largest ransomware attacks in history was launched using WannaCry, infecting more than 230,000 computers in 150 countries in a matter of days. Attackers are demanding ransom payments in Bitcoin, with the amount increasing as time goes on. International organizations such as Europol have described the attack as unprecedented in scale.


When executed, the malware first checks for a specifically generated kill switch domain. If it is not found, the ransomware begins to encrypt data on the computer. WannaCry has a second stage that attempts to exploit the SMB vulnerability MS17-010 to spread to random computers on the Internet and laterally to computers within an organization.


RSA Netwitness Endpoint can not only help detect this activity (see WannaCry from the RSA NetWitness Suite's Perspective), but also proactively block it to stop the spread and reduce further damage from infection.



Customers should take caution when blocking files with Netwitness Endpoint. Netwitness Endpoint will not block files signed by Microsoft or the RSA Netwitness Endpoint (ECAT) driver. However, any other SHA256 hash entered via blacklisting in the GUI with the blocking option enabled, or directly into the NWE database, will be blocked. Netwitness Endpoint has safeguards in place, including a configurable threshold that prevents blocking a module present on more than "x" systems. Blocking must also be enabled both globally and at the group level. Machines inherit this setting from their group by default, but it can also be enabled or disabled on an individual machine.


Blocking Global Parameters

The attached SQL query can be run to block 241 different variants of WannaCry. Additional SHA256 hashes can be added to the block list by following the same format in the SQL query. It must be run in SQL Server Management Studio against the NWE database (by default named ECAT$PRIMARY).


SSMS Query


After this is completed, select Tools->Force Blocking Status Update to push the changes to the NWE agents.



You can verify this was successful by checking the "BlockingHashes" table in the NWE database, as well as on the agents in c:\Program Data\ecatservice.


Confirm Hash DB Update
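As an added example (not part of the original post or of the NWE product), the Python below runs the pre-flight checks the post describes on a candidate hash list before it is pasted into the SQL query: it normalises and validates the SHA256 digests, drops duplicates, and applies the "present on more than x systems" safeguard, then diffs the intended list against rows read back from the BlockingHashes table for the verification step. The sample hashes, prevalence counts and the max_hosts threshold are constructed; the real threshold is the configurable value in the NWE console, and the read-back rows would come from your own query against the table.

```python
import re
from typing import Dict, Iterable, List, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample data (not real WannaCry indicators): candidate hashes in
# mixed case, one duplicate, one malformed entry, and a hypothetical per-hash
# host count standing in for what the NWE console reports as prevalence.
CANDIDATE_HASHES = [
    "AA" * 32,      # rare module: should be blocked
    "aa" * 32,      # same digest in lower case: duplicate after normalisation
    "BB" * 32,      # seen on many hosts: exceeds the prevalence threshold
    "CC" * 32,      # not in inventory at all: treated as prevalence 0
    "not-a-hash",   # malformed: must be rejected, never pasted into SQL
]
HOST_PREVALENCE: Dict[str, int] = {"aa" * 32: 2, "bb" * 32: 1500}


def normalize_sha256(value: str) -> str:
    """Return the lower-case hex digest, or raise ValueError if malformed."""
    value = value.strip()
    if not SHA256_RE.match(value):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return value.lower()


def preflight(candidates: Iterable[str], prevalence: Dict[str, int],
              max_hosts: int) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidates into hashes safe to blacklist and (entry, reason) rejects.
    A module present on more than max_hosts systems is skipped, mirroring the
    NWE safeguard; duplicates and malformed entries are also reported."""
    to_block, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            digest = normalize_sha256(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if digest in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(digest)
        count = prevalence.get(digest, 0)
        if count > max_hosts:
            rejected.append((raw, f"present on {count} hosts (> {max_hosts})"))
            continue
        to_block.append(digest)
    return to_block, rejected


def missing_from_table(expected: Iterable[str], table_rows: Iterable[str]) -> List[str]:
    """Hashes that should be in BlockingHashes but are absent from the rows read
    back from the table (compared case-insensitively)."""
    present = {normalize_sha256(row) for row in table_rows}
    return sorted(h for h in expected if h not in present)
```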