Situation Report
GRA Quantum is actively monitoring the rapid proliferation and widespread impact of the WannaCry ransomware campaign (also known as WannaCrypt, WCry, or WanaCryptor) that disrupted operations around the world, and we are fervently spearheading clients’ incident response efforts. This Situation Report summarizes what experts at GRA Quantum and other cybersecurity firms and law enforcement authorities have confirmed since the campaign emerged on 12 May 2017.
What, How, Who:
WannaCry is ransomware that encrypts an infected machine’s files and directs users to pay a ransom of $300 or $600 in bitcoins to recover their encrypted files. It spreads throughout internal networks and the Internet by exploiting a Windows Server Message Block (SMB) protocol vulnerability that impacts all versions of Windows except Windows 10. The exploit, codenamed EternalBlue, was released by an attack group calling themselves the ShadowBrokers. This group claims to have stolen EternalBlue and a range of other exploits and tools from the NSA. As of 15 May, two variations of the ransomware have been identified.
Emerging reports suggest that the WannaCry ransomware shares code with samples attributed to North Korea’s Lazarus Group, known for being an advanced persistent threat. There is a possibility that the shared code is a false flag. On 16 May, the ShadowBrokers announced monthly subscription-based data dumps threatening newer operating systems, financial institutions, and nation-state weapons programs.
Update 14:06 05/23/17:
Symantec outlines the links between the WannaCry campaign and North Korea’s Lazarus Group: here
Impact:
Initial reports of WannaCry’s impact focused on severe disruptions to the hospitals and clinics of Britain’s National Health Service. However, the ransomware seized normal operations in hundreds of thousands of organizations in nearly every sector and country. Firms in China and Russia were hardest hit. This has been attributed to the widespread use of pirated software and lax security protocols in those countries. Users of Microsoft’s legacy operating systems, particularly Windows XP, 7, 8, and Server 2003, also experienced the majority of infections. Prior to the WannaCry campaign, only Windows 10 received a security update that patched the vulnerability exploited by EnternalBlue.
There is no fix for infected and encrypted machines at this time. Encrypted files will remain inaccessible unless a weakness in the encryption scheme used by WannaCry is discovered.
Update 10:13 05/19/17:
Files on infected machines may be recoverable. See Global Response Efforts.
Update 16:15 05/27/17:
Kasperksy Lab reports that over 95 percent of infection occurred on machines running Windows 7.
Global Response Efforts:
Microsoft has now patched the vulnerability in Microsoft MS17-010 for supported and unsupported versions of Windows, including 8, XP and Server 2003. Users and administrators are implored to install the patch immediately, prioritizing critical systems.
Two kill-switch domains were identified and preemptively registered by @MalwareTechBlog and @msuiche. WannaCrypt remains dormant if the following domains are accessible:
hxxp://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
It is important to note that WannaCry is not proxy-aware and will infect machines if it cannot reach the kill-switch domains directly. The kill-switch domains do not prevent WannaCry from spreading, so it is advised to block outbound SMB traffic.
@MinervaLabs has developed a free WannaCry vaccinator. WannaCry passes over machines that exhibit a specific mutex infection marker (identified by Didier Stevens and @gN3mes1s). The vaccinator creates infection markers on machines to protect them from known versions of WannaCry.
Update 10:13 05/19/17:
WannaCry deletions are scheduled to begin on 19 May 2017. However, @threatintel is reporting that WannaCry lacks the capability to delete encrypted files.
@adriengnt, a French security researcher, has devised a tool that recovers encryption keys from memory. It has been confirmed to work on Windows XP and 7 and may work on every version of Windows. Do not restart infected machines: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d?gi=ac68c99fe4c9
@symantec reports that files are recoverable in some circumstances: https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
A new killswitch appeared in the wild: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
Interesting Observations:
The WannaCry campaign may not have been intended to yield any real profit and appears amateurish. Bitcoins may be familiar to many people, but obtaining and transferring bitcoins remains a largely enigmatic process for the lay public. Most ransomware provide clear directions for purchasing and transferring bitcoins. While WannaCry ostensibly offers guidance, reports suggest that it is neither clear nor useful. This may be part of the reason that despite its global impact, WannaCry has reaped a relatively paltry sum of under $80,000. Smaller-scale and lower-profile attacks have yielded sums in the tens of millions. This is just one of the numerous mistakes and oversights that characterize WannaCry, including the lack of payment verification mechanisms and the use of hardcoded Bitcoin addresses.
Despite these mistakes, the core functionality of WannaCry—self-propagation—should not be overlooked. Future campaigns could easily avoid the mistakes made by WannaCry’s developers and retain the ransomware’s prolificacy. Furthermore, the factors that are fueling rampant ransomware attacks remain unaddressed.
Key Takeaways:
Robust Patch Management is Essential – While Microsoft has been criticized for failing to release patches for critical vulnerabilities on older systems, organizations were and continue to be slow in installing available patches. The success and persistence of the campaign highlights endemic inadequacies in organizational patch management both in day-to-day operations and amid malicious campaigns.
Back Up Regularly and Keep a Copy Offline – WannaCry encrypts not only its host but all networked and connected peripherals, including backups over SMB. To facilitate rapid recovery, organizations should back up data regularly and store an encrypted copy offline and completely disconnected from the network and Internet.
Understand Your Network Architecture and Take Control – In response to WannaCry, we recommend quarantining infected endpoints and segmenting and limiting both SMB and Remote Desktop Protocol (RDP) traffic. This and other critical responses require a comprehensive understanding of your organization’s network architecture. More importantly, robust network security and an optimized network architecture limit the potential impact of threats, including WannaCry.
Patching and Remediation Resources:
@Demisto has produced an excellent overview of critical steps to prevent or respond to WannaCry.
*Image taken from MalwareTech Tracker at 16:57 05/17/2017.
