
Insights of WannaCry ransomware

The recent WannaCry outbreak (WannaCrypt/WannaCrypt0r and variants) is ransomware built on exploits that were leaked by the Shadow Brokers hacker group, who published several hacking tools used by the National Security Agency (NSA).

Like other ransomware, WannaCry is designed to infect Windows machines, encrypt all important and personal files, propagate to other systems and ask the user to pay a huge amount of money to (hypothetically) recover the encrypted files. WannaCry uses multiple components: it infects the host (using kernel escalation through the DoublePulsar exploit), encrypts personal files (using 2048-bit RSA) and self-propagates (SMB spreading through the EternalBlue exploit).

Multiple variants have been discovered. Fortunately, the spread of the first variant, which carries a kill switch, has been stopped. A second version without a kill switch is propagating, but its ransomware payload fails to deploy properly: the decompression is not working, while the spreading still works because EternalBlue and DoublePulsar are unaffected. Upcoming versions will very likely deploy properly without a kill switch.

How and Why WannaCry Propagated So Quickly

First of all, the propagation mechanism is not new. The main vectors are infected emails carrying a document with an embedded JS macro, or phishing and social engineering tactics. After a victim's computer is compromised, the ransomware tries to self-propagate: its own network scanner looks for additional SMBv1 machines and the EternalBlue exploit is used to infect them.

This vulnerability could allow remote code execution if an attacker sends specially crafted messages to an SMBv1 server. WannaCry uses this vector to self-deploy and propagate. Microsoft released a patch under advisory MS17-010 in March 2017 to fix the vulnerabilities in Windows systems, but unfortunately a huge number of outdated and unpatched Windows devices are still up and running.

Monitoring & Remediation

Your network and security teams can join forces to respond to security attacks. This list has been designed to help your organization stay alert and to reduce the scope of any WannaCry propagation.

As described, WannaCry relies on multiple vectors to propagate and infect systems. Fewer SMB open doors result in fewer chances for the ransomware to self-propagate.

Alerting / Detection

The first version of WannaCry has a kill switch domain. It is important not to block this domain, as it is a good trigger for detecting devices infected with this version: we can be alerted whenever the kill switch domain (or a variant's domain) has been queried from the network, so capturing DNS and proxy server logs is a good practice. EternalBlue spreads the ransomware through SMBv1 and tries to discover other SMBv1-enabled servers, which can generate a huge number of ARP and TCP SYN packets. Knowing the normal level of these protocols on the network is useful: an abnormal peak will trigger an alarm and identify which devices are generating unusual ARP / TCP SYN traffic.
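The two detections described above, written out as an added example that is not part of the original post: the first function flags DNS queries for the kill switch domain (the post does not name it, so a placeholder domain is used and must be replaced with the real indicator), and the second flags hosts whose TCP SYN rate for the current minute is far above their own baseline. The DNS log format, the flow-collector export format and all log lines are constructed for the example.

```python
"""Added detection example (not from the original post): kill switch DNS lookups
and per-host TCP SYN bursts, evaluated over constructed log data."""
from __future__ import annotations

import re
import statistics

# Placeholder: the post does not name the kill switch domain. Replace with the real
# indicator; do NOT block it, just alert on lookups (see the post above).
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed DNS resolver log lines. Assumed format: "<ts> <client_ip> query <qname>".
DNS_LOG = """\
2017-05-12T10:00:01 10.0.0.15 query intranet.example
2017-05-12T10:00:02 10.0.0.23 query killswitch-domain.example
2017-05-12T10:00:05 10.0.0.23 query www.killswitch-domain.example.
2017-05-12T10:00:09 10.0.0.40 query update.example
"""

DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s*$")


def is_kill_switch(qname: str) -> bool:
    """True if qname is the kill switch domain or a subdomain of it."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in KILL_SWITCH_DOMAINS)


def kill_switch_lookups(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every lookup of the kill switch domain.
    Each hit identifies a host that is most likely running the first WannaCry variant."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and is_kill_switch(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


# Constructed baseline: SYN packets per minute sent by each host over previous minutes
# (assumed to come from a flow collector). Real baselines should span days, not minutes.
SYN_BASELINE = {
    "10.0.0.15": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12],
    "10.0.0.23": [10, 9, 11, 10, 12, 10, 9, 11, 10, 10],
    "10.0.0.40": [30, 28, 33, 31, 29, 30, 32, 30, 31, 29],
}
# Constructed current minute: 10.0.0.23 has started probing every address in its /24.
SYN_CURRENT = {"10.0.0.15": 14, "10.0.0.23": 254, "10.0.0.40": 35}


def syn_outliers(baseline: dict[str, list[int]], current: dict[str, int],
                 k: float = 4.0, min_sigma: float = 2.0) -> list[tuple[str, int, float]]:
    """Return (host, current_count, baseline_mean) for hosts whose SYN count exceeds
    mean + k * sigma of their own history. min_sigma stops a very quiet host from
    alarming on a change of one or two packets."""
    out = []
    for host, count in current.items():
        hist = baseline.get(host)
        if not hist:
            continue  # no baseline yet: cannot judge this host, handle separately
        mu = statistics.fmean(hist)
        sigma = max(statistics.pstdev(hist), min_sigma)
        if count > mu + k * sigma:
            out.append((host, count, round(mu, 1)))
    return out


if __name__ == "__main__":
    for ts, client, qname in kill_switch_lookups(DNS_LOG):
        print(f"ALERT kill switch lookup {qname} from {client} at {ts}")
    for host, count, mu in syn_outliers(SYN_BASELINE, SYN_CURRENT):
        print(f"ALERT SYN burst from {host}: {count}/min (baseline {mu}/min)")
```

The same z-score check applies unchanged to per-host ARP request counts; the threshold constants are starting points and should be tuned against the network's own history so that backup jobs and vulnerability scanners do not fire it.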

Remediation

It is urgent to detect which devices on the network are still using SMBv1. In addition to scanning the network with tools like Nmap, this can be done by creating a real-time alarm on network traffic (the SMBv1 header carries a distinctive signature). Urgent action is needed to switch off the SMBv1 stack on Windows machines.

An application-aware NPMD (network performance monitoring and diagnostics) solution is a huge advantage for decoding application-level messages. Alerting and trending on application messages gives a very good hint of where to look first to discover compromised devices: WannaCry will trigger a huge number of SMB CREATE, DELETE and RENAME operations.
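An added example (not code from the original post) that covers the two passages above: it classifies captured SMB messages as SMBv1 or SMBv2 from the protocol identifier at the start of the SMB header (0xFF 'SMB' for SMBv1, 0xFE 'SMB' for SMBv2, after the 4-byte NetBIOS session header), builds an inventory of hosts still speaking SMBv1, and counts SMBv1 CREATE, DELETE and RENAME commands per client so that a burst of file operations can raise an alarm. The packet tuples and their payload bytes are constructed for the example; the alert threshold is an assumption to be tuned per network.

```python
"""Added example (not from the original post): SMBv1 detection by header signature and
per-client counting of SMB file operations over constructed packet captures."""
from __future__ import annotations

from collections import Counter, defaultdict

# SMBv1 command codes from the SMB header byte at offset 4 (MS-CIFS).
SMB1_FILE_OPS = {0xA2: "CREATE", 0x06: "DELETE", 0x07: "RENAME"}  # NT_CREATE_ANDX, DELETE, RENAME
SMB1_NEGOTIATE = 0x72
SMB2_CREATE = 0x0005  # SMB2 Command field (MS-SMB2); delete/rename are SET_INFO bodies, not decoded here


def parse_smb(payload: bytes) -> tuple[str | None, int | None]:
    """Classify one TCP/445 message. Returns ("SMB1", command_byte), ("SMB2", command_word)
    or (None, None) when the bytes are not a NetBIOS session message carrying SMB."""
    if len(payload) < 8 or payload[0] != 0x00:      # NetBIOS session message type must be 0x00
        return None, None
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if body[:4] == b"\xffSMB" and len(body) >= 32:  # SMBv1: fixed 32-byte header, command at +4
        return "SMB1", body[4]
    if body[:4] == b"\xfeSMB" and len(body) >= 64:  # SMBv2: 64-byte header, 2-byte command at +12
        return "SMB2", int.from_bytes(body[12:14], "little")
    return None, None


def analyse(packets, ops_threshold: int = 50):
    """Return (hosts speaking SMBv1, clients whose SMBv1 file-op count meets the threshold).
    packets: iterable of (timestamp, src_ip, dst_ip, payload_bytes) for one time window."""
    smb1_hosts: set[str] = set()
    ops: dict[str, Counter] = defaultdict(Counter)
    for _ts, src, _dst, payload in packets:
        version, cmd = parse_smb(payload)
        if version == "SMB1":
            smb1_hosts.add(src)                       # inventory: still needs SMBv1 disabled
            if cmd in SMB1_FILE_OPS:
                ops[src][SMB1_FILE_OPS[cmd]] += 1
    noisy = {h: dict(c) for h, c in ops.items() if sum(c.values()) >= ops_threshold}
    return smb1_hosts, noisy


# --- constructed sample capture -------------------------------------------------------
def _smb1(cmd: int) -> bytes:
    """Constructed minimal SMBv1 message: NetBIOS header + 32-byte SMB header, rest zeroed."""
    hdr = b"\xffSMB" + bytes([cmd]) + b"\x00" * 27
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


def _smb2(cmd: int) -> bytes:
    """Constructed minimal SMBv2 message: StructureSize 64, Command at offset 12, rest zeroed."""
    hdr = b"\xfeSMB" + (64).to_bytes(2, "little") + b"\x00" * 6 + cmd.to_bytes(2, "little") + b"\x00" * 50
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


PACKETS = []
for i in range(60):   # constructed burst: a client rewriting every file on a share, one per second
    for cmd in (0xA2, 0x07, 0x06):
        PACKETS.append((f"10:00:{i:02d}", "10.0.0.23", "10.0.0.5", _smb1(cmd)))
for i in range(3):    # constructed normal activity over SMBv2
    PACKETS.append((f"10:00:{i:02d}", "10.0.0.15", "10.0.0.5", _smb2(SMB2_CREATE)))
PACKETS.append(("10:00:30", "10.0.0.40", "10.0.0.5", _smb1(SMB1_NEGOTIATE)))  # legacy device negotiating SMBv1

if __name__ == "__main__":
    hosts, noisy = analyse(PACKETS)
    print("hosts still using SMBv1:", sorted(hosts))
    for host, counts in noisy.items():
        print(f"ALERT {host} file-operation burst: {counts}")
```

Fed from a mirror port or a NetFlow/packet broker, the SMBv1 inventory tells you which machines to fix first, and the per-client counter gives the CREATE/DELETE/RENAME trend the post recommends watching. Legitimate bulk jobs (backups, migrations) will also exceed the threshold, so the alert is a pointer for investigation rather than proof of infection.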

The EternalBlue exploit also generates unusual commands towards SMB devices, which can be detected during the propagation phase. A smart monitoring solution with an expert analytics engine helps to identify such issues quickly.