WannaCry Infects Health Care Provider
The Network: A not-for-profit 501(c)(3) community asset providing healthcare-related services in many states in the southeastern United States.
The Expectation: Prevention defenses are working (Anti-Virus, Next-Gen Firewall) and monitoring is in place to catch anything that slips through the prevention layer.
The Catch: Netsurion identified and terminated an instance of WannaCry.
The Find: A user was tricked into clicking an infected attachment in a phishing email, resulting in tor.exe being dropped into the user subfolder on the desktop. The Netsurion sensor reported the launch of tor.exe as an unknown process. Shortly thereafter, tor.exe was observed communicating with the IP address 126.96.36.199. These are published indicators of compromise (IoCs) of WannaCry.
The Fix: Quarantine the infected desktop; ideally re-image the infected laptop before returning it to service. Scan all machines on the network for vulnerabilities (especially MS17-010). Limit traffic to/from ports 139 and 445 to internal hosts only.
The Lesson: Stop relying exclusively on anti-virus and next-generation firewalls. Think defense in depth, such as Netsurion’s Managed Threat Protection. Monitoring DNS activity and network traffic are other excellent techniques.
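
The detection pattern described in The Find (an unknown process launched from a user folder, followed shortly by an outbound connection) can be sketched as below. This is an added example, not Netsurion's sensor logic; the event format, baseline list, internal ranges and five-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from ntpath import basename  # parses Windows paths on any platform

BASELINE = {"outlook.exe", "winword.exe", "chrome.exe"}  # assumed allowlist of known process names
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample telemetry: (time, host, kind, pid, detail)
EVENTS = [
    ("2017-05-12T09:00:05", "DESK-01", "process", 4120, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    ("2017-05-12T09:02:11", "DESK-01", "process", 5308, r"C:\Users\jdoe\Desktop\invoice\tor.exe"),
    ("2017-05-12T09:02:40", "DESK-01", "network", 4120, "10.1.2.25"),
    ("2017-05-12T09:03:02", "DESK-01", "network", 5308, "203.0.113.10"),
    ("2017-05-12T09:30:00", "DESK-02", "process", 2210, r"C:\Users\asmith\AppData\Local\Temp\setup.exe"),
]

def is_external(addr):
    """True when the destination is outside the assumed internal ranges."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)

def detect(events):
    """Alert on unknown processes in user-writable paths; escalate on external traffic."""
    suspects, alerts = {}, []
    for ts, host, kind, pid, detail in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "process":
            name = basename(detail).lower()
            if name not in BASELINE and "\\users\\" in detail.lower():
                suspects[(host, pid)] = (when, name)
                alerts.append(("unknown_process", host, name))
        elif kind == "network" and (host, pid) in suspects:
            started, name = suspects[(host, pid)]
            # Same process talking to a non-internal address soon after launch
            if is_external(detail) and when - started <= WINDOW:
                alerts.append(("unknown_process_external_conn", host, name, detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second alert type is the one worth paging on: the unknown-process alert alone is noisy, while the launch followed by an external connection matches the sequence the sensor reported.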