Attivo Networks Blogs

Deception Derails Ransomware: WannaCry Analyzed by Attivo Labs

As ransomware attacks continue to claim hundreds of thousands of victims, organizations are scrambling to figure out if their current security tools can effectively stop, detect, and remediate large-scale ransomware attacks.

While the major WannaCry ransomware attack was stopped by an uncovered kill switch, experts fear a resurgence of new strains without such shortcomings. Now, more than ever, organizations across all industries need to strengthen their defenses against these aggressive and damaging attacks.

Many organizations have adopted deception technology as a tool to detect and help remediate ransomware attacks that have bypassed perimeter security devices. Deception technology sets up a system of lures and decoys throughout the network to confuse and misdirect attackers, leading them to ultimately reveal themselves. Since deception technology is engagement-based, alerting only when an attack has engaged with a lure or decoy, detection is not reliant on signatures or known attack patterns, making it ideal for repackaged and polymorphic attacks.

With the most comprehensive deception solution, the Attivo Networks Deception and Response Platform provides features that specifically work to derail ransomware attacks. Engineers Chintan Shah and Ashutosh Raina at Attivo Networks Labs analyzed the latest version of the WannaCry ransomware. Here are their findings:

The first step is detection. When the WannaCry ransomware enters a subnet, it conducts an initial scan of the local SMB ports. The ransomware exhibits worm like functionality, infecting other computers on the network, exploiting SMB vulnerability MS17-010, and spreading on its own. While this type of activity usually goes unnoticed by blending in with the “normal” activity on the network, it is easily detected by the Attivo BOTsink solution.

When the BOTsink solution is present on the same subnet as the ransomware, the BOTsink engagement server will catch the SMB port scan and raise an alert to the security team that an attacker is present on the network. Furthermore, the BOTsink solution is designed to lure attackers in; after the initial scan, the ransomware will infect the BOTsink and the security team will be alerted to the ransomware attack. Once infected, the BOTsink analysis engine gathers detailed attack forensics and relays reports not only to the security team, but also to other security tools in the network (SIEM, Firewall, NAC, End-point) to automate and accelerate incident response.

Time is an extremely valuable resource in any cyberattack, but especially critical in ransomware attacks. By detecting ransomware in the first stage of the attack, organizations have time to take action to protect their network. The Attivo Deception and Response Platform does more than just save time.

Slowing ransomware down by 25x. Deploying deception gives organizations the tools to go on the offensive against ransomware.

WannaCry, the latest ransomware strain that wreaked havoc on over 200,000 victims, works by infecting and encrypting attached network shares on a device. The Attivo ThreatStrike end-point lures, however, combat this process by having SMB shares mapped to the BOTsink decoy engagement VMs. Therefore, when ransomware infects a device that has ThreatStrike SMB lures installed, the ransomware encrypts the mapped decoy network shares. In testing trials of this technology, it was noted that it can slow down the encryption attack cycle by a factor of 25x times by keeping the ransomware busy by encrypting a continuous feed of deception files.

Below screen captures show ransomware using deceptive credentials planted by the ThreatStike suite and infecting network shares.

The BOTsink solution projects decoys VM’s using real operating systems. When ransomware infects one of the decoy VM’s the decoy turns into a full sandbox and captures the entire attack activity.

Below are some of the YARA rules triggered which describe the malware behavior.

The BOTsink analysis engine also captures the packet capture of the attack activity.

The benefits of slowing down a ransomware attack are numerous. As noted before, time is an extremely critical resource in an attack. By taking offensive actions to slow the ransomware, the security team is afforded significantly more time to take steps to inoculate the threat before it further damages the network.

By misdirecting an attack with decoy network shares, security teams have the opportunity to quarantine the threat by leveraging 3rd party integrations.

Quarantine the threat. Once ransomware engages the decoy network shares, the BOTsink sends detailed attack forensics to 3rd party end-point containment providers (Aruba, Carbon Black, McAfee, Cisco, ForeScout). When the forensics are sent, security teams can choose to either automatically or manually quarantine the threat to stop it from spreading to other systems in their network.

By providing automatic quarantine abilities, the Attivo Deception Platform gives security teams the ability to derail ransomware attacks, avoiding not only an encrypted network, but also having to pay exorbitant ransom prices.

Through early detection, slowing the encryption process, and accelerated quarantine, Attivo Networks offers a new tool for security teams to go on the offensive against major ransomware attacks.

For information on a healthcare provider using Attivo Networks against ransomware, read Deception Technology Derails Ransomware Attack on Regional Healthcare Provider

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

20 − six =

Ready to find out what’s lurking in your network?

Scroll to Top