Over the weekend thousands of machines around the world became infected with a ransomware variant called WannaCry (or WannaCrypt, Wcry, etc.). News outlets and social media have been busy reporting on this outbreak, sometimes with inaccurate information. The purpose of this blog post is to regroup on many conflicting statements on the ransomware and to summarize coverage from our perspective at ProtectWise.
How Does WannaCry Infect a Host?
WannaCry's primary infection vector is through publicly accessible hosts running an unpatched version of Windows via the SMB protocol. The "worm" aspect to WannaCry infects these hosts and then scans the internal VLAN and public IP ranges. It does this in an attempt to find other vulnerable hosts to exploit before repeating the process. So the more victims there are, the higher the chance there is of WannaCry finding another host to infect and to continue spreading. Although the host that first kicked off the scanning has not yet been confirmed, speculation suggests that it may have started by users visiting an Exploit Kit landing page or clicking a link in a malicious email. While such tactics are common for ransomware, it has not been confirmed that WannaCry uses these methods to infect.
How Does WannaCry Spread?
WannaCry spreads primarily over SMB, but it can also use RDP. Once it infects a host, WannaCry scans the local network (VLAN IP Range) and public IP ranges. These scans are simply Syn requests via port 445 or 139 to identify hosts accepting the protocol. SMB, in particular, will then be used to send an exploit for the MS17-010 vulnerability.
As also confirmed by the sources below, ProtectWise observed a significant increase in hosts scanning the internet for SMB accessibility across our global customer sensor deployments. Most noticeable from the below screenshot, the scanning spiked on Friday when WannaCry began gaining traction, followed by a quick drop into the weekend.
The image below demonstrates how The ProtectWise Grid visualizes WannaCry’s attempts to spread, post-infection, using the SMB protocol.
What Networks are Vulnerable?
Any network with hosts running a version of the Windows operating system missing the MS17-010 patches is vulnerable to WannaCry's infection mechanism. The patches for Microsoft (currently supported) operating systems were released on March 14, 2017 following the Shadow Brokers leak.
While older OS’s like Windows XP and Windows Server 2003 are vulnerable, there were no patches being released since these products are End of Life. However, media attention and the widespread infection of WannaCry allowed Microsoft to release patches for unsupported operating systems as well.
What Can I Do to Prevent An Infection?
First, ensure your operating system is completely updated with patches. Blocking inbound SMB and RDP can also prevent an infected host from reaching vulnerable hosts inside your network. Blocking outbound SMB and RDP can also help prevent your infected hosts from adding to the chaos and continued spread.
The version of WannaCry with the worm feature contains a hard-coded domain (originally unregistered) as a possible simulated-network check. This variant performs a simple HTTP GET request for the domain, and if it receives a reply the host would not be encrypted by WannaCry.
Speculation suggests this was the malware attempting to check for fabricated network traffic commonly found in sandboxing solutions used by security researchers. A fellow researcher sinkholed the domain which helped prevent further hosts from initiating their encryption/infection.
If your network is blocking these domains, you may be aiding in your hosts becoming encrypted. Instead, the research community recommends leaving the domain unblocked so the reply can be received which stops the ransomware from encrypting the host. Newer ransomware similar to WannaCry has already been observed which do not contain this killswitch. Due to the attention around WannaCry, we expect to see other malware authors duplicating these tactics as well.
Who Created The Malware?
The creator of WannaCry has not been discovered, however, there are early reports that the malware has been tied to an advanced actor called Lazarus Group. This group has been previously linked to the DPRK/North Korea.
Detection Available with The ProtectWise Grid
Rules available in The ProtectWise Grid detect the SMB exploit, as shows in the image below. You can search for the rules using the Intel tab in user interface.
The various C2 destinations currently used by this ransomware family are all detectable in their appropriate IPrep, DNSrep, and URLrep categories. The requests are currently detected under the following rules.
NOTE: Monitor activity to these domains closely, as the health and agenda of the sinkhole owners are not always known. The list is expected to grow daily.
The high rate of outbound SMB attempts, post infection, will trigger the "Outbound SMB Scanning" heuristic observation. The screenshot below, from Killbox tab in The ProtectWise Grid, shows one second of outbound scanning to many global hosts. All PCAPs can be retrieved by pivoting into Explorer tab.