WannaCry ransomware-worm targets unpatched systems

Updated Tuesday 16 May 2017.

Analysis

Recent campaigns have tended to be in the form of trojans: pieces of malware that typically arrive on a machine via social engineering tactics and then conduct their malicious behaviour (be that data exfiltration, file encryption, or something else) locally on that machine. The malware used in this outbreak - named variously WannaCry, WCry, and WannaCrypt0r 2.0 - was ultimately of a different family: a worm. Worms have the ability to self-propagate once they are inside an organisation, spreading from machine to machine using unpatched vulnerabilities in the Windows operating system. In this case the malware used the EternalBlue vulnerability for which Microsoft made a patch available through MS17-010 in March 2017.

The initial entry to an organisation in this case appears to have been through a low-volume email campaign linking to a compromised website. If the email makes it through to an end user and they click on the link it starts a chain of events that leads to the download of the WannaCry ransomware worm. The malware then sets about finding vulnerable computers on the network, copying itself to these machines, encrypting their files, and demanding a $300 ransom.

The malware also changes the background on the affected machine:

The actors behind the malware appear to be using multiple Bitcoin wallets to receive payments. At the time of writing, the wallet referred to in the image above had received a total of 23 transactions totaling 4.266 Bitcoins (approximately $7,400 USD) [1], but this is likely only a small fraction of the revenue generated by this campaign.

Conclusions

Forcepoint users were protected from the initial email by our email, web security, and NGFW security products, but the nature of this attack is that one email missed or accidentally released from quarantine can leave an organisation vulnerable to having its systems encrypted. As we observed in our blog post on the Jaff ransomware earlier this week, taking a defence-in-depth approach to security ensures that an attack can potentially be stopped in several points along the kill chain.

As with any email-based campaign user education is a critical component of limiting these attacks: if self-propagating ransomware becomes the new paradigm the risks posed to organisations by a user - however unintentionally - following a malicious link or opening a malicious file are multiplied greatly. Beyond this, the MS17-010 vulnerability exploited by this malware has been patched for nearly two months. This goes some way to explain the significant variation in impact seen within different organisations and highlights the need for a robust and timely patching process.

As of 13 May 2017, it has been confirmed that the malware will not spread if it can contact a hard-coded 'kill-switch' domain: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

As always, Forcepoint Security Labs will continue to investigate and monitor this new threat.

Update: Sunday 14 May 2017

As expected, a new variant of WannaCry has been released without the kill-switch feature. The Forcepoint product suite continues to provide protection against this new variant.

Update: Monday 15 May 2017

In addition to the version identified with no kill-switch feature, an additional version with an alternate kill-switch has been positively identified: hxxp://www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

While the most obvious Indicators of Compromise (IOCs) for this campaign are the changed desktop background and ransom message shown above, a number of other behavioural artefacts have been documented which, in the absence of the ransom message, may be indicative of a partial or failed attack. These are listed below:

Kill-Switch URLs

Note Requests for these domains have, to date, only been recorded as shown above: i.e. an HTTP (not HTTPS) request for the www domain only, with no appended path.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
hxxp://www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Tor Hidden Service (Onion Site) Command & Control Servers

Note Connections to Tor nodes alone should not be treated as an IOC for WannaCry. These connections are relevant only when combined with other IOCs.

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Requests to Tor Hidden Services must be made via the Tor network - the malware itself installs a Tor client to this end. As a result of this behaviour, organisations may see one or more Tor nodes being contacted by infected machines. Connections to Tor typically occur across port 9001/TCP, but many other ports (including 443/TCP) are also in use. The list of Tor nodes changes frequently, but several websites including https://torstatus.blutmagie.de/ and https://www.dan.me.uk/tornodes provide extensive lists of nodes against which observed IP addresses can be checked.

Update: Tuesday 16 May 2017

Forcepoint Security Labs have now published an in-depth analysis of the EternalBlue propagation method used by the WannaCry campaign. This can be found here: /security-labs/wannacry-post-outbreak-analysis

Update: Thursday 18 May 2017

After extensive analysis of the email campaigns initially considered to have potential links with the WannaCry campaign launched on Friday 12 May 2017, Forcepoint Security Labs have found no evidence to date of an initial lure.
 
There is strong evidence to suggest that the rapid spread of the malware after the initial outbreak was identified was solely a result of the self-propagation capability which so characterizes this campaign (see /security-labs/wannacry-post-outbreak-analysis for further analysis of this capability).
 
These findings do not necessarily preclude the existence of a very low volume email campaign containing either a malicious attachment or download URL in order to infect ‘Patient Zero’ with the WannaCry malware. However, the possibility must be considered that such a campaign either: (a) does not exist, forcing the conclusion that initial infection was by the same means as the subsequent propagation; or (b) exists, but is unlikely to ever be identified for this outbreak.
 
Forcepoint Security Labs will continue to monitor email telemetry for indicators of WannaCry distribution, both for this campaign and any possible future campaigns.
 

Recommendations

• Ensure that the MS17-010 security update is installed on all Windows machines within the organisation.
• Ensure that you have email and web security that can block malicious emails, block intermediate download stages with Real Time Security Signatures (RTSS), and provide URL wrapping for additional protection.
• In line with Microsoft's guidance from 2016 [2], customers should consider disabling SMBv1 and other legacy protocols on all Windows systems [3] where this will not negatively impact the function of legacy systems within the environment. If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBArticle?id=000012832

For the time being, it may additionally be desirable to ensure that the 'kill-switch' domains are not blocked within your organisation in order to stop propagation of the malware. However, as with any whitelist entry, this should only be employed for long enough to ensure that other, more permanent protections are in place.

For additional general guidance on ransomware, please visit https://www.forcepoint.com/ransomware.

Forcepoint customers can find product-specific guidance on ensuring their protection in the following Knowledge Base articles:

• Web https://support.forcepoint.com/KBArticle?id=Protecting-your-organization-against-WannaCryptor-ransomware
• Email https://support.forcepoint.com/KBArticle?id=Protecting-email-from-WannaCry-worm
• NGFW https://support.forcepoint.com/KBArticle?id=Blocking-Wannacry-in-Forcepoint-NGFW

References

[1] https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

[2] https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

[3] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012