WannaCry: What we know so far…

An unprecedented cyber-attack by a ransomware variant known as WannaCry, which encrypts a computer’s files and then demands payment to unlock them, has propagated at a speed never before seen by cybersecurity researchers and is impacting targets worldwide. So far it has taken a major toll on operational services at targets including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US with European countries, including Russia, being among the worst hit.

With over 75,000 systems across 100+ counties having reported incidents of WannaCry infections, the attack spread at an alarming rate Friday but seems to have slowed, although by no means has it stopped.

The New York Times, based on data provided by MalwareTec, has compiled an animated map showing just how fast WannaCry has spread, and it’s certainly an eye opener to those who regard cybersecurity as nuisance problem rather than a potential enterprise level risk.

One of the first organizations that reported the attack was the National Health Service (NHS) in the UK where security teams are working around the clock to restore the systems of some 45 hospitals in England and Scotland that were affected.
The attack was incredibly dangerous to patient safety as it left some hospitals and Doctors unable to access patient data, and led to the cancellation of operations and medical appointments.

The Twitter account for NHS’s East Kent Hospitals sent a message to all staff indicating that the ransomware may have been attached to an email with “Clinical results” in the subject. If this report is true than it appears that hospitals were specifically begin targeted.

While it’s likely that the NHS received the majority of the early press on Friday due to the time of day the attack took hold (early morning in the UK), WannaCry spread fast to not only other organizations around the world but also to devices and systems other than standard employee workstations.
German rail operator Deutsche Bahn for example said that while no train services were disrupted as a result of the attack, its systems were infected including station display monitors.

A display at Chemnitz station in eastern Germany display a ransom demand on Friday night. Photograph: P. Goetzelt/AFP/Getty Images

How does WannaCry work and why is this attack unique?

While this ransomware variant is actually rather run-of-the-mill, how it is infecting systems and spreading so quickly is incredibly unique. Most ransomware relies on a user to click a malicious link or file attachment in a phishing email to infect their computer. While cybercriminals can spam out thousands or even millions of phishing emails a day, a successful infection still relies on an unwitting end user to become an unwilling accomplice and trigger the attack. While this is still an incredibly effective technique, it limits the overall ability for most ransomware to spread as each individual target user needs to fall for the trick. Not so with WannaCry.

It appears that once a single instance of WannaCry infects a PC behind the firewall it can move laterally within networks and self-propagate to other systems. Initial analysis by security researchers indicate it can do this by scanning and identify systems with ports 139 and 445 open and listening to inbound connections as well as scanning heavily over TCP port 445 (Server Message Block/SMB), which allows the malware to spread on its own similar to a worm. The worm then loops through every RDP session on a system to execute the ransomware as that user targeting admin accounts. It also installs the DOUBLEPULSAR backdoor and corrupts shadow volumes to make recovery even harder.

WannaCry is able to do this where the PC is open to listening and has not been updated with the critical MS-17-010 security patch from Microsoft which was issued on the 14th of March and addresses vulnerabilities in SMBv1 (Microsoft doesn’t mention SMBv2. Windows 10 machines were not subject to the vulnerability this patch addressed and are therefore not at risk of the malware propagating via this vector.

Additionally, Talos has observed WannaCry exploiting DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This backdoor documented the offensive exploitation framework that was released as part of the Shadow Brokers cache.

What happens to infected systems?

Once the ransomware infects a system, it starts encrypting everything it can find. The file taskche.exe searches for both internal and external drives mapped to a letter such as “c:/” or “d:/” so mapped network shares could also be affected. When it finds files of interest, it encrypts them using 2048-bit RSA encryption. How strong is that? Well… a DigiCert post calculated that it would take 1.5 million years with a current and standard desktop machine to crack it.

The user then receives a notification on their screen demanding $300 in Bitcoin to release files and restore the system or, if the ransom is not paid, the files will be rendered permanently inaccessible or out-and-out deleted. Some reports indicate that if the user doesn’t pay within six hours, the ransom amount will increase to $600 while other reports indicate that the user has 3 days to pay. This is incredibly insidious social engineering as it creates a sense of urgency for the user to just pay the ransom or else face a rising cost or losing everything. A sense of hope is also instilled by providing the ability to decrypt a small selection of files, attempting to demonstrate to the user that if they comply with the extortion and pay the ransom, they will receive access to the remainder of their files.

It should be noted… that the criminals behind the attacks are under no obligation whatsoever to provide decryption keys, so paying the ransom may not actually result in recovering access to the system and files. Of further note, paying a ransom not only marks the user as a potential target for future extortion attempts but it also helps fund the very criminals that perpetrated the crime to develop new and more sophisticated attacks.

Why the spread is slowing down: The kill switch

Talos noted early in the investigation of the attack that WannaCry was sending requests to the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”

This is likely a human generated domain as the characters included largely consist of keys in the top row of the keyboard. These patterns are generally the result of someone “mashing” the keyboard and are easily recognizable by security researchers.

It appears that if WannaCry can communicate with this domain, it will stop execution and not infect the system. As this domain was not registered, each infection would attempt communication and fail to reach the domain and therefore continue to execute and infect the PC. Once the ransomware became able to communicate with that specific domain, it would stop, therefore the domain once registered would act as a “kill switch”. This is highly unusual and appears to have been hardcoded into the malware by the creator in case he or they wanted to stop the spread of the attack.

A wily security researcher, @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated the kill switch by simply registering the domain.

“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.” Source: The Guardian.

While it seems almost anti-climactic, the kill switch appears to have worked and is slowing the spread of infections. That being said… we can likely expect that copycats are already working on variations of the attack and bad guys everywhere have learned a great deal from this incident as well, so we can expect new variants and modifications to the attack to be launching soon.

When the Conficker worm was running rampant back in 2008 creating a huge botnet, a security researcher similarly found that it was calling home to randomly generated domain names for Command and Control instructions. He was able to limit the Conficker botnot’s ability to execute any commands by registering all the domain names. Variant A and B of Conficker downloaded daily from any of 250 pseudorandom domains. While registering 250 domains a day was getting a little expensive and time consuming, it was still possible for defenders, collectively know as the Conficker Cabal, to keep ahead of the attacker. This strategy fell apart when the attacker released Variant C which downloaded daily from 500 of 50,000 pseudorandom domains. We can likely expect that future variants of WannaCry and copycats will employ a similar approach and ensure that discovering and activating a simple kill switch will not be effective ever again.

So what now?

WannaCry mitigation recommendations

  1. Ensure all pre-Windows 10 PCs are fully patched. Patch the Windows 10 ones just to be safe too!
  2. Ensure Microsoft bulletin MS17-010 has been applied.
  3. SMB publically accessible internet ports 139, 445 should be immediately blocked to prevent inbound traffic.
  4. Block all known TOR exit node IP addresses at the firewall. These are generally available from security intelligence feeds.
  5. If for some reason, you can’t patch a device (medical device or other closed architecture systems) make sure to disable SMBv1.

WannaCry prevention recommendations

  1. Ensure you are running the most up-to-date operating system on all your devices, not just PCs.
  2. Have a formal patch management system in place to ensure that all vendor patches are applied to all endpoints in a timely manner.
  3. Install some form of endpoint protection for anti-malware on all your systems and ensure you apply regular updates.
  4. Simply having updated firewalls and endpoint protection is no longer enough. This attack moved laterally behind the firewall so end-to-end complete network visibility and security tools that can detect, prevent and mitigate threats throughout your physical, virtual and cloud networks are now mandatory.
  5. Ensure you have both a business continuity and disaster recovery plan and that these plans are updated regularly and tested.
  6. Backup all things things!!! And ensure that you have offline backups as attackers frequently target backup systems as well to increase the odds that you will pay the ransom.
  7. Train your users! Employees should receive both security awareness training that will help them identify, protect themselves and report threats as well as traditional security training that lets employees know what is expected of them and how to comply to organizational security policies and procedures.

Related technical resources

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Leave a Reply