WannaCry: A Massive Ransomware Outbreak

WannaCry: What do you need to know?



Following the release of NSA hacking dumps by Shadow Brokers, blackhat hacker groups used 2017’s most famous Microsoft Windows exploit created by NSA's “ETERNALBLUE” which takes advantage of a vulnerability in Windows SMB protocol. The hacker group behind WannaCry ransomware launched the largest cyber attack in years infecting more than 200,000 computers across the globe. The attack soon invaded the news creating a wave of cyber panic across Microsoft Windows users.

Note: If you want to skip the details and jump directly to the steps needed to block the attack then go to "Preventive Measures" section.


Surface of Infection

The ransomware is known to be using NSA’s SMB vulnerability in Microsoft Windows operating system which was patched on March 14, 2017 - two months before WannaCry attack and one month before the release of ETERNALBLUE. The attack vector was initiated mainly through massive spear phishing campaigns to trick the user to open a malicious URL or attached document that executes a dropper that download the ransomware.

In order to protect your organization or systems from infection through this attack surface, you must have a strong and properly configured email filtering gateway with URL and attachment inspection. These features will help identify malicious emails used in the attack campaign and reduce your risk of infection.

Data Consult works with Cisco to provide clients with the needed security solution to defend against malicious and potentially harmful emails using Cisco’s Ironport Email Security Appliance (ESA) that provides a feature set consisting of Anti-Spam, Content filtering, URL filtering, Advanced Malware Protection(AMP), and Cloud Security Intelligence.


Indications of Compromise

File Extensions and Executables

WannaCry ransomware is reported to encrypt files with certain files extensions mentioned below then appends the file extension to .wcry in its name.

WannaCry encrypts the below extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Below are some of the sample file variants and extension variants that appear on the infected systems and hosts:
  • *.wcry
  • *.wncry
  • *.wncrypt*
  • *@Please_Read_Me@.txt*
  • @WanaDecryptor@.exe
  • tasksche.exe
  • taskdl.exe
  • taskse.exe
  • lhdfrgui.exe
  • LODCTR.EXE
  • cliconfg.exe
  • C:\Users\*\AppDataLocal\Temp\taskdl.exe
  • *Global\MsWinZonesCacheCounterMutexA*
  • 300921484251324.bat
  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Data Consult provides its customers with solutions that have advanced malware detection, sandboxing and analysis to detect malicious behavior of WannaCry mentioned above using products from Cisco Endpoint AMP, Palo Alto Networks Traps, Avecto Privilege Management, to ESET Endpoint Security.

Domains

WannaCry domains:
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
WannaCry Tor domains:
  • gx7ekbenv2riucmf[.]onion
  • 57g7spgrzlojinas[.]onion
  • Xxlvbrloxvriy2c5[.]onion
  • 76jdd2ir2embyv47[.]onion
  • cwwnhwhlz52maqm7[.]onion
  • sqjolphimrr7jqw6[.]onion
WannaCry IPs
  • 188[.]166[.]23[.]127:443 - Tor Exit Node
  • 193[.]23[.]244[.]244:443 - Tor Exit Node
  • 2[.]3[.]69[.]209:9001 - Tor Exit Node
  • 146[.]0[.]32[.]144:9001 - Tor Exit Node
  • 50[.]7[.]161[.]218:9001 - Tor Exit Node
  • 128.31.0[.]39 - Tor Exit Node
  • 213.61.66[.]116 - Tor Exit Node
  • 212.47.232[.]237 - Tor Exit Node
  • 81.30.158[.]223 - Tor Exit Node
  • 79.172.193[.]32 - Tor Exit Node
Data Consult advises its clients to use an industry leading Proxy device to protect its systems and users from accessing malicious URLs and domains such as ProxySG provided by BlueCoat.

Preventive Measures

A Kill-Switch to stop the worm from spreading

Kill-Switch is a technical term to name a mechanism that stops or ceases a functionality or behavior. The first two - and most spread - variants of WannaCry had simple Kill-Switches that would stop the attack process and stop the SMB worm that the ransomware deploys from spreading into other systems. You can protect your systems from most of the attack variants by configuring a DNS Sinkhole on the domains of WannaCry on your DNS Server/Provider, Proxy or URL filtering device.
Note: Do not deny the below domains as some WannaCry variants will continue the process of spreading in the network if the DNS queries did not return a response, regardless if the response was valid or not. 

Sinkhole the below two domains to stop WannaCry worm from furtherly spreading inside your network:
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Data Consult provides its customer with state of the art solutions to configure DNS Sinkholing and detect infected hosts and systems inside the enterprise network. Both Cisco Umbrella for DNS protection and Palo Alto Networks Anti-Spyware provide this feature with comprehensive reporting on infected systems.

Disable SMBv1

Additionally, you can manually disable the vulnerability in the SMB protocol by following few and simple steps as described below:
  1. Open Control Panel
  2. Navigate to Programs and Features
  3. Select Turn Windows features on or off from the left pane
  4. Disable SMB 1.0 / CIFS File Sharing Support


Data Consult works with various vendors to provide the clients with comprehensive solutions and advise them to use the most effective products to protect their organization from such attacks.
Using a Next Generation Firewalls that include Intrusion Prevention System (IPS), Application Whitelisting, URL filtering, AMP  provided by Cisco and Palo Alto Networks can stop the infection at the early stages, by ceasing the communication to the malicious domains and URLs, as well as inspecting traffic for the SMB exploit.

Recommendation

  1. Apply Microsoft Security update MS17-010 on all your systems
  2. Apply Cisco IPS Signatures Rule ID: 42329-42332, 42340, 41978
  3. Apply Palo Alto Networks Rule ID: 38353, 38590, 38591, 39002, 39003
  4. Make sure you have regular backups available of all business critical systems and data
  5. Disable SMBv1 and block all versions of SMB at the network perimeter by blocking TCP port 139 and TCP 445 on all edge devices
  6. Perform a Vulnerability Assessment or Penetration Testing to indicate your attack surface and affected systems and components
  7. Restrict downloads of Microsoft Word macro files and disable them
  8. Restrict the download of malicious files and  executables
  9. Make sure your AV system is up-to-date
  10. Only use administrator privilege/accounts when needed
  11. In case of infection, always isolate the targets
  12. Avoid opening Microsoft office files from untrusted sources
Latest
Previous
Next Post »