WannaCry Ransomware – What We Know, and What You Can Do


Unless you have been living in a cave with no WiFi, you have seen the massive ransomware outbreak that launched last Friday. The attack is still evolving, with new versions being released over the weekend.

Here’s a summary of what we know about the attack, and what you can do about it:


Figure 1 – Screenshot of WannaCry Ransomware v2.0 first observed by Lastline on May 11th.

What Happened

As of Sunday afternoon Pacific time, the WannaCry Ransomware (also known as WannaCrypt, WannaCrypt0r and other naming variations) has struck approximately 150 countries and affected over 200,000 systems. The malware encrypts files on individual systems, and victims have 3 days to pay the ransom ($300 US) or the price doubles. After 7 days, the malware deletes the encrypted files. The ransomware supports 28 different languages and encrypts 179 different types of files.

The Attack

The attack distributes a new version of a ransomware family that has been around since 2016 and was most recently seen by Lastline in late March 2017.

The ransomware is spread by an old-school worm that propagates automatically through a network, without any requirement for users to click on links or open attachments. (Worms are self-propagating threats that have not seen much use as an attack tool in the last few years, as malware authors shifted to stealthier techniques to avoid detection.)

The payload exploits a vulnerability in the Windows SMB service. This vulnerability in a commonly used communication protocol exists in almost every version of Windows produced in the last 15 years, making it an extremely effective threat vector.

For more information on ransomware, Lastline Labs recently posted some good background on the Lastline Labs Blog: Part 1: Ransomware Delivery Mechanisms, and Part 2: Too Overt to Hide.

Variations of the Ransomware

There are several versions of the malware in circulation currently. The effectiveness of the first version that hit on Friday was limited by one astute researcher who noticed that the malware was calling home to an unregistered domain, and he purchased that domain for $10.69 and saved the world (OK, that is a bit of hyperbole, but not by much). By purchasing the domain, he caused the malware to activate a “kill switch” embedded within the malware sample.  

Registering domain names that malware is known to use is a technique known as ‘sinkholing’, and it is generally used to slow the spread of malware. In this extreme case, the domain registration had an unanticipated outcome: all malware samples that ran after the researcher’s domain registration had propagated across the internet were stopped. One corner case remained unprotected against the first wave of WannaCry samples: organizations protected by explicit proxy technologies were not able to fulfill the DNS request because the malware was not designed to be ‘proxy aware’.

Unfortunately, as early as Saturday, May 13th UTC, new versions of the WannaCry malware were discovered that no longer used the embedded kill switch, meaning that the spread of this attack will likely continue.

Lastline Enterprise’s Deep Content Inspection & Classification of the Threat

We detected the ransomware across the entire detection spectrum: via Deep Content Inspection of malware samples, domain/host reputation information from our Global Threat Intelligence Network, and network traffic analysis.

Below is a screenshot of the analysis report generated from one of the malware samples we received. You can see the ransomware classification and the identification of the attempt to propagate the malware via the Microsoft Server Message Block (SMB) protocol in the list of detected activities.


Figure 2 – Lastline Enterprise analysis of the WannaCry ransomware

The Ransom

The use of Bitcoin to pay the ransom enables us to see the transactions. As of Monday morning (UTC), there have been approximately 170 payments totaling about $48,000 USD. These numbers will likely continue to increase as the work week begins and organizations decide to pay the ransom. You can see the actual transactions here:

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Of course, actual damage caused by the ransomware will far outweigh the actual ransom payment figures.

One note about the ransom payment: there have been observations that this ransomware was designed in a manner which makes decryption extremely difficult for both the victim and the malware author, so the likelihood of getting files back appears to be quite low at present. There have been no public reports of files being restored following the ransom payment.

What to Do About It


Patch

Make sure your systems are patched. Microsoft issued Security Bulletin MS17-010 – Critical Security Update for Microsoft Windows SMB Server (4013389) patch on March 14. Any unpatched systems are at risk.  

Microsoft went so far as to issue an emergency patch on May 12 (KB4012598) for additional versions of Windows, including XP (which has only been supported through expensive contracts for the last several years) and Windows 2003.

Remediate

If you cannot patch, take remediation measures to prevent vulnerable machines from being exposed to the propagation of the ransomware. These include:

  • Disabling support for legacy SMBv1 protocol
  • Reviewing firewall policies at all internet, extranet and VPN connections
  • Determining whether SMB ingress/egress filtering can be applied at each network connection point, limiting inbound/outbound TCP 445, UDP 137-138 and TCP 139
  • Segmenting the network to isolate legacy systems, and considering additional network segmentation strategies which can stop or slow propagation of network-borne worms (since this is likely not going to be the last time we see a threat like this)
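
One way to carry out the firewall policy review in the list above, as an added example that is not from the original article. The rule format, the rule names and the first-match evaluation model are assumptions; the ports are the ones named in the list.

```python
# Ports the article says to filter at each network connection point.
SMB_PORTS = [("tcp", 445), ("udp", 137), ("udp", 138), ("tcp", 139)]

def parse_ports(spec):
    """'any', '445' or '135-139' -> inclusive (low, high) range."""
    if spec == "any":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def first_match(rules, direction, proto, port):
    """Return the first rule that applies (assumed first-match semantics)."""
    for rule in rules:
        low, high = parse_ports(rule["ports"])
        if (rule["dir"] in (direction, "both")
                and rule["proto"] in (proto, "any")
                and low <= port <= high):
            return rule
    return None  # nothing matched: the default policy decides

def exposed_smb(rules, default="deny"):
    """List (direction, proto, port, rule name) for each SMB port still allowed."""
    findings = []
    for direction in ("in", "out"):
        for proto, port in SMB_PORTS:
            rule = first_match(rules, direction, proto, port)
            action = rule["action"] if rule else default
            if action == "allow":
                name = rule["name"] if rule else "default"
                findings.append((direction, proto, port, name))
    return findings

# Constructed policy for one internet edge (hypothetical rule format).
EDGE_RULES = [
    {"name": "block-smb-in", "dir": "in", "proto": "tcp", "ports": "445", "action": "deny"},
    {"name": "legacy-netbios", "dir": "both", "proto": "any", "ports": "135-139", "action": "allow"},
    # This deny never fires: "legacy-netbios" above already matches TCP 139.
    {"name": "block-139-out", "dir": "out", "proto": "tcp", "ports": "139", "action": "deny"},
    {"name": "allow-all-out", "dir": "out", "proto": "any", "ports": "any", "action": "allow"},
]

if __name__ == "__main__":
    for finding in exposed_smb(EDGE_RULES):
        print("still allowed:", finding)
```

On the constructed policy only inbound TCP 445 is actually blocked; the broad 135-139 allow and the catch-all egress rule leave the other seven direction/port combinations open.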


Search

If you are a Lastline customer, you can search for WannaCry activity by file hashes, Bitcoin addresses, kill switch domain names, registry keys, ransom note file information and IP address.

The SHA1 hashes include:


Bitcoin addresses

  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The behaviors to search include:


Figures 3 & 4: Examples of network informational detector for the SMB scanning traffic

Search for SMB scanning activity (as shown above in the screenshots of the Lastline analysis of network activity).

Search for creation of a specially named mutex created by the ransomware to prevent re-infecting already-compromised machines:
MsWinZonesCacheCounterMutexA

Search for creation of the program displaying the ransom notice: @WanaDecryptor@.exe

Search for DNS resolutions of the known “kill switch” domains:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com
  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Search for communication with the following IP addresses:


Keep in mind that these IPs are associated with sinkholes that may be used to track other threats, and therefore one of your systems communicating with these IP addresses does not necessarily indicate a WannaCry infection.

Search for the creation of a registry key for WannaCry v2.0 at the following location:

  • HKLM\SOFTWARE\WANACRYPT0R
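
The SMB scanning search and the kill-switch DNS search described above can be combined into one per-host triage. This is an added example, not Lastline's detection logic or code from the original article; the log tuple layouts, the threshold of 20 targets, the 60-second window and all function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domains exactly as listed in this article.
KILL_SWITCH = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
THRESHOLD = 20                  # assumed: distinct TCP 445 targets per window
WINDOW = timedelta(seconds=60)  # assumed window length

def kill_switch_clients(dns_rows):
    """dns_rows: (client, qname). Clients that queried a kill-switch name."""
    return {c for c, q in dns_rows if q.rstrip(".").lower() in KILL_SWITCH}

def smb_scanners(flows, threshold=THRESHOLD, window=WINDOW):
    """flows: (ts, src, dst, proto, dport). Returns {src: peak distinct targets}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    found = {}
    for src, ev in by_src.items():
        # Quadratic per source, fine for a hunt: count targets in each window.
        peak = max(len({d for t, d in ev if timedelta(0) <= t - s <= window}) for s, _ in ev)
        if peak >= threshold:
            found[src] = peak
    return found

def triage(dns_rows, flows):
    """Label each flagged host with the indicators it matched."""
    ks, scan = kill_switch_clients(dns_rows), smb_scanners(flows)
    return {h: "+".join(t for t, s in (("kill-switch", ks), ("smb-scan", scan)) if h in s)
            for h in ks | set(scan)}

def sample():
    """Constructed records with private addresses, not captured traffic."""
    t0, names = datetime(2017, 5, 12, 9, 0, 0), sorted(KILL_SWITCH)
    flows = [(t0 + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i}", "tcp", 445) for i in range(1, 26)]
    flows += [(t0 + timedelta(seconds=2 * i), "10.0.0.8", f"10.0.3.{i}", "tcp", 445) for i in range(1, 31)]
    flows += [(t0 + timedelta(seconds=i), "10.0.0.9", "10.0.0.2", "tcp", 445) for i in range(40)]  # file-server client
    flows += [(t0 + timedelta(minutes=10 * i), "10.0.0.6", f"10.0.2.{i}", "tcp", 445) for i in range(1, 26)]
    dns = [("10.0.0.5", names[1]), ("10.0.0.7", names[0].upper() + "."), ("10.0.0.9", "example.com")]
    return dns, flows
```

A host that matches only the kill-switch lookup still ran a sample, and a host that matches only the scan rule is consistent with the later versions that dropped the kill switch, so neither label alone clears a machine.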


Educate

Remind your users of the importance of not opening docs from senders they don’t recognize, and to be very cautious when opening any email with an attachment, even if it’s from a known user.

Also, with this outbreak there will likely be miscreants taking advantage of the confusion over versions and updates by sending your users realistic-looking phishing emails that claim to be from the IT department or Microsoft Support.

Deploy Security Controls

Utilize security controls like Lastline Enterprise across your network and remote locations that can identify malicious activity targeting your unpatched systems before you can deploy the updates. This includes products and services from our Technology Alliance Partners and Strategic Partners who utilize Lastline technology to detect behavior related to threats like WannaCry.

Patrick Bedwell


Patrick Bedwell has been creating and executing product marketing strategies for network security products for almost 20 years. He earned his BA from Cal Berkeley, and his MBA from Santa Clara University.