
20162171025_Anish_Shah(CS)

Practical-1

The organization needs to gather threat intelligence specifically focused on the Wannacry ransomware
to enhance its cybersecurity posture and effectively defend against potential Wannacry attacks. The
objective is to obtain actionable intelligence regarding the Wannacry ransomware's propagation
methods, exploit techniques, command-and-control infrastructure, and any new variants or
modifications that may have emerged since the initial outbreak. By gathering this intelligence, the
organization aims to proactively identify potential vulnerabilities in its systems, strengthen security
controls, develop effective incident response plans, and educate its employees on best practices to
prevent Wannacry infections. Ultimately, the organization seeks to minimize the risk of falling victim
to Wannacry ransomware attacks and safeguard its critical data and operations.

Additional Task: Find out Threat Intelligence Indicators of compromise (IoCs) for NotPetya attack like
IP addresses, domain names, URLs, email address, malware hashes, file names, file extensions, CVEs,
Initial attack vector and propagation techniques. Mention the recommendation to remediate NotPetya
attack.

IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats,
aggregation of intelligence, and collaboration with peers.

Create an Account: To get better visuals and more data on what happened during these attacks, we
are going to use IBM’s X-Force Exchange. This is a completely free service, but you will need to create
an account.

To complete this activity, follow the instructions described in the link included below
http://ibm.biz/sacloud

Deep Dive
Let’s continue our investigation of WannaCry.
1. Click “View More” at the bottom of Public Collections.

2. In the search bar type in “WannaCry”.



3. Select the WannaCry collections folder.


The Collections folder contains over 280 reports on the activities of the WannaCry ransomware. What
we are interested in for this lab is the most recent Botnet report. This will give an excellent visual on
where the ransomware was last active.

4. Click the most recent Botnet report on the right side.


The Botnet report shows when the attack was last captured, whether it has more or fewer botnet
clients than previous attacks, when the attack was at its strongest, how many people were affected, a
list of the affected countries, and a map that displays the severity in each country.

Taking a look at Threats Today

X-Force Exchange offers a plethora of information on past cyberattacks, but what we need to know, as
security experts, is “What is plaguing the world right now?” X-Force Exchange can help us out with
this as well.

1. Navigate back to the X-Force homepage.

2. Click on View malicious activity map under Malicious Activity. X-Force Exchange scans the globe
and reports current threat activity in real time. Hovering over a report pauses incoming reports and
highlights the country affected by that attack.

3. Click on “Spam” at the bottom of the page.


4. A list of categorized IP addresses that have all been connected to recent spam attacks will appear.

5. Click on one of the captured IP Addresses.


This Threat Report contains a risk score, from 1 to 10, that gives a general impression of how credible the
threat from this IP is. It also provides further data that a team of security analysts can use to pinpoint
where the attack took place, who was attacked, and not only the date but the exact timeframe during
which the attack was active.

6. Follow the incident by clicking the Follow button at the top right of the report. This will send you a
notification if there are any new instances or changes to the report, so you do not need to keep checking
in manually.
7. Return to the homepage, open up the notification tab on the top right, and click on the following link
to see a list of what you are currently following.

Milestone Summary:
X-Force Exchange can be crucial for Cybersecurity and cyber awareness. With X-Force Exchange, we
can monitor the online environment, in real-time, and actively follow known security issues. Security
concerns can be investigated to not only tell us where the problem originated, but who has been
affected and what type of systems are under threat.

ADDITIONAL TASK:
Find out Threat Intelligence Indicators of compromise (IoCs) for NotPetya attack like IP addresses,
domain names, URLs, email address, malware hashes, file names, file extensions, CVEs, Initial attack
vector and propagation techniques.
About NotPetya Attack:
● The NotPetya attack, also known as Petya or ExPetr, was a large-scale and destructive cyberattack
that occurred in June 2017.
● It initially appeared to be a ransomware attack called Petya but was later found to be a destructive
wiper malware masquerading as ransomware.
● The attack targeted businesses and organizations worldwide, with Ukraine being the primary target. It
spread rapidly using the EternalBlue exploit, which took advantage of a vulnerability in Windows
systems.

● NotPetya encrypted the master boot record of infected computers and demanded a ransom, but the
email for payment was quickly shut down.
● Attribution pointed towards Russian state-sponsored actors, making it a significant incident
highlighting the importance of cybersecurity and timely software updates.
Now, let’s find the IoCs for the NotPetya attack. To do so, perform the following steps:
1. Go to the IBM X-Force Exchange site and, under Public Collections, search for NotPetya.
Click on the last option, Petya (NotPetya) Ransomware:

Hash:
(SHA256) 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

2. Finding the IoCs using VirusTotal:



3. Now, we look in IBM X-Force Exchange. Below are the Indicators, Email Address and
Killswitch, File Information and Analysis, Initial Vector, Affected Platforms, Affected Geographies,
and Affected Sectors.
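The indicators collected in steps 1 to 3 arrive as a mix of hashes, addresses, domains and file names, often defanged; to make them usable for the monitoring in remediation step 11 below, here is an added example (not part of this report or of X-Force Exchange) of a small Python feed parser that refangs each entry and sorts it into the IoC types the task lists. The only real value in it is the SHA256 quoted above; the feed lines and file name are constructed, the CVE id is a placeholder, and FILE_EXTS is an assumed extension list used to tell file names from domains.

```python
import re

# SHA256 quoted from the X-Force NotPetya collection above (the page's value).
NOTPETYA_SHA256 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
FILE_EXTS = {"exe", "dll", "dat", "sys", "bat", "ps1", "tmp", "bin"}  # assumed list
PATTERNS = [  # tried in order, most specific first
    ("cve", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def refang(value):
    """Undo common feed defanging (hxxp, [.], [@]) so entries can be matched."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")

def classify(value):
    """Return the IoC type of one feed entry, or 'unknown'."""
    v = refang(value.strip())
    ext = v.rsplit(".", 1)[-1].lower()
    if "." in v and "/" not in v and ext in FILE_EXTS:
        return "filename"  # file name wins over the domain pattern
    for name, pat in PATTERNS:
        if pat.match(v):
            return name
    return "unknown"

def parse_feed(text):
    """Group a plain-text feed (one IoC per line, '#' comments) by type."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            groups.setdefault(classify(line), []).append(refang(line))
    return groups

# Constructed feed: only the first line is a real indicator (from the page).
SAMPLE_FEED = f"""
{NOTPETYA_SHA256}
198.51.100.23                    # RFC 5737 test address, constructed
evil-example[.]com               # defanged domain, constructed
hxxp://evil-example[.]com/drop   # defanged URL, constructed
payment[@]example.net            # constructed contact address
CVE-0000-0000                    # placeholder CVE id, not a real one
example_dropper.dll              # constructed file name
"""
```

Calling parse_feed(SAMPLE_FEED) returns one list per IoC type, which can then be loaded into the relevant control (blocklists for addresses and domains, hash lists for endpoint protection).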

Steps to remediate NotPetya Attack:



1. Isolate Infected Systems: As soon as you suspect a NotPetya attack, disconnect the affected
systems from the network to prevent further spread. This can help contain the infection and
limit its impact.

2. Confirm the Infection: Verify that you are indeed dealing with NotPetya or any other
malware. Analyze the behavior, signs, and symptoms to ensure an accurate diagnosis.

3. Notify Relevant Parties: Inform your organization's IT security team, incident response team,
or external cybersecurity experts about the attack. Timely communication is crucial for an
effective response.

4. Take Systems Offline: Shut down the infected systems completely to halt the malware's
activity and avoid additional damage.

5. Identify the Entry Point: Conduct a thorough investigation to determine how NotPetya
entered your network. This step helps prevent a future recurrence and addresses any
vulnerabilities.

6. Restore from Known Good Backups: If possible, restore affected systems from clean
backups taken before the attack. This process ensures that no malware remains on the restored
systems.

7. Patch and Update: Apply the latest security patches and updates to all systems and software.
This step helps close any security gaps and prevents known vulnerabilities from being
exploited.

8. Implement Network Segmentation: Divide your network into isolated segments with
restricted communication paths. This measure helps contain malware and limits its ability to
spread.

9. Improve Security Measures: Evaluate your organization's security infrastructure and
implement additional security measures, such as robust firewalls, intrusion detection systems,
and endpoint protection.

10. Educate Employees: Train your staff about cybersecurity best practices, including how to
identify and report suspicious activities. Human error is often a significant factor in successful
cyberattacks.

11. Monitor for Resurgence: Keep a close eye on your network for any signs of the malware
returning. Continuously monitor your systems for unusual behavior and indicators of
compromise.

12. Engage with Law Enforcement: Work with law enforcement agencies, such as the local
police or cybercrime units, to report the attack and potentially help with the investigation.

13. Communication Plan: Develop a communication plan to keep all stakeholders, including
employees, customers, partners, and the public, informed about the situation and the steps taken
to remediate the attack.

14. Conduct a Post-Incident Review: Once the immediate threat is addressed, conduct a thorough
post-incident review. Identify weaknesses, gaps, and areas for improvement to strengthen your
organization's security posture.
