Cyber Alert: WannaCry Ransomware
Date Issued: May 15, 2017
The MS-ISAC is aware of a new ransomware variant based off of Crypt.XXX called WannaCry. WannaCry encrypts files on the system and demands an average payment of $300 in bitcoins and will be doubled three days after the infection. If no payment has been received after seven days, the files on the affected system will be deleted. WannaCry leverages the EternalBlue exploit that was made public in April by the ShadowBrokers. EternalBlue utilizes a known SMB vulnerability affecting most versions of Windows. Systems that have already had Microsoft’s MS17-010 security patch applied are not vulnerable to the EternalBlue exploit used by WannaCry. The MS-ISAC originally released a cyber security advisory on March 14, 2017, detailing the specifics of this vulnerability and recommending that MS17-010 be applied.
To help slow down the progress of infection world-wide, Microsoft has released patches for legacy operating systems and a link is located in the references below.
The MS-ISAC is aware of open source reporting indicating potential modifications to the WannaCry ransomware.
- Initial version: The original infection called out to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and will cease functioning if a successful response is received. An individual in the UK has registered this domain and therefore, any new infections of this variant of WannaCry are harmless. However, additional variants of the ransomware may not use this method of rendering the malware inert, therefore patching of systems is recommended.
- First Modification: The infection calls out to ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This variant has also been mitigated following the registration of the domain.
- Second Modification: Original infection removing the call out domain “kill switch.” The field indicating the callout domain is marked null. This variant has a corrupted ransomware payload and has not been identified in the wild.
- The MS-ISAC is aware of another, similar domain, that is potentially related to the campaign: iaaerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
US-CERT issued three updates to the alert at: https://www.us-cert.gov/ncas/alerts/TA17-132A/. This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. The changes correct syntax in the provided Yara rules and include links to the updated Microsoft patches for End of Life Systems.
- Microsoft Windows Vista, 7, 8.1, RT 8.1, 10
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
- Microsoft Windows Server Core Installations 2008, 2008 R2, 2012, 2012 R2, 2016
- Microsoft Windows; XP SP2/SP3, Embedded SP3, 8 RT
- Microsoft Windows Server 2003 SP 2
MS-ISAC recommends organizations work to determine if older versions of the identified software are currently running on systems and develop a proper migration plan to ensure software is upgraded appropriately:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point.
- It is advised to immediately remove un-patchable hosts from the network
- Consider generating alerts involving outbound traffic to the CNC IPs listed in the Cisco/Talos Blog and investigate activity that would be considered unexpected for a host
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.