Securonix Threat Research: What We Know About the WannaCry Ransomware Attack and What You Should Do To Protect Yourself

By Oleg Kolesnikov, Securonix Threat Research Team

By now, anyone in cybersecurity and many who are not, know that on Friday, May 12, 2017, a large-scale ransomware cyberattack involving the #WannaCry aka WannaCrypt aka WannaCrypt0r 2.0 aka Wanna Decryptor was launched, infecting over 230k systems in 150+ countries. The Securonix Threat Research Team has been actively investigating and closely monitoring this high-profile attack since it started last Friday. Because of the severity and urgency of the attack, we’re releasing this detailed and technical post describing what we know as of Monday afternoon.

To date, this is the worst-ever ransomware attack in cyber history. While the spread of the ransomware slowed down over the weekend, thanks to a “kill-switch” discovered late Friday, there is still a risk of variants emerging over the next several days.

Many of our customers have reached out for more information about the threat. Are they at risk? What they can do about it? Here are some key facts:

Ransomware: This is a kind of malicious software that infects the storage of computer systems, encrypting critical files or the entire hard drive, making it inaccessible. The victim is offered an opportunity to unlock their critical data by paying ransom to the attacker. The ransom request is usually in the form of untraceable funds, BitCoin is the favored mechanism for payment. The malware spreads quickly across networked systems and may also affect online/shared data which may cripple entire organizations.

WannaCry/WannaCrypt0r: This particular ransomware targets Windows systems with the EternalBlue vulnerability (MS17-010), and propagates across devices not patched to address this vulnerability. Incidentally Microsoft has released a patch that fixes this gap. The attack code is targeting unpatched Windows 7, Server 2008 and earlier systems, including Windows XP, 2003, and Vista (see https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ for more details)

Infiltration vector(s): The primary attack vector is the Microsoft SMB Remote Code Execution Vulnerability (CVE-2017-0145, MS17-010) aka EternalBlue (see http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145 for more details). The attack vector involves the SMB ports tcp/139 and tcp/445. The infiltration can occur both on the internal network (from local infected machines) and from the Internet (in case the ingress on the SMB ports is not filtered out by the firewall).

Patches: The patch for MS17-010 for supported Microsoft platforms is available since April, 2017 (see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx); In addition, Microsoft released a KB4012598 patch for Microsoft platforms in custom support such as XP, 2003 (see https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).

Recovery: Based on the latest research, in some cases it may be possible to decrypt the files encrypted by WannaCry using the WanaKiwi decryptor. (Tested on WinXPx86, Win7x86, etc. See https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d and https://github.com/gentilkiwi/wanakiwi/releases for more details).

Observed Artifact Hash Values:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

Behaviors – WannaCrypt0r Propagation

The attack leverages an exploit targeting the Microsoft SMB Remote Code Execution Vulnerability for remote code execution with SYSTEM privileges. No user action is required for a system to get infected. The exploit works over the tcp/139 and tcp/445 ports. Once a system gets infected, the system attempts to infect other systems both on a local network via locally connected interfaces and on the Internet by randomly generating target IP addresses and attempting to connect to the addresses.

The propagation is performed by connecting to internal/external targets using SMB Trans2 and attempting a transaction on FID 0, checking if the status returned is STATUS_INSUFF_SERVER_RESOURCES, and also checking for the “Multiplex ID” to be set to (0x51) to identify and reuse potential DOUBLEPULSAR backdoor infections to install a malicious payload. The result of the steps above is a significant increase in the volume of the SMBv1 activity from your internal hosts.

Behaviors – WannaCrypt0r “Kill switch” Domain

The current version of the WannaCrypt0r ransomware attempts to connect to the “kill switch” domain, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, via HTTP. If the connection is successful, the execution of the current version of the ransomware is stopped. Note that the “kill switch” domain can be easily modified by attackers if/when the subsequent variants of the malicious threat appear, so the recommendation is not to rely on the “kill switch” functionality as a way to prevent the infection.

There are also reports of a decryption password hardcoded in the ransomware binary, namely “[email protected]”. This password is used to decrypt the ransomware components, not the data on the victim’s machine.

Behaviors – WannaCrypt0r Host Activity

Some of the commands ran by this ransomware on the target include commands needed to delete shadow copies of files:

Assessing Impact and Spread

As part of the threat analysis, it may be necessary to detect internal systems that are vulnerable to this attack. In order to find out if any of the Windows systems are vulnerable, you can run the MS17-010_SUBNET python script from https://github.com/topranks/MS17-010_SUBNET as follows:
$ ./smb_ms17_010.py 10.7.1.0/24

Detection – Securonix Threat Model Indicators

Here is a summary of some of the possible Securonix predictive indicators to increase the chances of early detection of this and potentially other future variants of the WannaCrypt0r threat on your network (see Figure 4):

#1. Suspicious Process/Service Activity Anomalies
Rare Process Compared to Past Behavior (Event Rarity, Process Hash, Process Name)
Rare Service Compared to Past Behavior (Event Rarity, Service Name)
Process Execution From Previously Unseen File Paths (Event Rarity, Process Name, Execution Path)
Malicious Process Execution (Threat Intel Policy)

#2. Suspicious Network Activity Anomalies
Unusual Number of SMBv1 Requests Anomaly (Peak Usage Behavior Anomaly)
Unusual Number of SMBv1 Destinations Anomaly (Tier 2 Policy to Track Destinations)

#3. Outbound Traffic Anomalies
Traffic to Rare Domains Anomaly (Event Rarity – Proxy Analyzer-based Domain Visit Score);
Traffic to DGA Domains Anomaly (Event Rarity – Proxy Analyzer-based DGA Score);
Traffic to Known Blacklisted Domains Anomaly (Threat Intel Policy)

You can also use the Securonix Spotter threat-hunting tool to proactively hunt for behaviors and artifacts associated with WannaCrypt0r and other potential ransomware activity in your environment. For instance, you should be able to leverage Spotter queries based on network communications activity, ETDR processes, hashes, and other known behaviors and artifacts related to the ransomware activity described in this article.

If you have any further questions regarding this high-profile threat and how Securonix can be leveraged to detect the behaviors associated with the threat, please contact the Securonix Threat Research Team at [email protected]

Mitigation and Prevention – Securonix Recommendations

Here are some of the Securonix recommendations to help customers prevent and/or mitigate the attack propagation:

#1. Patch all Windows devices! It is crucial for organizations to ensure that their systems are up to date. This greatly reduces the overall risk that a cyber attack like this will impact your organization. Patch all impacted Windows systems as soon as possible using the MS17-010 Microsoft Tuesday bulletin: https://technet.microsoft.com/library/security/MS17-010. Other applications should also be kept up to date.

#2. Backup critical data. Ransomware was the primary attack vector for organizations in 2016, and the trend is continuing this year as well. Even a simple backup strategy, like copying important files and documents to a secondary hard drive for individual laptops/desktops will dramatically speed up the recovery time. Application and shared-drive data must be under a stricter regimen with a well defined backup strategy.

#3. If SMBv1 is not required for BAU, reference these recommendations to disable on all internal systems as soon as possible: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

#4. Block tcp/139 and tcp/445 for ingress from the Internet, partners etc as soon as possible.
Consider enabling direct access to the “kill switch” domain over HTTP from all the internal systems (add a firewall rule override for non-transparent proxies to ensure all systems are able to connect to the domain via HTTP) but do not rely on this as a primary way to prevent the infection since the kill switch mechanism may be removed/changed in future variants of the malware.

#5. Consider restricting access to TOR exit nodes from your network, isolate all impacted legacy Windows systems e.g. Windows XP, Windows Server 2003, etc.

#6. Implement application whitelisting/strict implementation of Software Restriction Policies (SRP) to prevent binaries from being executed from %APPDATA%, %PROGRAMDATA% and %TEMP% Windows directories to address ransomware droppers executing from these locations. Enforce this policy on all of your endpoints.

#7. Educate your end users by informing them of the threat. Remind them of the basic cyber-security good practices, like treating unknown email attachments as suspicious, not allowing macros to run, not opening emails from unknown senders, not clicking on any links, etc.

As with online activity and cyber-security, always make sure to adopt and practice good cyber-hygiene when using the web, email, social and other computer systems and activities.