WannaCry? You Don’t Have to Cry

The victim list of the recent WannaCry ransomware attack is already estimated at more than 100,000 systems in over 100 countries, including mission-critical organizations such as hospitals. Given the scope of the damage, are organizations simply doomed by an attack this widespread? Not necessarily.

Like most highly damaging attacks, WannaCry is not a single event. It starts with one system, but its value to the attacker lies in "land and expand": the initial system is only the on-ramp to the real goal of compromising a large number of victims, especially business-critical file shares, applications and databases.


Niara, Aruba's recent acquisition in the User and Entity Behavior Analytics (UEBA) space, develops a comprehensive ML-based solution that can effectively detect the initial WannaCry infection. Together with Aruba ClearPass, we can intercept and remediate the attack before it causes larger damage inside the enterprise.

Supervised Machine Learning

After a machine is compromised by WannaCry, it communicates with the attacker over a command-and-control (C&C) channel. To evade traditional IOC blacklist-based detection, WannaCry has been observed to use random-looking domain names of the kind produced by a Domain Generation Algorithm (DGA). One detail worth keeping straight: the widely reported iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com domain is a hard-coded kill-switch check rather than a generated C&C domain, and the .onion names are Tor hidden-service addresses; what they share, and what matters for detection, is that they look like DGA output and were on no blacklist when the outbreak began.

The Niara solution detects DGA domains with a supervised ML approach trained on over 1M known DGA domains from 30 different families, including Zeus, Cryptolocker and Conficker. Because the model uses features that generalize, such as the character distribution and length of the domain name and WHOIS information, it is robust at detecting DGA domains it has never seen before.

We've verified that most of the reported WannaCry C&C IOCs, including "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com" and the Tor IOCs reported in AlienVault's OTX community, such as xxlvbrloxvriy2c5[.]onion, sqjolphimrr7jqw6[.]onion and 76jdd2ir2embyv47[.]onion, are classified as DGA by the Niara solution.

Unsupervised Machine Learning

As many WannaCry write-ups point out, each compromised system also acts as a scanner, sweeping the enterprise network over the Windows SMB file-sharing protocol (TCP port 445) for other systems still vulnerable to the SMBv1 flaw fixed by MS17-010; the worm probes Internet addresses as well, so the same host also shows unusual outbound 445 traffic at the perimeter.

Niara's UEBA solution monitors and profiles the "normal" baseline behavior of each machine inside the enterprise and automatically detects deviations from it with unsupervised ML algorithms.

We've successfully detected multiple behavioral anomalies from WannaCry-compromised machines, e.g. connections to an excessive number of internal hosts, use of a new port to reach new hosts, and attempts to access restricted network zones such as the PCI zone.
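The three anomalies listed above can be checked against a per-host baseline with very little machinery. The following is an added example written for this post, not Niara's code: it builds each source host's own profile (hosts and ports it talks to, whether it ever touches the restricted zone, and the hourly count of distinct SMB peers) from a baseline window of constructed flow records, then scores one observation hour against that profile. The PCI zone address range, the hosts and the flow format are all assumptions made for the sample.

```python
import ipaddress
import statistics
from collections import defaultdict

# Hypothetical restricted zone (the page's "PCI zone"); a real deployment takes this from inventory.
PCI_ZONE = ipaddress.ip_network("10.50.0.0/24")
_NO_PROFILE = {"dsts": set(), "ports": set(), "zone": False, "smb_mean": 0.0, "smb_sd": 0.0}


def parse_flows(lines):
    """Parse constructed flow records of the form 'hour src dst dport' into tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hour, src, dst, dport = line.split()
        flows.append((int(hour), src, dst, int(dport)))
    return flows


def build_profile(flows, baseline_hours, smb_port=445):
    """Per-source baseline: destinations and ports seen, zone usage, mean/sd of hourly SMB fan-out."""
    hours = list(baseline_hours)
    in_window = set(hours)
    profile = {}
    smb_peers = defaultdict(set)            # (src, hour) -> distinct SMB destinations
    for hour, src, dst, dport in flows:
        if hour not in in_window:
            continue
        p = profile.setdefault(src, {"dsts": set(), "ports": set(), "zone": False})
        p["dsts"].add(dst)
        p["ports"].add(dport)
        if ipaddress.ip_address(dst) in PCI_ZONE:
            p["zone"] = True
        if dport == smb_port:
            smb_peers[(src, hour)].add(dst)
    for src, p in profile.items():
        series = [len(smb_peers.get((src, h), ())) for h in hours]   # quiet hours count as 0
        p["smb_mean"] = statistics.mean(series)
        p["smb_sd"] = statistics.pstdev(series)
    return profile


def detect(flows, baseline_hours, window_hour, z_threshold=3.0, smb_port=445):
    """Compare one hour against each source's own baseline; return {src: [(kind, detail), ...]}."""
    profile = build_profile(flows, baseline_hours, smb_port)
    alerts = defaultdict(list)
    smb_peers = defaultdict(set)
    for hour, src, dst, dport in flows:
        if hour != window_hour:
            continue
        p = profile.get(src, _NO_PROFILE)    # an unknown host has no history, so everything is new
        if dport == smb_port:
            smb_peers[src].add(dst)
        if dst not in p["dsts"] and dport not in p["ports"]:
            alerts[src].append(("new_port_new_host", f"{dst}:{dport}"))
        if ipaddress.ip_address(dst) in PCI_ZONE and not p["zone"]:
            alerts[src].append(("restricted_zone", f"{dst}:{dport}"))
    for src, peers in smb_peers.items():
        p = profile.get(src, _NO_PROFILE)
        # Floor the deviation at 1 host so a nearly constant baseline cannot divide by zero.
        z = (len(peers) - p["smb_mean"]) / max(p["smb_sd"], 1.0)
        if z > z_threshold:
            alerts[src].append(("smb_fanout", f"{len(peers)} SMB peers vs baseline "
                                              f"{p['smb_mean']:.2f}±{p['smb_sd']:.2f} (z={z:.0f})"))
    return dict(alerts)


def constructed_flows():
    """Constructed sample: 24 quiet hours, then an hour in which 10.0.1.10 behaves like a WannaCry host."""
    lines = []
    for h in range(24):
        for ws in ("10.0.1.10", "10.0.1.11"):
            lines.append(f"{h} {ws} 10.0.1.50 445")        # file server
            lines.append(f"{h} {ws} 10.0.2.5 443")         # intranet web app
            if h % 4 == 0:
                lines.append(f"{h} {ws} 10.0.1.51 445")    # print server, now and then
    lines += ["24 10.0.1.11 10.0.1.50 445", "24 10.0.1.11 10.0.2.5 443"]   # unchanged host
    lines += [f"24 10.0.1.10 10.0.1.{i} 445" for i in range(20, 80)]       # subnet sweep on 445
    lines += ["24 10.0.1.10 10.50.0.7 445",          # probe into the restricted zone
              "24 10.0.1.10 203.0.113.9 9001"]       # new outbound port to a never-seen host
    return parse_flows(lines)


if __name__ == "__main__":
    for host, found in detect(constructed_flows(), range(24), 24).items():
        for kind, detail in found:
            print(f"{host}: {kind}: {detail}")
```

Two design points carry over to a real deployment. The baseline is per host, so a file server that legitimately talks to hundreds of clients on 445 is not flagged while a workstation that suddenly reaches sixty is; and the "new port to new host" rule deliberately ignores the 445 sweep (445 is not new for a Windows client) and catches the outbound 9001 connection instead, which is the kind of signal a fan-out threshold alone would miss.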

Stateful Entity Risk Scoring

Niara's entity scoring automatically aggregates signals from different kill-chain stages under the same entity and uses a Markov model to track each entity's state transitions over time, which is how compromised machines are detected.

In this case, once all of the above signals are aligned under the same machine in the right temporal order, the initially compromised machines can be detected early and with high confidence, before they spread the damage inside the enterprise.
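One concrete way to do the "state jump" tracking the section describes is a hidden Markov model over kill-chain states with the per-entity signals as observations. The block below is an added illustration, not Niara's scoring engine; the three states, the signal vocabulary and every probability in it are constructed for the example. The forward filter carries a belief over {benign, infected, spreading} from one signal to the next, so the same SMB-scan signal raises little concern on a previously quiet host but drives the belief to "spreading" when it follows a DGA lookup and is followed by a new port and a restricted-zone probe.

```python
STATES = ("benign", "infected", "spreading")
SIGNALS = ("quiet", "dga_lookup", "smb_scan", "new_port", "restricted_zone")

# Illustrative parameters, constructed for this example. The transition matrix says a host rarely
# becomes infected, an infected host tends to start spreading, and cleanup is only modelled from
# the spreading state. Emissions encode which signals each stage is expected to produce.
START = {"benign": 0.99, "infected": 0.009, "spreading": 0.001}
TRANSITION = {
    "benign":    {"benign": 0.98, "infected": 0.02, "spreading": 0.00},
    "infected":  {"benign": 0.00, "infected": 0.70, "spreading": 0.30},
    "spreading": {"benign": 0.10, "infected": 0.00, "spreading": 0.90},
}
EMISSION = {
    "benign":    {"quiet": 0.96, "dga_lookup": 0.01, "smb_scan": 0.01, "new_port": 0.01, "restricted_zone": 0.01},
    "infected":  {"quiet": 0.50, "dga_lookup": 0.40, "smb_scan": 0.05, "new_port": 0.03, "restricted_zone": 0.02},
    "spreading": {"quiet": 0.20, "dga_lookup": 0.10, "smb_scan": 0.40, "new_port": 0.15, "restricted_zone": 0.15},
}


def forward_filter(signals):
    """Return the posterior over states after each signal, in the order the signals arrived."""
    belief = dict(START)
    trajectory = []
    for sig in signals:
        if sig not in SIGNALS:
            raise ValueError(f"unknown signal {sig!r}")
        # Predict: apply the transition matrix to the previous belief.
        predicted = {s: sum(belief[prev] * TRANSITION[prev][s] for prev in STATES) for s in STATES}
        # Update: weight by how likely each state is to emit this signal, then normalise.
        weighted = {s: predicted[s] * EMISSION[s][sig] for s in STATES}
        total = sum(weighted.values())
        belief = {s: v / total for s, v in weighted.items()}
        trajectory.append(belief)
    return trajectory


def risk_score(signals):
    """Entity risk on a 0..100 scale: probability that the host is not benign after the last signal."""
    final = forward_filter(signals)[-1]
    return round(100 * (1.0 - final["benign"]))


def verdict(signals, threshold=90):
    """'compromised' once the risk score clears the threshold, otherwise 'monitor'."""
    return "compromised" if risk_score(signals) >= threshold else "monitor"


if __name__ == "__main__":
    cases = {
        "wannacry chain": ["dga_lookup", "smb_scan", "new_port", "restricted_zone"],
        "lone scan":      ["quiet", "quiet", "smb_scan"],
        "lone dga":       ["dga_lookup"],
    }
    for name, seq in cases.items():
        for sig, belief in zip(seq, forward_filter(seq)):
            print(f"{name:15} after {sig:16} " + "  ".join(f"{s}={belief[s]:.3f}" for s in STATES))
        print(f"{name:15} risk={risk_score(seq)} verdict={verdict(seq)}\n")
```

What the example shows is the aggregation effect the section claims: each signal on its own is weak evidence (a single scan leaves the host mostly benign, a single DGA lookup lands near 50/50), but the sequence compounds through the state model into a high-confidence verdict. The probabilities here are hand-picked; in practice they are learned from labelled incidents and the threshold is set against the cost of a false quarantine.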

Proactive Response

Detecting ransomware in progress is only the first step in a successful defense. The infected system must be taken off the network before the malware finds another foothold.

Niara is integrated with ClearPass Policy Manager, and when a compromised system is detected it sends an alert to ClearPass. ClearPass knows what and who is on the network, and its policy engine can be programmed to respond to Niara's "suspected ransomware" alert by immediately taking the infected system off the network. Quarantining stops further spread but does not undo what has already happened: files encrypted on that machine, and on any share it reached before isolation, still have to be restored from backup, so the alert should also open an incident rather than simply close the loop.

Aruba is building on a 15-year history of providing secure and protected wired and wireless access to deliver the visibility and control of ClearPass, now combined with Niara's advanced attack detection, for a proactive, 360° defense against powerful multi-stage attacks.

Jisheng Wang is the senior director of data science in the office of the CTO for Aruba, a Hewlett Packard Enterprise company.