News & Events

Defending against the WanaCrypt0r Ransomware attacks with Palo Alto Networks

  • 15 May, 2017

Industry News, Palo Alto Networks, Security

It must have been quite the challenge to have gone through this entire weekends news cycle without hearing something about a major cyber-attack in the form of Ransomware that has ‘crippled’ the NHS in the UK, Telefonica in Spain and other organisations.

The particular strain that caused such mayhem over the weekend fortunately contained a kill-switch, which was activated inadvertently by a UK-based Security researcher. Unfortunately, we have already seen new versions of this Ransomware appear without the kill-switch, so the chaos is likely only temporarily averted.

Much of the talk in the press has been on Windows XP and how vulnerable it is, but this shouldn’t let people get away from the fact that lacklustre Security is going to put you at risk, whichever OS you are running.

Over the weekend, our technical team conducted a number of tests with WannaCrypt0r and Palo Alto Networks Security products and we’re pleased to report that the malicious software was contained safely and without harm on our test environments. A fact that has also been confirmed by numerous customers contacting Palo Alto, grateful that their product kept them safe from such a major issue.

The Palo Alto Networks Next Generation platform was able to automatically create, deliver and enforce protections against this attack.


The Ransomware Attack process


WanaCrypt0r attacks begin in an organisation through an email-based phishing delivery mechanism which includes a malicious link and/or PDF document. Once successful, the attack will result in the delivery of the WanaCrypt0r Ransomware on the target system. At this point the Ransomware attempts to spread across the network using the SMB protocol which exploits the EternalBlue vulnerability (CVE-2017-0144) on Microsoft Windows systems.

This vulnerability was publicly disclosed by the Shadow Brokers group in April 2017, and was addressed by Microsoft in March 2017 with MS17-010. Microsoft published a post on protections from the WanaCrypt0r attacks here, and has taken the drastic step of providing patches for versions of Windows software that are no longer supported, including the now much-maligned Windows XP.

traps detecting wanacrypt0r

Prevention with Palo Alto Networks


All of our customers using Palo Alto Networks products are protected through the Next-Generation Security Platform. The Next Generation Security Platform employs a prevention-based approach which seeks to automatically stop threats across the attack lifecycle.

You don’t need to be using the full suite of Palo Alto Networks products to have been protected from this attack. There are multiple pieces to the Palo Alto Networks Next Generation Security Platform and thus there are multiple ways to be protected from WanaCrypt0r Ransomware, including:


WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.

Threat Prevention enforces IPS signatures for the vulnerability exploit (CVE-2017-0144 – MS17-010) used in this attack: SMB vulnerability – ETERNALBLUE.

URL Filtering monitors malicious URLs used and will enforce protections if needed.

DNS Sinkholing can be used to identify infected hosts on the network. For more, please reference the product documentation for best practices.

Traps prevents the execution of the WanaCrypt0r malware on endpoints.

AutoFocus tracks the attack for threat analytics and hunting via the WanaCrypt0r tag.

GlobalProtect extends WildFire and Threat Prevention protections to remote users and ensures consistent coverage across all locations.

This example is specifically dealing with the recent Wanacrypt0r Ransomware attack and should serve to provide an idea of the various levels of detection and prevention on offer from a variety of Palo Alto Networks products.

The very same protection mechanisms will of course work in similar ways against all types of Ransomware and various other threats.

Focusing on the Palo Alto Networks Traps Endpoint Security Defence


With the Palo Alto Networks Traps multi-method prevention approach, WanaCrypt0r is prevented at several points in the early stages of an attack. In cases where the initial malware is successfully delivered to the endpoint, Traps automatically blocks the execution of the WanaCrypt0r malware at multiple points via the following actions:


– Cross referencing the WildFire Threat Intelligence Cloud for known malicious samples of WanaCrypt0r (enabled by default.

– Examining hundreds of characteristics of the file with local analysis via machine learning (enabled by default)

– Submitting the unknown executable to WildFire for full inspection and analysis (automated, no action needed)

– Configuring Execution restrictions so that known locations and executables associated with WanaCrypt0r are blocked (needs to be configured)


In addition to the above prevention methods, Child Process Protection offered in the version of Traps (v4.0) prevents several techniques used by WanaCrypt0r to propagate across a victim’s network.

Closing thoughts


Cyber Security remains an arms race with rapidly evolving threats and an ever-growing army of people willing to attack organisations, either for personal reasons, political reasons or financial reasons.

There are no guarantees that you can be protected from every vulnerability or attack, but with the right Security strategy and an well-planned harmonised combination of solutions, you can maximise your chances of successfully preventing an attack and even stop yourself from becoming a ‘patient zero’.

If you’d like to learn more about the Palo Alto Networks Next Generation Security Platform or would like to discuss your Security strategy and work with us to develop a roadmap and on-going strategy then please get in touch with us here.

Get in touch with us

Contact us to discuss your Security Strategy