WannaCry Ransomware Campaign: Threat Details and Risk Management
UPDATE 3 (May 17 – 7:00 p.m. ET)
We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic causes the malware to actually query www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test. The malware encrypts files only if it cannot contact this domain (specifically, if it cannot complete an HTTP request to the address the domain resolves to). Security researchers were able to register the “killswitch” domains of previous variants to stop encryption; this domain, however, cannot be registered, because the .test TLD is reserved by the Internet Engineering Task Force (IETF) for testing purposes only. So, if this variant infects a system, the infrastructure killswitch approach used to date cannot be applied to stop encryption.
Organizations seeking to protect themselves from this latest variant can still “locally” sinkhole the domain by adding a DNS A-record for it to their own DNS servers that translates the name to any of the existing sinkhole IPs. Because the malware's check is an HTTP request rather than a bare DNS lookup, the record must point at a sinkhole that actually answers the connection; a name that resolves to an address that does not respond is no better than a name that does not resolve at all.
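The local sinkhole described above, as an added example that is not FireEye's code: it takes every killswitch domain named in this post, including both the .testing string found in the May 17 binary and the .test name its bugged code actually looks up, and emits a BIND response-policy zone (RPZ) plus hosts-file lines that answer each name with a sinkhole address. RPZ is this example's choice of mechanism (the post only says "add an A record"; an ordinary authoritative zone per name, or the equivalent record on a Windows DNS server, works the same way), and 192.0.2.1 is a placeholder from the documentation address range, not a real sinkhole.

```python
"""Local sinkhole records for the WannaCry killswitch domains (added example).

Not FireEye's code. 192.0.2.1 is a placeholder; replace it with an existing
sinkhole that answers HTTP, because the malware treats a completed HTTP
request, not merely a DNS answer, as "domain reachable".
"""
import re
from typing import Iterable, List

# Killswitch domains as written (de-fanged) in the post. For the May 17 variant
# both the string in the binary (.testing) and the name the bugged code really
# looks up (.test) are listed, so the resolver answers either query.
KILLSWITCH_DOMAINS = [
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test",
]
SINKHOLE_IP = "192.0.2.1"  # placeholder; use your real sinkhole address

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def refang(domain: str) -> str:
    """Convert the de-fanged form ('[.]' for '.') back into a resolvable name."""
    name = domain.strip().lower().replace("[.]", ".").rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid host name: {domain!r}")
    return name


def rpz_zone(domains: Iterable[str], sinkhole_ip: str, origin: str = "rpz.local") -> str:
    """Build a BIND response-policy zone answering an A record for each name.

    Owner names in an RPZ are relative to the zone apex, so the record
    'www.example.com IN A ...' matches client queries for www.example.com once
    named.conf loads the zone with: response-policy { zone "rpz.local"; };
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    for name in sorted({refang(d) for d in domains}):
        lines.append(f"{name} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


def hosts_entries(domains: Iterable[str], sinkhole_ip: str) -> List[str]:
    """Equivalent hosts-file lines for machines that bypass the site resolver."""
    return [f"{sinkhole_ip} {refang(d)}" for d in domains]


if __name__ == "__main__":
    print(rpz_zone(KILLSWITCH_DOMAINS, SINKHOLE_IP))
    print("\n".join(hosts_entries(KILLSWITCH_DOMAINS, SINKHOLE_IP)))
```

Load the generated zone on a resolver that all clients actually use; a machine that resolves through a proxy or an external resolver never sees these records, which is the same failure mode the post warns about for proxies blocking the killswitch.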
We are currently investigating how widely this new variant has spread. It is possible that this variant could spread rapidly – similarly to the variant that emerged on May 12 – if positioned with the ability to contact a large number of machines exposed to the SMB vulnerability.
UPDATE 2 (May 17 – 12:45 p.m. ET)
FireEye has analyzed a number of systems infected with WannaCry. Figure 2 depicts the real-time process execution events from a Windows 7 system infected with WannaCry via the EternalBlue SMB exploit. Of particular note is that the parent process of the mssecsvc.exe dropper is lsass.exe, which indicates that the system was compromised by the SMB exploit, which injects a DLL into lsass.exe. Additionally, all malware-specific processes are owned by system accounts (e.g. NT AUTHORITY\SYSTEM and BUILTIN\Administrators) and not by the primary user of the system.
Systems successfully infected with WannaCry scan random IP addresses very rapidly (about 25 IP addresses per second) for an open TCP port 445 (the port used for SMB communications) and, if the port is open, attempt to spread the WannaCry infection using the EternalBlue SMB exploit. Figure 3 depicts the real-time TCPv4 network connection events from a Windows 7 system infected with WannaCry.
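The three host-side observations above (mssecsvc.exe spawned by lsass.exe, a burst of TCP/445 connections to many distinct addresses, and contact with a killswitch domain) can be turned into hunting logic. The following is an added example, not FireEye's code or any product's detection content; the `ts|host|kind|k=v;k=v` record format and every log line in it are constructed for the example, and the 10-addresses-per-second threshold is a conservative setting chosen here, well below the roughly 25 per second the post reports.

```python
"""Hunt for WannaCry propagation behaviour in host telemetry (added example).

Not FireEye's code. Checks: (1) mssecsvc.exe with lsass.exe as parent,
(2) many distinct TCP/445 destinations from one host inside a short window,
(3) a lookup of a known killswitch domain, which marks a machine that ran the
malware even when the killswitch then suppressed encryption.
Record format 'ts|host|kind|key=value;...' and all sample lines are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Tuple

# Killswitch domains named in the post (de-fanged brackets removed).
KILLSWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test",
}
Alert = Tuple[str, str, str]  # (host, rule, detail)


@dataclass
class Event:
    ts: float
    host: str
    kind: str  # "process", "net" or "dns"
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|kind|key=value;key=value' record."""
    ts, host, kind, rest = line.strip().split("|", 3)
    fields: Dict[str, str] = {}
    for pair in rest.split(";"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()
    return Event(float(ts), host, kind, fields)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event], scan_threshold: int = 10, window_s: float = 1.0) -> List[Alert]:
    alerts: List[Alert] = []
    # Per host: sliding window of (ts, dst_ip) for port-445 connects, plus how
    # many window entries reference each destination, so distinct IPs are cheap.
    window: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    scan_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            image = basename(ev.fields.get("image", ""))
            parent = basename(ev.fields.get("parent", ""))
            if image == "mssecsvc.exe" and parent == "lsass.exe":
                alerts.append((ev.host, "mssecsvc_from_lsass", f"user={ev.fields.get('user', '?')}"))
        elif ev.kind == "net" and ev.fields.get("dport") == "445":
            dst = ev.fields.get("dst", "")
            q, counts = window[ev.host], per_ip[ev.host]
            q.append((ev.ts, dst))
            counts[dst] += 1
            while q and ev.ts - q[0][0] > window_s:  # expire old entries first
                _, old_dst = q.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            if len(counts) >= scan_threshold and ev.host not in scan_flagged:
                scan_flagged.add(ev.host)  # one alert per host, not per connection
                alerts.append((ev.host, "smb_445_scan", f"{len(counts)} distinct IPs in {window_s}s"))
        elif ev.kind == "dns":
            name = ev.fields.get("query", "").lower().rstrip(".")
            if name in KILLSWITCH_DOMAINS:
                alerts.append((ev.host, "killswitch_lookup", name))
    return alerts


# Constructed telemetry: WS-07 shows all three behaviours; FS-01 is a client
# that legitimately touches three file shares over ten seconds.
SAMPLE_LOG: List[str] = [
    "1494979200.00|WS-07|dns|query=www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test",
    "1494979200.20|WS-07|process|image=C:\\WINDOWS\\mssecsvc.exe;"
    "parent=C:\\WINDOWS\\system32\\lsass.exe;user=NT AUTHORITY\\SYSTEM",
] + [
    f"{1494979201 + i * 0.04:.2f}|WS-07|net|dst=10.{i}.{i}.{i};dport=445" for i in range(12)
] + [
    f"{1494979200 + i * 4:.2f}|FS-01|net|dst=10.0.0.{i};dport=445" for i in range(3)
]


def run_sample(scan_threshold: int = 10, window_s: float = 1.0) -> List[Alert]:
    return detect((parse_line(line) for line in SAMPLE_LOG), scan_threshold, window_s)


if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"{host:6} {rule:20} {detail}")
```

On the sample data only WS-07 is reported, once per rule; FS-01 never reaches ten distinct destinations in a second. Tune `scan_threshold` and `window_s` against your own baseline of SMB client behaviour (vulnerability scanners and backup agents also fan out on port 445), and treat a `killswitch_lookup` hit as an infected host to isolate, not as a machine the killswitch has made safe.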
UPDATE (May 16 – 8:00 p.m. ET)
On May 15, we observed at least two new killswitch domains being used by WannaCry variants: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com (this domain matches the format of WannaCry-associated domains, but has not yet been clearly linked to a specific sample; organizations may wish to maintain awareness of this domain in the event that it is associated with WannaCry activity) and iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. These domains were also sinkholed. Again, we currently lack visibility as to whether these changes were implemented by the original distributors or by a third party modifying distributed samples.
At this time, multiple potential attribution scenarios for the WannaCry activity are viable. We are continuing to investigate all potential attribution scenarios.
Financially motivated cyber criminals are typically responsible for ransomware operations, with many such actors operating independently worldwide; however, as yet, none of these actors have been identified as a strong candidate for attribution of the WannaCry operation.
Some aspects of the WannaCry operation suggest the operators may not be highly sophisticated and may not have anticipated that the malware would spread as widely as it has. One of these aspects is the aforementioned killswitch functionality. Sophisticated malware developers experienced in combating security countermeasures might have anticipated that this functionality would constitute a threat to the malware’s success. Another aspect is that identified ransom payments have been reported to be relatively low thus far, suggesting the operators’ payment system may not have been equipped to handle the outcome of worldwide infections.
Numerous open-source reports allege potential North Korean involvement in this campaign. Based on FireEye’s initial analysis, the code similarities cited between allegedly North Korea-linked malware and WannaCry constitute a potential lead worth further investigation, but are not unique enough independent of other evidence to be clearly indicative of common operators.
See the bottom of the post for a list of related MD5s, URLs, Tor sites, executables, registry keys, files created, file strings, processes started, and SNORT signatures.
The following is the blog as originally published on May 15.
Since May 12, 2017, a highly prolific WannaCry ransomware campaign has been observed impacting organizations globally. WannaCry (aka WCry or WanaCryptor) malware is self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft Server Message Block (SMB) protocol. The malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands $300 or $600 USD (via Bitcoin) to decrypt the data. The malware uses encrypted Tor channels for command and control (C2) communications.
Based on our analysis, malicious binaries associated with WannaCry activity consist of two distinct components: one that provides ransomware functionality – acting very similarly to WannaCry malware samples reported before May 12 – and a component used for propagation, which contains the scanning and SMB exploitation functionality discussed below.
Given the rapid and prolific distribution of this ransomware, FireEye iSIGHT Intelligence considers this activity to pose a significant risk to all organizations using potentially vulnerable Windows machines.
WannaCry exploits a Windows SMB vulnerability to enable propagation after having established a foothold in an environment. This propagation mechanism can distribute the malware both within the compromised network and over the public internet. The exploit used is codenamed “EternalBlue” and was leaked by Shadow Brokers. The exploited vulnerability was patched in Microsoft MS17-010.
Based on our analysis, the malware spawns two threads. The first thread enumerates the network adapters and determines which subnets the system is on. The malware then generates a thread for each IP on the subnet. Each of these threads attempts to connect to the IP on TCP port 445 and, if successful, attempts exploitation of the system. An example of an attempt to exploit a remote system can be seen in Figure 1.
In response to the use of this exploited vulnerability, Microsoft has provided specific risk management steps for WannaCry.
While WannaCry ransomware has spread primarily through SMB exploitation, its operators may also use other distribution methods. Early reports suggested WannaCry was spread through malicious links in spam messages; however, FireEye has been unable to corroborate that information from any of our investigations to date.
Regardless of the original infection vector, WannaCry operators could adopt any delivery mechanism common to ransomware activity, such as malicious documents, malvertising, or compromises of high-traffic sites. In light of this campaign's high impact thus far and the uncertainties as to early distribution vectors, organizations should consider any common malware delivery vector a potential source of WannaCry infection.
Each of the WannaCry variants identified to date (that had worm-like functionality) included a killswitch that a number of security researchers have used to prevent the malware from encrypting files. However, operators could eliminate or modify this feature, as demonstrated by the emergence of multiple variants with a new domain.
- Upon infecting a victim machine, the WannaCry package that began spreading on May 12 attempts to contact: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the malware could successfully reach this domain, based on FireEye's testing, it would not perform encryption or self-propagation (some organizations have reported the malware will continue to self-propagate in this case, but we have not confirmed this behavior in test environments). This domain was registered by a security professional on May 12, apparently stopping encryption behavior for many infections. The WannaCry developers may have intended this killswitch functionality to serve as an anti-sandbox analysis measure.
- On May 14, a variant surfaced with a new killswitch domain: www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This domain was also sinkholed, ostensibly causing the killswitch behavior to disable any WannaCry infections that contacted the domain. Whether this domain contact change was implemented by the original distributors or a third party modifying distributed samples is unclear.
- Also on May 14, a new variant was identified that does not contain the domain contact killswitch functionality. However, this change may have been implemented by a third party after the malware was compiled rather than by the operators. The ransomware component of this variant appears corrupted and does not function in test environments.
Despite encouraging reports of waning threat activity, WannaCry continues to pose significant risks. Given this malware's effective repropagation mechanisms, virtually any organization that hasn’t applied Microsoft’s recommended mitigation mechanisms is at potential risk of attempted WannaCry propagation. Furthermore, the emergence of new variants demonstrates the operators could remove WannaCry's killswitch functionality if desired, or significantly modify it to avoid countermeasures taken thus far. Public reports demonstrate that incidents associated with the WannaCry ransomware family have occurred in many countries.
Organizations seeking to protect themselves from this threat should read Microsoft's blog on addressing the associated SMB exploitation.
The rapid, prolific distribution of this ransomware has influenced swift, proactive updates to FireEye’s entire portfolio of detection technologies, threat intelligence analysis and recommendations and consulting services.
FireEye’s Network, Email, and Endpoint products have ransomware detection capabilities that can proactively detect new ransomware (including WannaCry) distributed through web and email infection vectors and, if deployed inline or with Exploit Guard enabled, can block it. WannaCry operators could leverage these popular delivery mechanisms at any time. Should this occur, FireEye product customers would see the following alerts:
- HX: WMIC SHADOWCOPY DELETE, WANNACRY RANSOMWARE, *Ransom.WannaCryptor.*, or Trojan.Generic*. Exploit Guard and Anti-Virus alert names will depend on delivery mechanism and variants.
- NX/EX: Malware.Binary.exe, Trojan.Ransomware.MVX, Ransomware.Wcry.*, FE_Ransomware_WannaCry.*, Trojan.SinkholeMalware, or Malicious.URL
- EX only: Phish.URL or FE_EMAIL_MALICIOUS_EXM_*
- TAP: WANNACRY RANSOMWARE
FireEye products also detect later-stage WannaCry activity, such as command and control communications and host indicators of existing WannaCry infections. Additionally, FireEye PX (Network Forensics) sensors deployed internally and monitored by FireEye as a Service (FaaS) can detect SMB propagation traffic. Customers can leverage confirmed indicators to hunt for possible infections. These indicators have been deployed to FireEye HX (Endpoint) customers and are available on the MySIGHT intelligence portal for iSIGHT subscription customers.
Network proxies and other enterprise network security features may prevent the malware from contacting its killswitch domain and inadvertently trigger encryption. Organizations may wish to adjust their proxy configurations or other network configurations to avoid this problem.
Additionally, organizations can leverage the following indicators of compromise to identify potentially related activity. These have been obtained during preliminary analysis of associated samples and continuing investigation.
Related Sample MD5s:
Related URLs:
ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com (This domain matches the format of WannaCry-associated domains, but has not yet been clearly linked to a specific sample. Organizations may wish to maintain awareness of this domain in the event that it is associated with WannaCry activity.)
Related Tor Sites:
Related Registry Keys:
Related Files Created:
Related File Strings:
Wanna Decryptor 1.0
Note: Additional files with .wncry extensions may be created.
Related Processes Started:
cscript.exe //nologo m.vbs
Related SNORT Signatures:
The following SNORT signatures may be useful for identifying SMB exploitation activity related to this threat.