WannaCry is a ransomware variant that made its debut on Friday, May 12, 2017. What makes this variant unique is its method of spreading. WannaCry is entirely self-replicating; the first recorded instance of a “cryptoworm”, or self-propagating ransomware.
It is purported that the ransomware worm was initially distributed via phishing emails with infected attachments. The initial infections then spread rapidly using the “ETERNALBLUE” exploit and the “DOUBLEPULSAR” backdoor that was released by The Shadow Brokers in April of 2017. These tools were released along with a massive cache of what is believed to be malware and exploitation tools used by the “EQUATIONGROUP” nation-state actors.
Upon execution, the malware both attempts to propagate itself and drops the payload executable that goes through the infected system, encrypting files. The infographic below, provided by Amanda “malwareunicorn” Rousseau, describes the actions the malware takes upon execution. The original image can be found here.
The first action that the malware takes upon execution is to connect to the domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the connection is successful, the malware immediately self-destructs and halts its propagation. This is being referred to as the worm’s "kill switch" that the authors built in as a fail-safe to prevent the ransomware from spreading uncontrollably. Early on, security researchers identified this domain by analyzing the malware’s activity. Observing that the domain did not yet exist, one researcher known as “malwaretech” registered the domain to a sinkhole server under his control that same Friday, and is largely responsible for halting the initial worm’s spread.
Since the initial worm on Friday, now dubbed “WannaCry v1”, copycats have entered the fray. The way the worm was constructed would allow anyone to trivially change out the payload that searches for the kill switch domain to a payload that does not utilize a kill switch domain at all, or utilizes a new kill switch domain. So, solely relying on lookups to the kill switch domain as a method of detection is ill-advised.
In addition to the kill switch domains, US-CERT has issued a notification regarding the initial Wcry infection, along with a pair of Yara rules for enhanced detection, and a slew of recommendations to mitigate the worm.
HURRICANE LABS RECOMMENDATIONS: IMMEDIATE ACTIONS TO TAKE
- If at all possible, patch any and all Windows systems against MS17-010. Microsoft is considering this to be a critical enough problem that they have provided patches to unsupported Windows platforms to help contain the worm and prevent its spread; namely Windows XP, Server 2003, and Windows 8. If you have not applied MS17-010 already, consider this a top priority and patch immediately.
- Block all network connections on Port 139/tcp and Port 445/tcp both to the internet (egress) and inbound from the internet (ingress) in order to both prevent attacks against your infrastructure and also to prevent potentially compromised systems from spreading the worm further.
- If your Windows environment consists of systems running Windows Vista, or newer (e.g. Windows Vista, Windows 7, Windows 8.x, Windows 10, Server 2008, 2012, or 2016), disable the SMBv1 protocol entirely. Microsoft has provided various methods for disabling SMBv1. SMBv1 is considered a legacy protocol in these versions of Windows, and there is absolutely no downside to disabling it entirely.
- Consider utilizing a vulnerability scanner to verify that MS17-010 patches have been applied to Windows systems across your entire enterprise -- from systems in your DMZ/public IP address allocations, to every last user workstation both local and remote. In addition to scanning for MS17-010 to prevent infection via the ETERNALBLUE exploit, It is also highly recommend to scan your network for the DOUBLEPULSAR backdoor, as it is believed that the worm can use pre-existing DOUBLEPULSAR backdoors to infect systems that have already been patched against ETERNALBLUE. As the linked post implies, there are a multitude of tools out there, free and open-source, that can be used to scan your network for MS17-010 and/or DOUBLEPULSAR.
- Keep your antivirus and/or endpoint security solutions and their definitions up to date. Several vendors are detecting this ransomware as “WannaCry”, “WannaCrypt”, “WannaCrypt0r”, “Wcry”, etc. Detection has improved significantly in a very short period of time, so make sure you are utilizing up to date antivirus definitions, and endpoint security.
- Snort and/or Cisco Firepower customers have IDS signatures available in the form of snort rules 42329-42332, 42340 and 41978, while Suricata users have signatures available from Proofpoint as well -- via sids 2024216 (DOUBLEPULSAR detection), 202417, 202418, 202420, 5000072-5000075 (ETERNABLUE detection), 2024291 (WannaCry DNS lookup to kill switch domain). It is highly recommend that you enable these rules for your Network Intrusion Detection platform of choice to enhance your visibility.
- If your organization happens to be infected with a variant of WannaCry that calls out to a kill switch domain, it is extremely important that you do not block access to these domains. As of this writing (May 15, 2017), and following the work of security researchers “malwaretechblog”, “sudosev”, and “benkow_”, there are four known kill switch domains:
Again, ensure that you do not block access to these domains, in the event a system in your network is compromised with a variant that attempts to call out to one of these domains.
- As always, ensure that you have a robust backup system in place with some form of offline backups, or backups on some sort of an access-controlled, segmented network that is not easily accessible over the network, in order to recover from a potential ransomware worm infection.
HURRICANE LABS RECOMMENDATIONS: LONG-TERM ACTIONS
- Previously, we wrote a three-part guide to preventing ransomware infections. Following the contents of these guides will not only help protect your users from ransomware, but also from malware in general. Check out the Ransomware ‘Quick Fix’ guides, Part 1, Part 2, and Part 3.
- There is also a Cisco TALOS blog post that deals with predicting the emergence of self-propagating ransomware dating back to 2016. While the entire blog post is an interesting read into ransomware itself, the chapter on defense providesfurther recommendations for maintaining a strong security posture.