Airlock Digital - Allowlisting Software

Whitelisting & the Ransomware Worm

15 May 2017

Ransomware activity has been rising steadily over the past four years, providing a low-cost and successful income stream for criminal organisations. Over the past weekend, however, the game changed with ‘WannaCry’.

Traditional ransomware typically ran on a single end-user system, encrypting files that were accessible on local disks and sometimes on mapped network shares. WannaCry had such a significant impact because of its ability to spread aggressively through network-connected computers (whether locally or over the internet) using a recently discovered Microsoft Windows SMB vulnerability. This vulnerability was patched by Microsoft in March 2017.

Even though WannaCry represents a worrying evolution in ransomware tactics, the software itself isn’t designed with stealth and security evasion in mind. Simply because it was a newly created / mutated piece of software, the ransomware initially went undetected by nearly all traditional security products. The likely strategy with WannaCry was to hit the world hard and fast, before traditional security technologies like anti-virus and network intrusion prevention had time to catch up and write detection signatures. The reactive nature of traditional security technologies is highlighted by the sheer number of hosts infected during this incident.

The Australian Signals Directorate’s (ASD) Strategies to Mitigate Cyber Security Incidents places Application Whitelisting as the number one ‘essential’ strategy to prevent malware delivery and execution. During its execution, WannaCry drops and executes five executable files on the victim’s system, and the installation process involves downloading ‘Tor’ software to facilitate payment. If these executable files were proactively prevented from running, the attack would simply fail.
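The contrast drawn above between reactive signatures and proactive whitelisting can be shown in a few lines. This is an added example, not Airlock Digital's code: it assumes a hash-only policy (real products also use publisher and path rules), and every file path and byte string in it is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed file contents; these are plain byte strings, not real binaries.
TRUSTED_APP = b"constructed: approved line-of-business application"
KNOWN_SAMPLE = b"constructed: ransomware build already seen by vendors"
MUTATED_SAMPLE = KNOWN_SAMPLE + b"\x00"  # trivially changed build, new hash

@dataclass(frozen=True)
class ExecEvent:
    path: str       # where the file was launched from (constructed paths)
    content: bytes  # file contents at execution time

class SignatureBlocklist:
    """Reactive model: default allow, deny only hashes already catalogued."""
    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)
    def allows(self, ev: ExecEvent) -> bool:
        return sha256(ev.content) not in self.bad

class Allowlist:
    """Proactive model: default deny, run only hashes approved in advance."""
    def __init__(self, good_hashes):
        self.good = set(good_hashes)
    def allows(self, ev: ExecEvent) -> bool:
        return sha256(ev.content) in self.good

EVENTS = [
    ExecEvent(r"C:\Program Files\Example\app.exe", TRUSTED_APP),
    ExecEvent(r"C:\Users\alice\AppData\Local\Temp\dropped_a.exe", KNOWN_SAMPLE),
    ExecEvent(r"C:\Users\alice\AppData\Local\Temp\dropped_b.exe", MUTATED_SAMPLE),
]

def evaluate(events, policy):
    """Return {path: True if the policy lets the file execute}."""
    return {ev.path: policy.allows(ev) for ev in events}

if __name__ == "__main__":
    blocklist = SignatureBlocklist({sha256(KNOWN_SAMPLE)})
    allowlist = Allowlist({sha256(TRUSTED_APP)})
    for name, policy in (("blocklist", blocklist), ("allowlist", allowlist)):
        for path, ok in evaluate(EVENTS, policy).items():
            print(f"{name:9} {'RUN ' if ok else 'DENY'} {path}")
```

The mutated file runs under the blocklist because no signature exists for it yet, while the allowlist denies both dropped files without needing to know anything about them.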

Incidents such as WannaCry demonstrate the need for proactive security solutions that make it extremely difficult for attackers to run malicious code. Application Whitelisting represents the most effective and proactive strategy to detect and prevent these attacks.
