WannaCry Ransomware

There have been recent widespread reports concerning an emerging malware campaign known as WannaCry. So far, we’ve seen reported infections in 99 countries. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware around the world. Kaspersky is reporting 45,000 attacks in 74 countries (with Russia most badly affected). Both of these are likely to be seeing just a portion of the overall attack.

The WannaCry ransomware can enter your network either via eMail of HTTP/HTTPS download links. Once in the network, it has the ability to spread horizontally over the LAN/DMZ by exploiting a SMB vulnerability (codenamed “EternalBlue”) made public as part of the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14th, 2017 (MS17-010).

The malware used in the attacks encrypts files, and adds .WCRY to the file extension of files encrypted. It also drops a decrypt tool, changes wallpaper, and displays a notice to pay bitcoins for the decryption key. Initial variants requested US$300, but recently this has been increased to US$600 in Bitcoin.

The file extensions that the malware is targeting contain certain clusters of formats including:

  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Less common and nation-specific office formats (.sxw, .odt, .hwp).
  • Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).

Network Box has released several signatures to protect against this, as well as generic heuristic protection. Some of the threat names seen include:

  • Trojan-Ransom.Win32.Gen.djd
  • Trojan-Ransom.Win32.Zapchast.i
  • PDM:Trojan.Win32.Generic
  • Trojan.Win64.EquationDrug.gen
  • Trojan-Ransom.Win32.Wanna.a through Trojan-Ransom.Win32.Wanna.q

We continue to see new variants on an hourly basis and are issuing signatures using the Trojan-Ransom.Win32.Wanna.* prefix namespace. We’ve also released IDS, IPS, and INFECTEDLAN signatures to be able to detect, block and alert on infections within the network.

The malware uses the TOR network and the following domains:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • xxlvbrloxvriy2c5.onion

Based on the severity and impact of this attack, Network Box Security Response makes the following recommendations:

  1. Block access to the TOR network. Network Box 5 including policy control options for controlling the TOR network, and we recommend that those be deployed and enabled.
  2. Make sure that all hosts are running and have enabled endpoint security solutions.
  3. Ensure that the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack, is installed on all your systems.
  4. Isolate incoming laptops and ensure that they (a) have been patched with MS17-010, (b) have endpoint security solutions installed, enabled, and running, and (c) conduct a manual scan to ensure they are clean – before connection to your network.

So far, it seems that the multi-engine, multi-level, approach that Network Box uses is keeping this at bay for our customers. However, we’ve seen a large increase in both heuristic and WannaCry-specific blocks in recent hours and Network Box Security Response is keeping a close eye on the situation.

Network Box Security Response