What is WannaCry?

On Friday, 12 May 2017, one of the largest cyber-attacks in modern history had started. Ransomware WannaCry (or WannaCrypt) had infected more than 230,000 computers in 150 countries in a very short time. It had global impact, spreading over the globe faster than any pandemic could – helpfully providing victims with translation in 28 different languages.

Fig 1: Infections during the last 24 hours, source malwaretech.com
Fig 1: Infections during the last 24 hours, source malwaretech.com

WannaCry infects enterprise networks remotely either by exploiting the SMB vulnerability or through phishing attack. After infecting the first machine, it exploits a vulnerability in SMB protocol (EternalBlue exploit) to quickly spread to all machines on the local network and internet. After infection, ransomware encrypts all data and installs DoublePulsar backdoor for remote control. The ransom note is then displayed.

Fig 2: Oops. When you see this screen, it is already too late.
Fig 2: Oops. When you see this screen, it is already too late.

According to Europol, this attack was unprecedented in scale. Was this the worst that we can expect?

We were lucky this time

94% of security breaches are related to espionage or financially motivated. With the proper motivation, we can expect to see not only more attacks, but also a lot more sophisticated attacks in near future. In March 2017 during the Pwn0Own hacking contest, Chaitin Security Research Lab has shown not one, but a chain of six (!) zero-day exploits joined together. They won $35,000 for this successful demonstration. According to the FBI, ransomware CryptoWall generated over $18m in revenue in 2015 alone. We can still only imagine what could be possible with the proper motivation.

It might be surprising, but WannaCry is a low-tech threat. It is not a zero-day attack – the patch from Microsoft has been available since March 2017. None of the techniques introduced is new or innovative in any way. The $300 ransom that was demanded was very low for the damage it has caused – and based on feedback from some of the companies that decided to pay the ransom, decryption and recovery of data is a fully manual process that was clearly not designed to scale. Based on everything we have seen, the success of WannaCry was a surprise not only to the companies worldwide, but also to the authors of the ransomware.

WannaCry accidentally left behind a hole thatallowed one of the security researchers to quickly activate the kill-switch that prevented it from spreading. Since then, new variants have been seen in the wild – v2 included the same kill switch and was quickly stopped by another security researcher and v3 contains a corrupted archive that prevents it from encrypting the files. This provided the necessary temporary relief for all the companies that could quickly patch or isolate their systems to stop the attack.

It is scary to think what the impact of WannaCry could have had if released by more professional group. Next time, we might not be so lucky. If (or should I say when?) professionals start using the real zero-day exploits, the situation will get more serious than it is today.

Why Citrix customers are not crying

The purpose of this blog post is not to summarize the WannaCry ransomware – you can read about it on almost every internet or major news web site. The goal of this blog post is to explain how Citrix solutions could be used to prevent, stop or minimize the impact of similar attack. This is not a new topic – my colleague Florin Lazurca wrote a blog post about ransomware and medical facilities over a year ago.

As the patch for EternalBlue has been available for almost two months, traditional advantages of VDI/RDS apply – single image management to quickly patch all systems, non-persistent machines for fast recovery and centralized management to improve response times. And if everything else fails, prompt disaster recovery and failover to backup data center. By using Citrix solutions, you could be more prepared when the next generation of malware strikes.

This ability to quickly patch large numbers of computers with few clicks is now even better than before. Our new Citrix App Layering supports not only traditional application layers, but also layered images. With layered images, you can update multiple separate images at once, replace the low-level components (such as hypervisor tools or drivers) on all images or manage images across multiple hypervisors. Understanding the capabilities of this new mode is important, as it enables Citrix App Layering to act as an operating system and application management solution.

Let’s quickly summarize the kill chain of the WannaCry ransomware:

  1. Infection – Single machine initially infected through spear phishing email
  2. Distribution – Ransomware distributed to all local machines through SMB exploit
  3. Extortion – All data encrypted, ransom demanded
Fig 3: WannaCry distribution in traditional IT environment.
Fig 3: WannaCry distribution in traditional IT environment.

Phase 1 – Infection

To prepare the best possible security defenses, it is important to understand the initial infection vector for these attacks. Per Data Breach Investigations Report 2017, a whopping 99.6% of ransomware is distributed by either email or a web browser. This is based on a sample of 50 million on-the-wire detections, provided by data from 65 sources.

Earlier this year, we worked with our partner Bitdefender on a technical whitepaper that is specifically targeting this infection vector, including a section about deployment tips and tricks and best practices. While this technical whitepaper is focused on secure browsing, secure email can be delivered using the same architecture with the same security benefits.

Secure Browsing – powered by Citrix XenApp, Citrix XenServer and Bitdefender HVI

Citrix XenServer is used as a preferred hypervisor in this architecture. XenServer includes a new unique security feature called XenServer Hypervisor Introspection, which enables third party security companies to leverage memory introspection techniques from a hypervisor-layer security appliance. Partners, such as Bitdefender can integrate with XenServer and work with the raw memory and without any in-guest (VM) agents. Bitdefender HVI detects techniques, rather than detecting patterns, which means that it can prevent even unknown attacks and exploits.

Bitdefender tested the Hypervisor Introspection against the EternalBlue (an exploit used as an initial attack vector by WannaCry) a month before the current wave of attacks and confirmed that any machine running on XenServer would not be impacted and the initial exploit would not be successful. This protection would work even on unpatched system or against another zero-day exploit that is using similar method

Phase 2 – Distribution

Traditional IT architecture does not provide sufficient protection from ransomware. From a security architecture perspective, the problem is that the most valuable assets, data, is stored on the same devices and network segment as the most vulnerable assets, endpoints. Any of the unprotected devices or any of the users that click on a phishing email can lead to a security incident.

Citrix XenApp has been used by many customers worldwide to provide this level of segmentation. The ability to take any existing client-server application and inject a middle-man in between is a very powerful tool in a security utility belt. Concept of Internet isolation is becoming more and more popular and we’re seeing increased interest from customers all around the world. Even if malware is successful during initial infection, it will reside in a non-persistent, isolated zone where it can be easily destroyed.

Fig 3: Segmentation of email and browser.
Fig 4: Segmentation of email and browser.

Your company is only as strong as its weakest link – this important principle is often ignored by companies that focus on components that are easy to secure, while leaving other, often older, parts of the environment exposed and vulnerable. The reason that healthcare has been hit so hard by this wave of ransomware attacks is due to often outdated devices that are still being used. As many as 70,000 NHS devices could have been affected, including magnetic resonance scanners, blood-storage fridges and other medical equipment. Securing the medical device that is still fully functional, costs $100k, but runs older version of embedded operating system and requires Windows client application is daily reality for many healthcare administrators. Citrix XenApp with NetScaler can be used to secure these devices, as well, while providing enough time for IT to solve the security issues. In the field, isolation combined with proper access control is often the most realistic approach to security.

When designing how you deploy and silo your applications, it is important to understand their behavior. This is often challenging, especially with older applications that are only passively maintain and original developer is no longer available. Citrix AppDNA can help you to analyze these older applications and better understand how to handle them. It also includes new module called Security and Compliance Manager, which can look for the most common vulnerabilities and identify security issues. If you have application that cannot be updated and includes a vulnerable SSL module, you can always isolate it on a dedicated set of servers.

Fig 5: Network isolation for medical devices.
Fig 5: Network isolation for medical devices.

Phase 3 – Extortion

It is very hard to talk about ransomware and avoid talking about the data. Preventing access to data is what ransomware it all about – whether it is done through a simple lockout from system or encryption of the files. If your multi-layered security has failed and ransomware have been successful in breaching your defenses, it is time to consider your next move.

An enterprise data sync service like Citrix ShareFile can be great advantage in recovering from a successful attack. The versioning functionality keeps previous versions of each file, so IT can revert impacted files to the last known version. This is very powerful combination with non-persistent machines, managed through a single image management solution like PVS or MCS. IT can quickly apply the patch, release new image to all machines, reset the whole environment to the last known state – and then simply recover the last know version of all files from a centralized backup.

ShareFile can not only help you to recover from an attack, it can also help to prevent it. ShareFile provides a support for various antivirus vendors that can automatically scan all uploaded files and data.

Fig 6: ShareFile with ICAP antivirus support.
Fig 6: ShareFile with ICAP antivirus support.

While traditional antivirus is still a critical part of security, new and more innovative approaches are needed. ShareFile provides API access for third-party cloud security platform partners, such as Avanan. Using this approach, ShareFile can not only scan any file using multiple (up to 40) AV engines, but also include advanced anti-malware solutions, like sandboxing or macro based detection.

Finally, ShareFile has a server-side detection for certain ransomware strains. For example when malware changes the file extensions, ShareFile can detect the change and prevent the client from overriding the server data.

Fig 7: Example security stack for ShareFile.
Fig 7: Example security stack for ShareFile.


IT security is like a disease that cannot be cured – you can only carefully treat it and hope that it will never hit any of your vital organs. Prevention, emergency planning, and recovery are more important than ever (and it feels that I’m using this phrase almost every week now) and it is important to have a security framework that can cover all your applications and data – from the old legacy systems to the latest and greatest SaaS/web apps. WannaCry was a glimpse of things to come and Citrix portfolio can help you to be better prepared for the next generation of malware.