GreyCortex detects WannaCry ransomware basing on network behavior

By 26 May 2017AI, Security

GreyCortex has examined the behavior of the WannaCry ransomware in a network using its Mendel Network Traffic Analysis tool. As Martin Korec, Lead Analyst at GreyCortex says, “detection of WannaCry and other similar ransomware is easy and fast through the use of advanced behavioral methods. In the case of WannaCry infection, detailed visibility into network traffic is absolutely crucial. From there, it is possible to quickly analyze the extent of the infection, to isolate infected devices, and to keep critical systems running.”

Mendel is an innovative AI-based solution for detection and neutralization of network threats. Unlike firewalls and antivirus software, it is not only reactive; instead of blocking malicious behavior, it identifies the presence of malware in the network when it hasn’t yet been activated. You can read more about this solution here.

GreyCortex’s analysis shows that if a network traffic analysis tool is deployed, WannaCry ransomware can be quickly detected and stopped before files on the affected systems are encrypted. To do this, it is necessary to be able to quickly and effectively detect the behavioral anomalies exhibited by this ransomware, and others like it.

In order to stop the infection rapidly and effectively, it is also necessary to have detailed visibility into real-time network traffic. Using network traffic visibility, organizations can accurately analyze the extent of infection, isolate infected devices, and protect critical systems that are important to the organization.

“We were surprised that this ransomware behaves in an unusually aggressive way on the network. In addition to easily discoverable methods, like port scanning on port 445, we detected a whole series of anomalies,” like attempts to connect to more than 4000 devices in 175 countries, in just five minutes,” adds Michal Šrubař, Malware Lab Manager at GreyCortex. The infection also attacked the internal network. It managed to connect to shared storage on another computer in the local network, where it encrypted files as well.

Traditional methods of protection against these types of threats often fail. Korec notes that while “antivirus and firewall vendors managed to create detection rules for WannaCry in a matter of hours, in the future it will be difficult to use antivirus and firewall rules to protect against modified versions of WannaCry or other ransomware which exploit similar vulnerabilities, because detection rules can be developed only after new infections occur.”

Leave a Reply