Published on May 15, 2017
By Oleg Kolesnikov, Securonix Threat Research Team
By now, anyone in cybersecurity and many who are not, know that on Friday, May 12, 2017, a large-scale ransomware cyberattack involving the #WannaCry aka WannaCrypt aka WannaCrypt0r 2.0 aka Wanna Decryptor was launched, infecting over 230k systems in 150+ countries. The Securonix Threat Research Team has been actively investigating and closely monitoring this high-profile attack since it started last Friday. Because of the severity and urgency of the attack, we’re releasing this detailed and technical post describing what we know as of Monday afternoon.
To date, this is the worst-ever ransomware attack in cyber history. While the spread of the ransomware slowed down over the weekend, thanks to a “kill-switch” discovered late Friday, there is still a risk of variants emerging over the next several days.
Many of our customers have reached out for more information about the threat. Are they at risk? What they can do about it? Here are some key facts:
Ransomware: This is a kind of malicious software that infects the storage of computer systems, encrypting critical files or the entire hard drive, making it inaccessible. The victim is offered an opportunity to unlock their critical data by paying ransom to the attacker. The ransom request is usually in the form of untraceable funds, BitCoin is the favored mechanism for payment. The malware spreads quickly across networked systems and may also affect online/shared data which may cripple entire organizations.
WannaCry/WannaCrypt0r: This particular ransomware targets Windows systems with the EternalBlue vulnerability (MS17-010), and propagates across devices not patched to address this vulnerability. Incidentally Microsoft has released a patch that fixes this gap. The attack code is targeting unpatched Windows 7, Server 2008 and earlier systems, including Windows XP, 2003, and Vista (see https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ for more details)
Infiltration vector(s): The primary attack vector is the Microsoft SMB Remote Code Execution Vulnerability (CVE-2017-0145, MS17-010) aka EternalBlue (see http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145 for more details). The attack vector involves the SMB ports tcp/139 and tcp/445. The infiltration can occur both on the internal network (from local infected machines) and from the Internet (in case the ingress on the SMB ports is not filtered out by the firewall).
Patches: The patch for MS17-010 for supported Microsoft platforms is available since April, 2017 (see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx); In addition, Microsoft released a KB4012598 patch for Microsoft platforms in custom support such as XP, 2003 (see https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).
Recovery: Based on the latest research, in some cases it may be possible to decrypt the files encrypted by WannaCry using the WanaKiwi decryptor. (Tested on WinXPx86, Win7x86, etc. See https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d and https://github.com/gentilkiwi/wanakiwi/releases for more details).
Observed Artifact Hash Values:
Behaviors - WannaCrypt0r Propagation
The attack leverages an exploit targeting the Microsoft SMB Remote Code Execution Vulnerability for remote code execution with SYSTEM privileges. No user action is required for a system to get infected. The exploit works over the tcp/139 and tcp/445 ports. Once a system gets infected, the system attempts to infect other systems both on a local network via locally connected interfaces and on the Internet by randomly generating target IP addresses and attempting to connect to the addresses.
The propagation is performed by connecting to internal/external targets using SMB Trans2 and attempting a transaction on FID 0, checking if the status returned is STATUS_INSUFF_SERVER_RESOURCES, and also checking for the "Multiplex ID" to be set to (0x51) to identify and reuse potential DOUBLEPULSAR backdoor infections to install a malicious payload. The result of the steps above is a significant increase in the volume of the SMBv1 activity from your internal hosts.
Behaviors - WannaCrypt0r “Kill switch” Domain
The current version of the WannaCrypt0r ransomware attempts to connect to the “kill switch” domain, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, via HTTP. If the connection is successful, the execution of the current version of the ransomware is stopped. Note that the “kill switch” domain can be easily modified by attackers if/when the subsequent variants of the malicious threat appear, so the recommendation is not to rely on the “kill switch” functionality as a way to prevent the infection.
There are also reports of a decryption password hardcoded in the ransomware binary, namely “[email protected]”. This password is used to decrypt the ransomware components, not the data on the victim’s machine.
Behaviors – WannaCrypt0r Host Activity
Some of the commands ran by this ransomware on the target include commands needed to delete shadow copies of files:
Assessing Impact and Spread
As part of the threat analysis, it may be necessary to detect internal systems that are vulnerable to this attack. In order to find out if any of the Windows systems are vulnerable, you can run the MS17-010_SUBNET python script from https://github.com/topranks/MS17-010_SUBNET as follows:
$ ./smb_ms17_010.py 10.7.1.0/24
Detection – Securonix Threat Model Indicators
Here is a summary of some of the possible Securonix predictive indicators to increase the chances of early detection of this and potentially other future variants of the WannaCrypt0r threat on your network (see Figure 4):
#1. Suspicious Process/Service Activity Anomalies
Rare Process Compared to Past Behavior (Event Rarity, Process Hash, Process Name)
Rare Service Compared to Past Behavior (Event Rarity, Service Name)
Process Execution From Previously Unseen File Paths (Event Rarity, Process Name, Execution Path)
Malicious Process Execution (Threat Intel Policy)
#2. Suspicious Network Activity Anomalies
Unusual Number of SMBv1 Requests Anomaly (Peak Usage Behavior Anomaly)
Unusual Number of SMBv1 Destinations Anomaly (Tier 2 Policy to Track Destinations)
#3. Outbound Traffic Anomalies
Traffic to Rare Domains Anomaly (Event Rarity – Proxy Analyzer-based Domain Visit Score);
Traffic to DGA Domains Anomaly (Event Rarity – Proxy Analyzer-based DGA Score);
Traffic to Known Blacklisted Domains Anomaly (Threat Intel Policy)
You can also use the Securonix Spotter threat-hunting tool to proactively hunt for behaviors and artifacts associated with WannaCrypt0r and other potential ransomware activity in your environment. For instance, you should be able to leverage Spotter queries based on network communications activity, ETDR processes, hashes, and other known behaviors and artifacts related to the ransomware activity described in this article.
If you have any further questions regarding this high-profile threat and how Securonix can be leveraged to detect the behaviors associated with the threat, please contact the Securonix Threat Research Team at [email protected]
Mitigation and Prevention - Securonix Recommendations
Here are some of the Securonix recommendations to help customers prevent and/or mitigate the attack propagation:
#1. Patch all Windows devices! It is crucial for organizations to ensure that their systems are up to date. This greatly reduces the overall risk that a cyber attack like this will impact your organization. Patch all impacted Windows systems as soon as possible using the MS17-010 Microsoft Tuesday bulletin: https://technet.microsoft.com/library/security/MS17-010. Other applications should also be kept up to date.
#2. Backup critical data. Ransomware was the primary attack vector for organizations in 2016, and the trend is continuing this year as well. Even a simple backup strategy, like copying important files and documents to a secondary hard drive for individual laptops/desktops will dramatically speed up the recovery time. Application and shared-drive data must be under a stricter regimen with a well defined backup strategy.
#3. If SMBv1 is not required for BAU, reference these recommendations to disable on all internal systems as soon as possible: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
#4. Block tcp/139 and tcp/445 for ingress from the Internet, partners etc as soon as possible.
Consider enabling direct access to the “kill switch” domain over HTTP from all the internal systems (add a firewall rule override for non-transparent proxies to ensure all systems are able to connect to the domain via HTTP) but do not rely on this as a primary way to prevent the infection since the kill switch mechanism may be removed/changed in future variants of the malware.
#5. Consider restricting access to TOR exit nodes from your network, isolate all impacted legacy Windows systems e.g. Windows XP, Windows Server 2003, etc.
#6. Implement application whitelisting/strict implementation of Software Restriction Policies (SRP) to prevent binaries from being executed from %APPDATA%, %PROGRAMDATA% and %TEMP% Windows directories to address ransomware droppers executing from these locations. Enforce this policy on all of your endpoints.
#7. Educate your end users by informing them of the threat. Remind them of the basic cyber-security good practices, like treating unknown email attachments as suspicious, not allowing macros to run, not opening emails from unknown senders, not clicking on any links, etc.
As with online activity and cyber-security, always make sure to adopt and practice good cyber-hygiene when using the web, email, social and other computer systems and activities.