Updates

23-May-2017 : According to Costin Raiu, WannaCry itself did not support Windows XP

Individual machines could be infected - researchers and testers who put WannaCry on Windows XP systems likely ran it manually - but the worm-like attack code would not spread from an XP PC

22-May-2017 : WannaCry: Ransomware attacks show strong links to Lazarus group

According to Symantec : https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

Note : IOCs added to https://www.botvrij.eu, get them through the OSINT feed in MISP.

OTX has another set of IOCs.

19-May-2017 : Updated Incident Response section - Decryption

Decryption possible for Windows XP to 7, including Windows 2003

19-May-2017 : WannaCry Exploit Now Being Used to Spread Spy Trojan

According to cyphort the vulnerability used by WannaCry (ETERNALBLUE) is now also used to spread a trojan.

17-May-2017 : Adylkuzz mining malware

Proofpoint published information on a cryptocurrency mining malware that also makes use of ETERNALBLUE/DOUBLEPULSAR. This malware predates WannaCry (possibly active as early as 24-Apr).

16-May-2017 : OH LORDY! Comey Wanna Cry Edition

Shadow Brokers issued a statement. ETERNALBLUE was part of the exploit leading to WannaCry.

16-May-2017 : Jaff Ransomware is not WannaCry

Some researchers confuse the Jaff ransomware with WannaCry. Jaff is a more "traditional" style of ransomware, explained in detail by Talos at http://blog.talosintelligence.com/2017/05/jaff-ransomware.html. It is not the same as WannaCry.

16-May-2017 : Added Attribution section

16-May-2017 : Update mutex creation : TearSt0pper

15-May-2017 : Uiwix, WannaCry strain

Uiwix has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used.

15-May-2017 : Another variant

Detected by VirusTotal: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06

15-May-2017 : Updated SMBv1 section

15-May-2017 : Updated anti-virus section

15-May-2017 : NMAP NSE script to detect vulnerable servers

14-May-2017 : Two new variants

Two new variants were found. See https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

Kill switches

Do not rely on these kill switches as the single line of defense. The behavior of the malware can easily be changed so that these kill switches are no longer relevant! Also, WannaCry is not proxy aware: if you are in a proxied environment they will not help unless you set up an RPZ.

Advice

Patch

The patch has been available since March 2017. Your patch management process should apply patches rated as critical in a timely manner. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft also provided mitigation measures for unsupported systems.

Windows 10 and Windows Server 2016 are protected in their default configuration.

Why "Just Patch It!" Isn't as Easy as You Think

An article posted on the Trend Micro blog explains why "Just Patch It!" isn't as easy as you think.

Disable SMBv1

Disable SMBv1. This is described in a Microsoft document : https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

For example on Windows 8 you can do this in PowerShell
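As an added example (not the page's original snippet), the following PowerShell disables only the SMBv1 server on Windows 8 / Server 2012 and later, leaves SMBv2/3 untouched (disabling SMBv2 breaks normal file sharing), and reports the resulting state so it can be collected centrally. The registry function covers Windows 7 / Vista / 2008 (R2) using the value documented in the Microsoft article linked above. Run elevated.

```powershell
# Added example: disable the SMBv1 server protocol, keep SMBv2/3, verify.

function Disable-Smb1Server {
    # Windows 8 / Server 2012 and newer: the SmbShare module exposes the switch
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Windows 8.1 / 2012 R2 and newer can also remove the SMB1 component itself
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

function Disable-Smb1ServerLegacy {
    # Windows 7 / Vista / 2008 / 2008 R2: registry value from the Microsoft
    # article linked above; SMB1 = 0 disables the v1 server after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
}

function Test-Smb1State {
    # Shows SMB1 and SMB2 side by side so an accidental SMB2 disable is visible
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        SMB1     = $cfg.EnableSMB1Protocol   # expected: False
        SMB2     = $cfg.EnableSMB2Protocol   # expected: True
    }
}

Disable-Smb1Server
Test-Smb1State
```

On Windows 7-era hosts call Disable-Smb1ServerLegacy instead and reboot; Test-Smb1State needs the SmbShare module and is only available on Windows 8 / 2012 and later.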

Blocking legacy protocols is always recommended!

UPDATE According to WannaCry FAQ: What you need to know today : The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection ... disabling SMBv2 can cause problems

Filter tcp/139 (NetBIOS), tcp/445 (SMB) and tcp/3389 (RDP)

All systems exposed to the Internet should filter NetBIOS, SMB and RDP.

Do not assume that a corporate firewall is enough. Systems connecting through a VPN might be exposed to the Internet before starting the VPN. Also do not forget systems that are dual-homed. If one system is infected, introducing it on the network later is enough to spread the infection.

Internal network filtering

Use local host firewalling on all your systems. Not every system needs to have SMB and RDP available on the network!

Apply network segmentation.

If you run CIFS (a variant of SMB) you are also targeted.

So far for RDP it looks like it is used as an initial attack vector via brute force (guessing weak credentials). Once access is gained via RDP, WannaCry is deployed and can spread automatically.

Disconnect your backups and test your restore procedures

Do not forget that backup servers can be a target as well. Make sure the backup retention period is long enough.

Backups must be off-line (detached from network connectivity or system connectivity).

Use a dedicated backup solution that is not using SMB!

Do not block the kill switch domains

No, you should not. When the malware can reach the kill-switch domain it stops spreading. If you block this domain, it will continue spreading both internally and externally and start encrypting your files.

Log network, system and service events so that you know what is going on

Centrally log the events of your servers and workstations so that you know what is going on. Combine this information with network events.

Use threat intelligence data / alerts on these events.

Setup internal WannaCry sinkhole website

The Wannacry ransomware is not proxy aware. This means that organizations that use a corporate proxy will not benefit from the kill switch. See https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/

The solution is to add the kill switch domains to an internal RPZ zone and redirect requests to an internal sinkhole. Note that the ransomware does expect an HTTP reply.
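The following is an added example of the internal sinkhole described above; it is not from the original page. Part 1 runs on a Windows DNS server (DnsServer module) and is the Windows equivalent of the RPZ entries; part 2 runs on the sinkhole host and answers every HTTP request with a 200, which satisfies the kill-switch check, while logging the source address of each hit (every hit is a host that just executed the malware). The domain names and the sinkhole IP are placeholders. Run both elevated.

```powershell
# Added example: internal kill-switch sinkhole (DNS override + HTTP responder).

$KillSwitchDomains = @('KILLSWITCH-DOMAIN-1.example', 'KILLSWITCH-DOMAIN-2.example')  # placeholders
$SinkholeIP        = '10.0.0.50'   # constructed: internal host that runs Start-SinkholeResponder

function Add-KillSwitchSinkholeDns {
    foreach ($d in $KillSwitchDomains) {
        # Create a local primary zone per domain (use -ReplicationScope Domain
        # instead of -ZoneFile on AD-integrated DNS) and point its apex at the
        # sinkhole, so internal clients resolve it without needing the proxy.
        if (-not (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns"
        }
        Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $SinkholeIP
    }
}

function Start-SinkholeResponder {
    param([int]$Port = 80, [string]$LogFile = "$env:TEMP\sinkhole-hits.log")
    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add("http://+:$Port/")
    $listener.Start()
    $body = [Text.Encoding]::ASCII.GetBytes('sinkhole')
    while ($listener.IsListening) {
        $ctx = $listener.GetContext()
        # Any HTTP reply is enough for the check to succeed; the client IP is
        # the detection value, so write it to a log that your SIEM collects.
        $ctx.Response.StatusCode = 200
        $ctx.Response.ContentLength64 = $body.Length
        $ctx.Response.OutputStream.Write($body, 0, $body.Length)
        $ctx.Response.Close()
        $line = '{0} {1} {2}' -f (Get-Date -Format s),
                $ctx.Request.RemoteEndPoint.Address, $ctx.Request.Headers['Host']
        Add-Content -Path $LogFile -Value $line
        Write-Host $line
    }
}

# On the DNS server:    Add-KillSwitchSinkholeDns
# On the sinkhole host: Start-SinkholeResponder
```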

Scan and filter all mails with executable content

Note: no sample of a phishing e-mail that delivered the ransomware has been found (so far). The initial attack vector is not certain (maybe an infected USB device introduced on the network?).

Disable macro scripts from Microsoft Office files transmitted via e-mail.

Good security practice.

Inform your employees

Repeat awareness campaigns!

Update your anti virus definitions

Update your anti-virus definitions to prevent further infections. Anti-virus definitions need time to include the new variants: do not rely on your anti-virus / anti-malware solution as the single line of defense.

UPDATE : It is important to note that anti-virus can potentially stop such attacks, even before researchers have seen a sample, ref. Modern Security Software not powerless against threats wannacry.

Create the mutex that is used by WannaCry to prevent further infection

A script has been developed by CCN that prevents the ransomware from starting to encrypt your files. It does this by creating the mutexes for which the ransomware checks. Note that the script needs to be run after every reboot. Script: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND. Also see: https://twitter.com/EC3Europol/status/863492271911645184

Afterwards, you can check for the presence of the mutex with: handle -a | findstr MsWinZonesCacheCounterMutex. The Handle command can be downloaded from Sysinternals: https://download.sysinternals.com/files/Handle.zip

Further info on the mutexes is available at https://blog.didierstevens.com/2017/05/14/quickpost-wannacrys-mutex-is-mswinzonescachecountermutexa0-digit-zero-at-the-end/ and here https://twitter.com/craiu/status/863720216714518528.

There is an alternative tool (not tested) that accomplishes the same : https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip

UPDATE Another tool to create the mutexes, TearSt0pper.
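As an added example (not the CCN script, WCRYSLAP or TearSt0pper), the PowerShell below holds the mutex names the ransomware checks before encrypting, so that a later execution on the host exits. The names are taken from the Didier Stevens post linked above (digit zero at the end); the "Global\" variants make the object visible from every session, which needs an elevated process. Test-WannaCryMutex is the scripted equivalent of the handle | findstr check.

```powershell
# Added example: hold the WannaCry mutexes and report whether they are present.
$MutexNames = @(
    'MsWinZonesCacheCounterMutexA',
    'MsWinZonesCacheCounterMutexA0',
    'Global\MsWinZonesCacheCounterMutexA',
    'Global\MsWinZonesCacheCounterMutexA0'
)

function Test-WannaCryMutex {
    # $true when at least one of the names already exists on this host
    # (same answer as: handle -a | findstr MsWinZonesCacheCounterMutex)
    foreach ($n in $MutexNames) {
        try { [System.Threading.Mutex]::OpenExisting($n).Dispose(); return $true }
        catch [System.Threading.WaitHandleCannotBeOpenedException] { }
        catch [System.UnauthorizedAccessException] { return $true }  # exists, no access
    }
    return $false
}

function New-WannaCryVaccine {
    # Creates every name and returns the handles; they must stay referenced
    # for as long as this process lives, or the mutexes disappear again.
    $handles = @()
    foreach ($n in $MutexNames) {
        $createdNew = $false
        $m = New-Object System.Threading.Mutex($false, $n, [ref]$createdNew)
        $handles += $m
        Write-Host ('{0,-42} {1}' -f $n, $(if ($createdNew) { 'created' } else { 'already present' }))
    }
    return $handles
}

Write-Host "Mutex present before vaccine: $(Test-WannaCryMutex)"
$vaccine = New-WannaCryVaccine
Write-Host "Mutex present after vaccine:  $(Test-WannaCryMutex)"

# Stay resident; stopping this script releases the mutexes.
while ($true) { Start-Sleep -Seconds 3600 }
```

Because the mutexes only exist while the process runs, register the script as a scheduled task that starts at boot (running as SYSTEM) so it is back after every reboot, as the note above requires.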

Subscribe to threat intelligence feeds / community work

Subscribe to a threat intelligence feed to get early indicators and detection. See the MISP platform.

NSE Script to detect ms17-010

An NSE script for Nmap to detect MS17-010 was published: http://seclists.org/nmap-dev/2017/q2/79

What is the WannaCry / Wcry / WannaCrypt ransomware?

Ransomware

A massive wave of ransomware that has all the characteristics of a worm. It uses an exploit called ETERNALBLUE and leverages a persistent backdoor known as DOUBLEPULSAR (both were part of the Shadow Brokers leak of NSA tools). ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol. Exploiting this vulnerability allows an attacker to execute code on the vulnerable host.

Microsoft patched this vulnerability in March, via MS17-010. Microsoft also released a patch for systems that were no longer under support.

The malware is persistent, meaning it will survive a system reboot!

Infection methods

Although there are claims that the infection happened via phishing e-mail, no sample of such a mail has been analyzed.

Incident response

Unplug the infected machine from the network

Segment and isolate networks that have infected machines.

Limit SMB connections

Limiting SMB connections will hugely affect your users because they will not be able to access the file servers. There is, however, no reason for your workstations not to filter incoming SMB connections; doing so will prevent further spreading.

Look for other signs of infection

Do not pay the ransom

Restore backups

Inform your local / national CERT

For Belgium : [email protected]

Recovering encrypted files

It may be possible to recover the encryption key (and hence the encrypted files) on Windows XP, if the machine was not rebooted after infection.

According to "WannaCry - Decrypting files with WanaKiwi + Demos", the decryption works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2.

In order to decrypt the files it is important that

Do not delete the encrypted files yet: a decryption key may become available at some point in the future, although there is no guarantee that this will be possible.

Attribution

Lazarus group

According to Kaspersky Lab there is strong evidence linking the WannaCry ransomware code to North Korea. There is a code overlap between Wannacry and a sample attributed to Lazarus in 2015. Note that the Lazarus group is believed to be responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation. ... "a theory a false flag although possible, is improbable."

Manually linking payments with encryption

WannaCry uses only four individual bitcoin addresses. There is no automatic link between a payment and an encryption, meaning that validation has to be a manual process. Most ransomware automates this process to provide a better "service" to its victims. Also see the Wired article.

References

Misc

A live map can be found here : https://intel.malwaretech.com/WannaCrypt.html

Create a mutex manually in PowerShell: $mtx = New-Object System.Threading.Mutex($false, "TestMutex")

Maintained by cudeso