WannaCrypt Ransomware

Introduction

What is Ransomware?

Ransomware is a type of malicious software (malware) which attempts to extort money from victims, typically by displaying an alert stating that the computer has been locked and that all files have been encrypted.  A ransom is demanded to restore access.

WannaCrypt Ransomware

As defences against Ransomware and Malware evolve, so too do the threats. One of the latest versions of Ransomware to come to the fore on the 12th of May 2017 is the WannaCrypt (also known by the names WannaCry, WanaCrypt0r or Wcrypt) variant.

Each new variant that emerges comes with its new challenges and new stealth techniques, helping these strands to go undetected by traditional defensive platforms and spread at increasingly rapid rates. Since the initial infection, huge numbers of Windows hosts across 99 countries have been infected, across many different industry sectors, including health services and telecoms.

Once infected, the ransomware is demanding $300 payment in Bitcoin per device in order to decrypt the files that have been encrypted.

Technical details

Initial Infection Vector

WannaCrypt RansomwareIt is currently unknown at the time of writing (14 May 2017, 20:00 GMT) how the initial infection of an organization occurs with this strain of Ransomware. It is however, assumed to be likely spread in the same way as traditional malware, such as malicious websites, phishing emails or already infected hosts being brought onto an organization’s internal network.

One confirmed means of infection however, is via SMB services exposed to the internet, which is the same mechanism that the worm element of the Ransomware uses to spread on internal networks.

Internal Spread Vector

It is known that the ransomware contains a worm which facilitates the spread of the ransomware via the SMB service (445/tcp) on Windows hosts.

The ransomware is utilising an exploit for SMB called ETERNALBLUE, for which Microsoft has released a patch, MS17-010. The exploit works against all unpatched versions of Windows, except Windows 10 and Server 2016.

Once the ransomware has entered a network, it will spread quickly amongst hosts, as the SMB protocol is utilised heavily on internal networks for remote host management and file and printer sharing and is therefore very rarely filtered on internal networks.

Command and Control

Initial analysis performed by the information security community indicates that the ransomware communicates via the TOR protocol, first downloading Tor from the internet before communicating to the command and control servers.

Currently there are five known C&C domains:

  • cwwnhwhlz52ma.onion 
  • gx7ekbenv2riucmf.onion
  • xxlvbrloxvriy2c5.onion
  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion

Killswitch Domain

An anonymous UK based security researcher identified a killswitch domain within the ransomware, which, when live, would be contacted by the ransomware at the initial execution. If the ransomware finds a live domain there, it halts the encryption or spreading capability of the ransomware. The researcher identified that the domain was not registered, and thus registered it to halt the spread.

It would appear that the attackers neglected to register the domain name, which would appear to be an oversight on their part.

The killswitch domain is:

This domain SHOULD NOT be blocked on external firewall devices or web filters, its reachability is paramount for halting the spread and infection.

Encryption Activity

The file extensions that the malware is targeting contain certain clusters of formats including:

  1. Commonly used office file extensions (.ppt, .doc, .xls)
  2. Less common and nation specific office formats (.sxw, .odt, .hwp)
  3. Archives and media files (.zip, .rar, .tar, .mp4)
  4. Emails and email databases (.emi, .msg, .ost, .pst)
  5. Database files (.sql, .ndb, .accdb, .odb)
  6. Developer source code (.php, .java, .cpp)
  7. Encryption keys and certs (.key, .pfx)
  8. Virtual machines (.vmx, .vmdk, .vdi)

The ransomware utilises multiple languages to explain the attack and payment methods.

Remediation Strategy

Short term

The short term remediation strategy should be as follows:

  • Apply MS17-010 to all systems immediately (see note below)
  • Disable SMBv1 support on all hosts 
  • Remove access to SMB and RDP protocols on externally facing hosts by adding firewall rules
  • Where hosts are unable to be patched, they should be isolated into a separate network segment with no SMB or RDP access permitted from other networks
  • Alert your organisation’s staff as to the nature of this attack and to remain vigilant and suspicious of any untrusted communications or attachments 
  • Provide a communications and escalation procedure to staff should suspicious attachments be discovered or if they believe they are the victim of such an attack

Note: Microsoft have released out-of-band patches for currently unsupported versions of the Windows operating system, including Windows XP, Windows 8 and Windows Server 2003 (https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)

Medium to longer term

The medium to longer term remediation strategy should be as follows:

  • Using Software Restriction policies to prevent malware writing to common areas: through Active Directory and Group Policy create software restriction policies to allow only specifically identified applications to run on a computer. These are regulations set by domain admins with the aim to prevent untrusted code from running in the first place.
  • Limiting user privileges: ensure that users only have privileges assigned to their domain/workgroup accounts which are necessary for the user’s job role (least-privilege principle). Users should then use their regular accounts for everyday tasks; accounts with elevated privileges, if any, should only be used when needed. Malware that starts execution in the regular user’s context will then have less potential for devastating damage compared to when it executes in the context of a privileged user account.
  • Network segregation: ensure that proper network segregation is in place, such that business units/departments with different access level requirements are segmented from each other. SMB protocol should not be allowed to cross the boundary of a single network segment. This would stop the spread of infection should it happen, thus further containing it.
  • Raise awareness amongst staff with ongoing user awareness training
  • Develop a backup and data recovery procedure and policy for any future incidents