Cohort Software – Statement of Assurance of protection against WanaDecrypt0r/EternalBlue derived Ransomware Vulnerability


On Friday 12th May 2017 a Ransomware Trojan was released onto the public Internet which contained a variant of a known Ransomware payload (WanaDecrypt0r/WannaCry/WNCRY) coupled with a previously unseen distribution method based around an exploit in the SMB/CIFS protocol (EternalBlue).

The Cohort hosted platform and all systems hosted therein were patched against the exploit in March 2017 within 10 days of release by Microsoft. All systems are protected by daily updated Anti-Malware software. Unrestricted outbound Internet access is denied on all customer facing systems. Network segregation is in place to ensure only specific traffic can pass between servers of differing roles.

This document details the systems and procedures that are in place now and before the current outbreak. No changes have been required to further secure the systems. However we will continue to monitor responses from the IT community and apply lessons learnt from other organisations to further secure our infrastructure if appropriate.

Initial Distribution Protection

It is currently unclear how the initial distribution of the WanaDecrypt0r/EternalBlue ransomware was achieved; however most other Ransomware is distributed via email using phishing approaches or other ways to dupe users into downloading the malicious code.

To protect against these attacks the hosted systems of the Cohort Application do not have direct outbound access to the Public Internet, where Internet based services are used they are protected as follows:

SMS Gateway: Access locked down to specific destination IP range of SMS service provider only from those servers with the option enabled.

Email: Access only via internally hosted SMTP gateway servers with active Anti-Virus and Anti-Spam services in place.

Web Access from Servers: This traffic is denied.

Post Infection Distribution Protection

The WanaDecrypt0r/EternalBlue ransomware leveraged a recently disclosed exploit in the SMB protocol used by Microsoft Windows operating systems.

A patch was released by Microsoft on 14th March 2017 as part of their Patch Tuesday release. This was for all supported operating systems. Meaning the exploit was present in even the most recent of Windows releases (Windows 10 & Windows Server 2016), although it is unclear at this state which specific operating systems were vulnerable without the patch.

The servers running the Cohort system utilise Windows Server 2008 R2, Windows Server 2012 R2 & Windows Server 2016.

The patching policy in place meant that all development, test and production servers were patched with this fix in a staggered rollout between the 16th and 24th March 2017 in line with the agreed monthly patching process. Our internal systems, both server and client, are also patched to the same level in the same interval but on a geographically separate and network segregated environment.

All servers also reside on role specific VLANs within the hosting environment which segregates systems, this would further restrict spread should an exploit enter the system.

This means all internal and customer facing systems managed by Cohort were protected against the exploit used to distribute the Ransomware.

Payload Protection

Should any Ransomware breach these previously described defences, we have centrally managed & monitored Anti-Virus protection running on all servers which with definition signatures update on a daily basis at 2AM each day. This can be manually overridden for an immediate update of definitions where needed.