A major ransomware attack has affected thousands of organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as “WannaCry.”
The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading in a worm-like fashion, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in Bitcoin. It is important to note that this threat does not simply scan internal ranges to identify where to spread; it is also capable of spreading by exploiting vulnerable, externally facing hosts across the internet.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. The backdoor is typically installed following successful exploitation of the SMB vulnerabilities addressed in Microsoft Security Bulletin MS17-010. It is associated with an offensive exploitation framework that was recently released to the public as part of the Shadow Brokers cache.
Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.
WannaCry does not appear to rely solely on the ETERNALBLUE module of this framework; it also scans accessible servers for the presence of the DOUBLEPULSAR backdoor.
Where it identifies a host that has already been implanted with this backdoor, it simply uses the existing backdoor functionality to infect the system with WannaCry.
In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.
Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.
Cisco observed an uptick in scanning of our internet-facing honeypots starting shortly before 5am EST (9am UTC) on May 12.
Cisco Umbrella researchers first observed requests for one of WannaCry’s kill switch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 requests nearly 10 hours later.
The domain composition looks almost human typed, with most characters falling into the top and home rows of a keyboard.
Communication to this domain might be categorized as a kill switch domain due to its role in the overall execution of the malware.
The subroutine attempts an HTTP GET to this domain; if the request fails, the malware continues the infection, but if it succeeds, the subroutine exits. The domain is registered to a well-known sinkhole, effectively causing this sample to terminate its malicious activity.
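Because the kill switch lookup happens before the infection routine runs, a DNS query for this domain from an internal host is a strong sign that the sample executed there, whether or not the sinkhole answered. The following Python script is an added example (not Talos or Cisco code) that sweeps a DNS query log for the kill switch domain named above and reports which clients looked it up and how lookups are distributed per hour, mirroring the timeline Umbrella observed. The log line format and the sample lines are constructed for the example; adapt the regular expression to your resolver's export format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Kill switch domain named in the post, stored defanged and normalised at load time.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

# Constructed sample DNS query log (timestamp, client IP, queried name).
# The line format is hypothetical, not any vendor's export format.
SAMPLE_DNS_LOG = """\
2017-05-12T07:24:01Z 10.1.2.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
2017-05-12T07:24:03Z 10.1.2.15 www.example.com
2017-05-12T08:10:44Z 10.1.7.22 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA[.]COM.
2017-05-12T09:02:10Z 10.1.2.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
2017-05-12T17:31:59Z 10.1.9.4 update.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Undo defanging, drop a trailing dot and lower-case so FQDN variants compare equal."""
    return name.replace("[.]", ".").rstrip(".").lower()


def parse_dns_log(text):
    """Yield (timestamp, client_ip, normalised_qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the sweep
        ts, client, qname = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, normalize(qname)


def find_kill_switch_queries(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for every client that looked up the kill switch."""
    hits = defaultdict(list)
    for ts, client, qname in parse_dns_log(text):
        if qname == domain:
            hits[client].append(ts)
    return dict(hits)


def hourly_counts(text, domain=KILL_SWITCH_DOMAIN):
    """Count kill switch lookups per UTC hour, keyed "YYYY-MM-DDTHH"."""
    counts = Counter()
    for ts, _client, qname in parse_dns_log(text):
        if qname == domain:
            counts[ts.strftime("%Y-%m-%dT%H")] += 1
    return counts


if __name__ == "__main__":
    for client, times in sorted(find_kill_switch_queries(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} lookup(s), first at {min(times).isoformat()}Z")
    for hour, n in sorted(hourly_counts(SAMPLE_DNS_LOG).items()):
        print(f"{hour}:00 UTC  {n}")
```

Each client returned by `find_kill_switch_queries` should be isolated and examined, since a lookup that reached the sinkhole means the sample ran but stopped short of encrypting; a lookup that was blocked or failed means the infection routine continued.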
An initial file, mssecsvc.exe, drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created; this service executes mssecsvc.exe with a different entry point than the initial execution. This second execution determines the IP address of the infected machine and attempts to connect to TCP port 445 of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is established and data is transferred; Cisco Talos believes this network traffic is an exploit payload. It has been widely reported that this exploits the recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. Cisco currently does not have a complete understanding of the SMB traffic or of exactly what conditions need to be present for the malware to spread using this method.
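The subnet sweep on TCP 445 described above is easy to pick out of flow or firewall logs: a single workstation rarely talks SMB to dozens of distinct peers in its own /24 within seconds. The script below is an added example (not Cisco or Talos code) that builds a constructed connection log in the hypothetical form `timestamp src dst dport`, then flags any source that reaches at least `min_targets` distinct hosts on port 139 or 445 inside a sliding time window, and reports what fraction of those targets sit in the source's own /24. The thresholds are assumptions to be tuned against a baseline; file servers and vulnerability scanners will need allow-listing.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}


def make_sample_log():
    """Build a constructed connection log: 'timestamp src dst dport' per line."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    # Constructed: host 10.1.2.15 sweeps its own /24 on TCP 445 within two seconds.
    for i in range(1, 41):
        ts = t0 + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()}Z 10.1.2.15 10.1.2.{i} 445")
    # Constructed: a normal workstation uses one file server and one HTTPS site.
    lines.append(f"{t0.isoformat()}Z 10.1.9.4 10.1.2.200 445")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()}Z 10.1.9.4 203.0.113.10 443")
    return "\n".join(lines)


def parse_conn_log(text):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts.rstrip("Z")), src, dst, int(dport)


def detect_smb_fanout(text, window=timedelta(seconds=60), min_targets=20):
    """Flag sources that reach >= min_targets distinct hosts on an SMB port inside
    one sliding window. Returns {src: {"targets": n, "same_subnet_fraction": f}}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_conn_log(text):
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        best = set()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {dst for _, dst in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_targets:
            inside = sum(1 for d in best if ipaddress.ip_address(d) in src_net)
            alerts[src] = {"targets": len(best),
                           "same_subnet_fraction": inside / len(best)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(make_sample_log()).items():
        print(f"ALERT {src}: {info['targets']} SMB targets in window, "
              f"{info['same_subnet_fraction']:.0%} in its own /24")
```

A high `same_subnet_fraction` matches the internal sweep the post describes; the same logic run on perimeter flow logs (where the destinations are external) would surface the internet-facing spread mentioned earlier in the post.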
The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a drive letter such as ‘C:/’ or ‘D:/’. The malware then checks for files with one of the file extensions listed in the appendix and encrypts them using 2048-bit RSA encryption.
While the files are being encrypted, the malware creates a new directory, ‘Tor/’, into which it drops tor.exe and the nine DLL files used by tor.exe. Additionally, it drops two further files, taskdl.exe and taskse.exe: the former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the user’s desktop. @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note; the encryption is performed in the background by tasksche.exe.
tor.exe is executed by @wanadecryptor@.exe. This newly executed process initiates network connections to Tor nodes, which allows WannaCry to attempt to preserve anonymity by proxying its traffic through the Tor network.
As is typical of other ransomware variants, the malware also deletes any shadow copies on the victim’s machine in order to make recovery more difficult. It achieves this using WMIC.exe, vssadmin.exe and cmd.exe.
WannaCry uses various methods to aid its execution, using attrib.exe to set the +h (hidden) attribute on its files and icacls.exe to grant full access rights to all users: “icacls . /grant Everyone:F /T /C /Q”.
The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware were written by a different individual than whoever developed the service module. Potentially, this means that the structure of this malware can be reused to deliver and run different malicious payloads.
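The shadow copy deletion and the attrib/icacls changes in the two paragraphs above all show up as child processes with distinctive command lines, which makes them good process-creation (Sysmon event ID 1 or Windows 4688 style) detections. The Python below is an added example, not Talos or Cisco code: it encodes those behaviours as regular-expression rules, runs them over a constructed set of process-creation events in a hypothetical `(host, parent image, command line)` form, and only flags a host when two or more distinct behaviours fire, so a lone administrator running attrib or icacls does not page anyone. The icacls argument string is quoted from the post; the vssadmin and wmic forms are the standard Windows commands for deleting shadow copies.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"


# Rules derived from the behaviours the post attributes to WannaCry. The vssadmin
# and wmic command forms are the standard Windows ways to delete shadow copies;
# the icacls argument string is quoted from the post.
RULES = [
    Rule("shadow copies deleted via vssadmin",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("shadow copies deleted via wmic",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("icacls grants Everyone full control recursively",
         re.compile(r"\bicacls(\.exe)?\b.*/grant\s+Everyone:F\b.*/T\b", re.I)),
    Rule("attrib sets the hidden attribute",
         re.compile(r"\battrib(\.exe)?\b.*\s\+h\b", re.I)),
]

# Constructed sample process-creation events: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("ws-17", "tasksche.exe", "attrib +h ."),
    ("ws-17", "tasksche.exe", "icacls . /grant Everyone:F /T /C /Q"),
    ("ws-17", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("ws-17", "cmd.exe", "wmic shadowcopy delete"),
    ("ws-03", "explorer.exe", "attrib -r report.docx"),
    ("ws-03", "cmd.exe", "icacls C:\\share /grant Alice:R"),
]


def match_rules(cmdline):
    """Names of every rule whose pattern matches this command line."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def rule_hits_by_host(events):
    """Map each host to the set of distinct rule names its processes triggered."""
    hits = defaultdict(set)
    for host, _parent, cmd in events:
        for name in match_rules(cmd):
            hits[host].add(name)
    return dict(hits)


def flagged_hosts(events, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired; requiring more
    than one keeps a lone administrative attrib or icacls from paging anyone."""
    return sorted(h for h, names in rule_hits_by_host(events).items()
                  if len(names) >= min_rules)


if __name__ == "__main__":
    for host in flagged_hosts(SAMPLE_EVENTS):
        print(host, "->", ", ".join(sorted(rule_hits_by_host(SAMPLE_EVENTS)[host])))
```

Shadow copy deletion on its own already deserves a high-severity alert in most environments; the correlation across rules is there to add the attrib and icacls signals, which are individually noisy, without losing precision.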
After encryption is complete, the malware displays the following ransom note. One interesting aspect of this ransomware variant is that the ransom screen is actually an executable file and not an image, HTA file or text file.
Organizations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible as paying the ransom directly funds development of these malicious campaigns.
Mitigation and Prevention
Organizations looking to mitigate the risk of compromise should follow these recommendations:
- Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
- In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic to those ports.
Additionally, organizations should strongly consider blocking connections to Tor nodes and Tor traffic on their networks. Known Tor exit nodes are listed within the Security Intelligence feed of ASA Firepower devices; enabling blacklisting of this feed will prevent outbound communications to the Tor network.
In addition to the mitigations listed above, Talos strongly encourages organizations to adopt the following industry-standard best practices to prevent this and similar campaigns.
- Ensure your organization is running an actively supported operating system that receives security updates.
- Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
- Run anti-malware software on your system and ensure you regularly receive malware signature updates.
- Implement a disaster recovery plan that includes backing up data to, and restoring it from, devices that are kept offline. Adversaries frequently target backup mechanisms to limit the chances that a user can restore their files without paying the ransom.
Snort Rule: 42329-42332, 42340, 41978
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella prevents DNS resolution of the domains associated with malicious activity.
Cisco’s recommendation: OpenDNS service stops malware in domain name resolution
Cisco OpenDNS delivers safer, faster and highly intelligent domain name resolution by providing an advanced DNS analytics service to users and enterprises. Because it has collected and consolidated a list of malware websites through multiple patented technologies, the OpenDNS analytics service is able to identify and indicate whether a website is associated with malware when a user visits a suspected site. OpenDNS provides an anti-phishing database and integrates collection, consolidation and dissemination services for malware and phishing websites.
Home users can download the OpenDNS service for free via https://www.opendns.com/home-internet-security.
Cisco OpenDNS brings value to users including:
- Stops URL connections to malware websites
- Stops the “connect back” behavior of C&C networks
- Reviews connections to C&C servers over the internet and blocks the route by which ransomware updates its key