On 12 May, a mass ransomware attack started hitting hospitals, telecom service providers, universities and other institutions worldwide, using the malware WannaCry (also known as WanaCrypt0r 2.0). It was found to be perpetrated by exploiting a known flaw in the Microsoft Windows SMB Server, MS17-010. Given the nature of its impact, all organisations should treat this as high risk and address it by patching vulnerable Windows systems.
This vulnerability was discovered earlier this year and was claimed to have been exploited by the US Government’s National Security Agency, according to a trove of documents dumped by the hacking group Shadow Brokers. It is believed that WannaCry’s initial infections were, yet again, a weaponised document delivered via e-mail.
For Help AG managed security service customers, the security operations centre has reviewed and searched for indicators of compromise to detect any presence of this attack, and found that none of its customers were impacted based on the available logs. Help AG’s security operations centre also looked for suspicious successful SMB connections that might indicate the presence of this malware, and found none.
Compromise indicators
WannaCry is a worldwide ransomware campaign that encrypts files with the extensions listed below and appends the .wcry extension to the file name. It is reported to use the Windows SMB vulnerability, patched in Microsoft bulletin MS17-010, for lateral movement. Who is affected? Any entity running vulnerable Windows systems that do not have the necessary patches installed.
Encrypted file extensions
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
Compromised sample types
Sanitising emails
Most malware delivery happens by tricking victims into clicking on links or opening malicious attachments, so a strong e-mail filtering gateway is advised. The major issue here is that seemingly harmless attachments can create a lot of damage within an organisation, aiding in everything from credential theft to crypto-malware.
Today there are technologies available which look at inbound e-mails and deconstruct attachments, meaning they break each attachment up into its functional elements and then reconstruct it without the potentially harmful parts. An example could be a Word file sent to you with a macro embedded in it. With the correct technology that Word file can still be delivered to the user, but only after the macro has been removed from the file.
Help AG works with OPSWAT on data sanitisation. The solution is installed as a mail transfer agent after your existing e-mail defences and therefore does not require any change to user behaviour. Help AG integrates OPSWAT with sandbox solutions, which means you can perform behaviour-based analysis on e-mail attachments.
Threat intelligence
If you are using Next Generation Security Platforms, it can be beneficial to look at enabling Threat Intelligence Feeds. As an example, in Palo Alto Networks the WildFire feature set is worth investigating, in Cisco the AMP feature set, and in Fortinet the Advanced Intelligence Subscriptions.
Threat isolation
Threat isolation is a new technology which has recently started to appear. It works by executing websites in a centralised isolation platform and then delivering only the rendered web page to the user of the solution.
The benefit is that your privileged user’s machine never executes any client-side components, and is therefore also isolated from attacks from websites or potential URL phishing. Help AG works with Menlo Security on these technologies.
Application whitelisting
Application whitelisting can be a very efficient way of dealing with such ransomware, as it can stop untrusted executables from running on your machines. Help AG works with a number of vendors which have application whitelisting solutions, including Carbon Black Protect and Symantec Endpoint Protection. Palo Alto Networks recently added signing certificate validation to the TRAPS platform, which can also add value. Please note that there are big differences in the capabilities of each platform, but if you have any of them deployed you should investigate how you can use it to harden your environment.
Recommended practices
- Ensure there are backups available of all critical systems and data
- If you are using encrypted backups, make sure you have a backup of the key material used to encrypt them in offsite storage
- Without that key material it is technically impossible to recreate systems from the backed-up data
- Review Microsoft Security Bulletin MS17-010 and apply the update
- Update systems to latest version or patch as reported by manufacturer
- For systems without vendor support or an available patch, it is recommended to isolate them from the network or turn them off as appropriate
- Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445, together with the related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices
- Discover which systems within your network are susceptible to attack through this Windows vulnerability, so that they can be isolated, updated and/or shut down
- Do not open attachments from untrusted email addresses
- Avoid opening Microsoft Office files from untrusted sources
- It is recommended to back up data and create a restore point
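The two SMB points above (sessions on TCP 445/139 should never cross the network boundary, and the worm spreads host to host over SMB inside the network) as a detection check a SOC could run over firewall logs. This is an added example, not Help AG's or any vendor's tooling; the log line format, the internal range 10.0.0.0/8, the fan-out threshold and all addresses are constructed here.

```python
# Added example, not from the advisory; log format and addresses are constructed.
import ipaddress, re
from collections import defaultdict
from datetime import datetime
SMB_PORTS = {445, 139}                         # TCP ports the advisory says to block
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
FANOUT_THRESHOLD, WINDOW_SECONDS = 4, 60       # distinct SMB peers per window before alerting
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\S+)$")
SAMPLE_LOG = """\
2017-05-12 10:00:01 10.0.1.20 -> 10.0.1.21:445 ALLOW
2017-05-12 10:00:02 10.0.1.20 -> 10.0.1.22:445 ALLOW
2017-05-12 10:00:03 10.0.1.20 -> 10.0.1.23:139 ALLOW
2017-05-12 10:00:04 10.0.1.20 -> 10.0.1.24:445 ALLOW
2017-05-12 10:00:30 10.0.1.30 -> 10.0.1.40:445 ALLOW
2017-05-12 10:00:59 10.0.1.20 -> 198.51.100.9:445 ALLOW
2017-05-12 10:02:00 10.0.1.31 -> 10.0.1.50:80 ALLOW
"""

def parse(log_text):
    """Return (timestamp, src, dst, port, action) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)),
                           int(m.group(4)), m.group(5)))
    return events

def boundary_smb(events):
    """Allowed SMB sessions leaving the internal range: the boundary should have dropped these."""
    return [e for e in events
            if e[3] in SMB_PORTS and e[4] == "ALLOW" and e[1] in INTERNAL and e[2] not in INTERNAL]

def smb_fanout(events):
    """Map source -> peer count for hosts reaching FANOUT_THRESHOLD distinct SMB peers in a window."""
    by_src = defaultdict(list)
    for ts, src, dst, port, action in events:
        if port in SMB_PORTS and action == "ALLOW":
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):    # slide a window starting at each session
            peers = {d for t, d in conns[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(peers) >= FANOUT_THRESHOLD:
                alerts[str(src)] = len(peers)
                break
    return alerts
```

On the constructed sample, `boundary_smb` flags the single session to 198.51.100.9 and `smb_fanout` flags 10.0.1.20, which reached five distinct SMB peers within one minute.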