Ransomware Simulation (WannaCry)
Ransomware is a deliverable payload packaged in trojans, malware or other types of viruses that locks important data systems until a payment has been made. The attacker prompts you to pay the ransom so that you can receive the decryption key to unlock the encrypted files. Encryption is the process of converting information or data into a code, while decryptions is the inverse to this example. Though ransomware has recently gained traffic in the last year, it has been around for decades. The only difference is that malware can be easily distributed to many on the internet instead of just a few PC’s via floppy disk. Threatcare offers ransomware simulation for organizations to verify that they are protected.
WannaCry ransomware spread through the Server Message Block (SMB) protocol, that’s typically used by Windows machines communicates with file systems over a network. Machines that support SMBv1 without the MS-17 security patch were vulnerable to spreading the malware via SMB to other at-risk boxes. That was until the kill switch domains were captured and registered to prevent the WannaCry execution on systems.
Detect WannaCry Ransomware Traffic
Threatcare offers proactive cyber defense verifying protection against ransomware and other threats. This simulation communicates with the WannaCry killswitch domains such as:
Threatcare’s Violet platform is a BAS (Break and Attack Simulation) technology SaaS that helps companies detect WannaCry ransomware command-and-control (C2) communications. We want to help you leverage your threat intelligence. Whether you use the open source threat intelligence feeds or have purchased enterprise threat intelligence, these domains should not be able to be accessed from within your organization. We also test lateral movement detection, using TCP/IP full connections targeting SMB port 445 – which should be seen suspicious and deemed an indicator of compromise (IOC).
This is how Threatcare helps discover risk and helps validate your risk mitigation controls.
The WannaCry ransomware simulation initiates an HTTP GET request to WannaCry-related domains that have been sinkholed.
The WannaCry ransomware simulation also initiates lateral movement using TCP/IP full connections targeting SMB port 445.
From the WannaCry ransomware simulation you’re a click away from your logs with our solution integrated results page to check your DNS logs for domains and IP addresses associated with this simulation, and your network monitoring logs for evidence of lateral movement.