For those of us in the IT Security profession, Friday May 12 was Black Friday. Networks in healthcare and critical infrastructure across at least 99 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry. The bulk of infections were reported in Russia, Taiwan and Spain.
First observed targeting UK hospitals and Spanish banks, big companies like Telefónica, Vodafone and FedEx had some of their systems infected with the threat that also hit rail stations and universities. The Spanish CERT issued an alert warning the organizations and confirming that the malware was rapidly spreading.
Is it over? Will it happen again?
A sample of malware was reverse engineered and found to contain a “kill switch“. The malware tries to resolve a particular domain name and if it exists, it self destructs. This domain has been registered and so, if you are infected and this particular strain is able to successfully resolve that domain name using your internet connection and DNS settings, then it will apparently terminate itself. Obviously hope is not a strategy and assuming that we don’t have to do anything now is a big mistake. It is inevitable that a new strain which won’t have any such kill switch will emerge. Accordingly, it is imperative to strengthen defenses.
How it spreads
Initial infection is possibly via phishing email. CERT also reported that the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise. Once the infection has taken root, it spreads across the network looking for new victims using the Server Message Block (SMB) protocol. The ransomware uses the Microsoft vulnerability MS17-10. This vulnerability was used by ETERNALBLUE, an exploit that was developed by the NSA and released to the public by the Shadow Brokers, a hacker group on April 14, 2017. Microsoft released a patch for this vulnerability on March 14, one month before the release of the exploit.
What it does
Once the infection is on the machine, it encrypts files and shows a ransom note asking for $300 or $600 worth of bitcoin.
As described by CERT, the WannaCry ransomware is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.
What steps has EventTracker SIEMphonic taken?
- Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
- Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at firstname.lastname@example.org and we will perform a scan at your convenience.
- Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of WannaCry C&C servers and domain names used by the malware
- Added an alert if we see any logs containing the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which is used by WannaCry
- Watching Change Audit snapshots in your network for changes to registry (RunOnce) and for files with extension .wncry
- Updated ETIDS with snort signatures as described by the SANS Internet Storm Center
- Performing log searches using known IOCs
Recommended steps for prevention
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
- Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out of ordinary behavior.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.