WannaCry Ransomware Campaign: Threat Details and Risk Management
Mandiant
Written by: John Miller, David Mainor
UPDATE 3 (May 17 – 7:00 p.m. ET)
We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic causes the malware to actually query www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test. The malware will encrypt your files only if it cannot contact this domain (specifically, if it cannot make a successful HTTP request to the resolution of the domain). Security researchers were able to register these “killswitch” domains for previous variants to stop encryption; however, this particular domain cannot be registered, since the .test TLD is reserved by the Internet Engineering Task Force (IETF) for testing purposes only. So, if this malware infects a system, the infrastructure killswitch approach used to date cannot be applied to stop encryption.
Organizations seeking to protect themselves from this latest variant can still “locally” sinkhole the domain by adding a DNS A-record to their DNS server and translating the domain to any of the existing sinkhole IPs.
We are currently investigating how widely this new variant has spread. It is possible that this variant could spread rapidly – similarly to the variant that emerged on May 12 – if positioned with the ability to contact a large number of machines exposed to the SMB vulnerability.
UPDATE 2 (May 17 – 12:45 p.m. ET)
FireEye has analyzed a number of systems infected with WannaCry. Figure 2 depicts the real-time process execution events from a Windows 7 system infected with WannaCry via the EternalBlue SMB exploit. Of particular note is that the parent process of the mssecsvc.exe dropper is lsass.exe (which indicates that the system was compromised by the SMB exploit that injects a dll into lsass.exe). Additionally, all malware specific processes are owned by system accounts (e.g. NT AUTHORITY\SYSTEM and BUILTIN\Administrators) and not the primary user of the system.
Figure 2: Real-time process execution events
Systems successfully infected with WannaCry will scan random IP addresses very rapidly (about 25 IP addresses per second) for open TCP 445 ports (the port used for SMB communications) and if open will attempt to spread the WannaCry infection using the EternalBlue SMB exploit. Figure 3 depicts the real-time TCPv4 network connection events from a Windows 7 system infected with WannaCry.
Figure 3: Real-time TCPv4 network connection events
UPDATE (May 16 – 8:00 p.m. ET)
On May 15, we observed at least two new killswitch domains being used by WannaCry variants, ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com (This domain matches the format of WannaCry-associated domains, but has not yet been clearly linked to a specific sample. Organizations wish to maintain awareness of this domain in the event that it is associated with WannaCry activity.) and iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. These domains were also sinkholed. Again, we currently lack visibility as to whether these changes were implemented by the original distributors or a third party modifying distributed samples.
Attribution
At this time, multiple potential attribution scenarios for the WannaCry activity are viable. We are continuing to investigate all potential attribution scenarios.
Financially-motivated cyber criminals are typically responsible for ransomware operations, with many such actors operating independently worldwide; however, as of yet, none of these actors have been identified as a strong candidate for attributing the WannaCry operation.
Some aspects of the WannaCry operation suggest the operators may not be highly sophisticated and may not have anticipated the malware would spread as widely as it has. One of these aspects is the aforementioned killswitch functionality. Sophisticated malware developers experienced with combatting security countermeasures might have anticipated this functionality would constitute a threat to the malware’s success. Another aspect is that identified ransom payments have been reported to be relatively low thus far, suggesting the operators’ payment system may not have been equipped to handle the outcome of worldwide infections.
Numerous open-source reports allege potential North Korean involvement in this campaign. Based on FireEye’s initial analysis, the code similarities cited between allegedly North Korea-linked malware and WannaCry constitute a potential lead worth further investigation, but are not unique enough independent of other evidence to be clearly indicative of common operators.
See the bottom of the post for a list of related MD5s, URLs, Tor sites, executables, registry keys, files created, file strings, processes started, and SNORT signatures.
The following is the blog as originally published on May 15.
Since May 12, 2017, a highly prolific WannaCry ransomware campaign has been observed impacting organizations globally. WannaCry (aka WCry or WanaCryptor) malware is self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft Server Message Block (SMB) protocol. The malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands $300 or $600 USD (via Bitcoin) to decrypt the data. The malware uses encrypted Tor channels for command and control (C2) communications.
Based on our analysis, malicious binaries associated with WannaCry activity are comprised of two distinct components, one that provides ransomware functionality – acting very similar to WannaCry malware samples reported before May 12 – and a component used for propagation, which contains functionality to enable the discussed scanning and SMB exploitation capabilities.
Given the rapid and prolific distribution of this ransomware, FireEye iSIGHT Intelligence considers this activity to pose a significant risk to all organizations using potentially vulnerable Windows machines.
Infection Vector
WannaCry exploits a Windows SMB vulnerability to enable propagation after having established a foothold in an environment. This propagation mechanism can distribute the malware both within the compromised network and over the public internet. The exploit used is codenamed “EternalBlue” and was leaked by Shadow Brokers. The exploited vulnerability, was patched in Microsoft MS17-010.
Based on our analysis, the malware spawns two threads. The first thread enumerates the network adapters and determines which subnets the system is on. The malware then generates a thread for each IP on the subnet. Each of these threads attempt to connect to the IP on TCP port 445 and, if successful, attempt exploitation of the system. An example of an attempt to exploit a remote system can be seen in Figure 1.
Figure 1: WannaCry network traffic attempting SMB exploit
In response to the use of this exploited vulnerability, Microsoft has provided specific risk management steps for WannaCry.
While WannaCry ransomware has spread primarily through SMB exploitation, its operators may also use other distribution methods. Early reports suggested WannaCry was spread through malicious links in spam messages; however, FireEye has been unable to corroborate that information from any of our investigations to date.
Regardless of the original infection vector, WannaCry operators could adopt any delivery mechanism common to ransomware activity, such as malicious documents, malvertising, or compromises of high-traffic sites. In light of this campaign's high impact thus far and the uncertainties as to early distribution vectors, organizations should consider any common malware delivery vector a potential source of WannaCry infection.
Malware Characteristics
Each of the WannaCry variants identified to date (that had worm-like functionality) included a killswitch that a number of security researchers have used to prevent the malware from encrypting files. However, operators could eliminate or modify this feature, as demonstrated by the emergence of multiple variants with new a domain.
- Upon infecting a victim machine, the WannaCry package that began spreading on May 12 attempts to contact: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the malware could successfully reach this domain, based on FireEye's testing, it would not perform encryption or self-propagation (some organizations have reported the malware will continue to self-propagate in this case, but we have not confirmed this behavior in test environments). This domain was registered by a security professional on May 12, apparently stopping encryption behavior for many infections. The WannaCry developers may have intended this killswitch functionality to serve as an anti-sandbox analysis measure.
- On May 14, a variant surfaced with a new killswitch domain: www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This domain was also sinkholed, ostensibly causing the killswitch behavior to disable any WannaCry infections that contacted the domain. Whether this domain contact change was implemented by the original distributors or a third party modifying distributed samples is unclear.
- Also on May 14, a new variant was identified that does not contain the domain contact killswitch functionality. However, this change may have been implemented by a third party after the malware was compiled rather than by the operators. The ransomware component of this variant appears corrupted and does not function in test environments.
Impact
Despite encouraging reports of waning threat activity, WannaCry continues to pose significant risks. Given this malware's effective repropagation mechanisms, virtually any organization that hasn’t applied Microsoft’s recommended mitigation mechanisms is at potential risk of attempted WannaCry propagation. Furthermore, the emergence of new variants demonstrates the operators could remove WannaCry's killswitch functionality if desired, or significantly modify it to avoid countermeasures taken thus far. Public reports demonstrate that incidents associated with the WannaCry ransomware family have occurred in many countries.
Risk Management
Organizations seeking to protect themselves from this threat should read Microsoft's blog on addressing the associated SMB exploitation.
The rapid, prolific distribution of this ransomware has influenced swift, proactive updates to FireEye’s entire portfolio of detection technologies, threat intelligence analysis and recommendations and consulting services.
FireEye’s Network, Email, and Endpoint products have ransomware detection capabilities that can proactively detect and, if deployed inline, or with Exploit Guard enabled, can block new ransomware (including WannaCry) distributed through web and email infection vectors. WannaCry operators could leverage these popular delivery mechanisms at any time. Should this occur, FireEye product customers would be alerted by the following alerts:
- HX: WMIC SHADOWCOPY DELETE, WANNACRY RANSOMWARE, *Ransom.WannaCryptor.*, or Trojan.Generic*. Exploit Guard and Anti-Virus alert names will depend on delivery mechanism and variants.
- NX/EX: Malware.Binary.exe, Trojan.Ransomware.MVX, Ransomware.Wcry.*, FE_Ransomware_WannaCry.*, Trojan.SinkholeMalware, or Malicious.URL
- EX only: Phish.URL or FE_EMAIL_MALICIOUS_EXM_*
- TAP: WANNACRY RANSOMWARE
FireEye products also detect later stage WannaCry activity, such as command and control communications and host indicators for existing WannaCry infections. Additionally, FireEye PX (Network Forensics) sensors deployed internally and monitored by FireEye as a Service (FaaS) can detect SMB propagation traffic. Customers can leverage confirmed indicators to hunt for possible infections. These indicators have been deployed to FireEye HX (Endpoint) customers and are available on the MySIGHT intelligence portal for iSIGHT subscription customers.
Network proxies and other enterprise network security features may prevent the malware from contacting its killswitch domain and inadvertently trigger encryption. Organizations may wish to adjust their proxy configurations or other network configurations to avoid this problem.
Additionally, organizations can leverage the following indicators of compromise to identify potentially related activity. These have been obtained during preliminary analysis of associated samples and continuing investigation.
Related Sample MD5s:
0156edf6d8d35def2bf71f4d91a7dd22
0156edf6d8d35def2bf71f4d91a7dd22
0279e96244d8d8fa636c8f38baff99d7
05a00c320754934782ec5dec1d5c0476
06e235714dfa46e0ef3d15e45331ebe1
09431f379fc1914685f93f56c2400133
0cb40a8a51539e2c5727c3ec87af8a56
0fb1ce09b168987ce7f47bcd82fa034d
1177e33203cb8b1d71fe9147364328fe
13d702666bb8eadcd60d0c3940c39228
16aa3809de7a2a87d97de34ed7747638
18ad48cf2ed0cfeda8636187169ab181
1c615bf80a47848f17f935e689ae7ee2
246c2781b88f58bc6b0da24ec71dd028
2822abbaff89f989a4377b3c54067540
29365f675b69ffa0ec17ad00649ce026
2b4e8612d9f8cdcf520a8b2e42779ffa
2ca9ea7966269b22b5257f7a41817e1f
3175e4ba26e1e75e52935009a526002c
31dab68b11824153b4c975399df0354f
32f5d4bb6e967ac8c15950322b69975b
340a0e61c7f9b4e17e66e5114b1fffdb
3600607ab080736dd31859c02eaff188
36ebcf590480009be4c9c2259982a71a
38089fd3b6f1faa54cfe974fd1e29f0a
3c1ab42f5dd52f217ec57d270ffc8960
3c6375f586a49fc12a4de9328174f0c1
42fcf5f97f224c53a0434856016c706c
4362e287ca45a4862b7fe9ecaf46e985
468d1f5e0b048c16fd6d5364add58640
46d140a0eb13582852b5f778bb20cf0e
4e1f1183a31740618213f4e4c619b31c
4fef5e34143e646dbf9907c4374276f5
509c41ec97bb81b0567b059aa2f50fe8
546c1d3e78d9a0c676648e1230b8d454
54a116ff80df6e6031059fc3036464df
573a15b128431309c6af6caeb27dd44c
57aaa19f66b1eab6bea9891213ae9cf1
57b5c96abfd7ab5f33d9e3c20067687a
5902d0ea85b00f59a44c6d1c9174da56
59815ca85fa772753ca37fa0399c668c
59fc71209d74f2411580f6e1b6daf8d8
5bef35496fcbdbe841c82f4d1ab8b7c2
638f9235d038a0a001d5ea7f5c5dc4ae
6a4041616699ec27b42f98bbf111a448
707282fc5832e4674a2b5904b4115202
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7ecd842a3e9b1bcb3bb70b98220a563b
7f7ccaa16fb15eb1c7399d422f8363e8
80a2af99fd990567869e9cf4039edf73
82fc5885862b097be5ec9ec2176e30f1
82fd8635ff349f2f0d8d42c27d18bcb7
835fff032c51075c0c27946f6ebd64a3
8495400f199ac77853c53b5a3f278f3e
84a912cc30e697c4aab6978fb2fceb7c
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8d8e65121556519531ff64c1ed0bfe09
8dd63adb68ef053e044a5a2f46e0d2cd
8ff9c908dea430ce349cc922cee3b7dc
92cc807fa1ff0936ef7bcd59c76b123b
93ebec8b34a4894c34c54cca5039c089
947d69c0531504ee3f7821574ea405a7
9503af3b691e22149817edb246ea7791
96714005ac1ddd047a8eda781249d683
96dff36b5275c67e35097d77a120d0d4
998ea85d3e72824a8480d606d33540a6
a0a46b3ea8b643acd8b1b9220701d45d
a155e4564f9ec62d44bf3ea2351fd6ce
a2ded86d6ddc7d1fca74925c111d6a95
a6aad46f69d3ba3359e4343ab7234bb9
abcb7d4353abee5083ddd8057c7cd1ff
b0ad5902366f860f85b892867e5b1e87
b27f095f305cf940ba4e85f3cb848819
b6043ef3f8b238e4f5be6e2aa061c845
b675498639429b85af9d70be1e8a8782
b6ded2b8fe83be35341936e34aa433e5
b77288deb5e9ebced8a27c5ea533d029
b7f7ad4970506e8547e0f493c80ba441
b8a7b71bfbde9901d20ab179e4dead58
bdda04ebcc92840a64946fc222edc563
be70ee98253ae9ebbf91af35da829ee0
be74e91f1ef8b4cb9e3918911e429124
bec0b7aff4b107edd5b9276721137651
c2559b51cfd37bdbd5fdb978061c6c16
c39ed6f52aaa31ae0301c591802da24b
c61256583c6569ac13a136bfd440ca09
cb97641372f4e31670574cc4faa5df59
cee8d1683a187a477ee319c2ddd09d4d
cf1416074cd7791ab80a18f9e7e219d9
d545a745c4fc198798e590b00ba7dd59
d5dcd28612f4d6ffca0cfeaefd606bcf
d6114ba5f10ad67a4131ab72531f02da
d724d8cc6420f06e8a48752f0da11c66
db349b97c37d22f5ea1d1841e3c89eb4
df535dcb74ab9e2ba0a63b3519eee2bb
e16b903789e41697ecab21ba6e14fa2b
e372d07207b4da75b3434584cd9f3450
eb7009df4951e18ccbe4f035985b635c
efa8cda6aa188ef8564c94a58b75639f
f0d9ffefa20cdadf5b47b96b7f8d1f60
f107a717f76f4f910ae9cb4dc5290594
f351e1fcca0c4ea05fc44d15a17f8b36
f4856b368dc74f04adb9c4548993f148
f529f4556a5126bba499c26d67892240
f9992dfb56a9c6c20eb727e6a26b0172
f9cee5e75b7f1298aece9145ea80a1d2
fa44f2474ba1c807ad2aae6f841b8b09
fad4b98c046f693513880195c2bef2dd
ff81d72a277ff5a3d2e5a4777eb28b7b
Related URLs:
iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
Ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com (This domain matches the format of WannaCry-associated domains, but has not yet been clearly linked to a specific sample. Organizations wish to maintain awareness of this domain in the event that it is associated with WannaCry activity.)
Related Tor Sites:
57g7spgrzlojinas[.]onion
76jdd2ir2embyv47[.]onion
cwwnhwhlz52maqm7[.]onion
gx7ekbenv2riucmf[.]onion
sqjolphimrr7jqw6[.]onion
Xxlvbrloxvriy2c5[.]onion
Related Executables:
C:\Windows\mssecsvc.exe
C:\Windows\tasksche.exe
Related Registry Keys:
HKEY_LOCAL_MACHINE\Software\WanaCrypt0r
Related Files Created:
%TEMP%\m.vbs
%TEMP%\b.wrny
%TEMP%\c.wrny
taskse.exe
taskdl.exe
@Please_Read_Me@.txt
@WanaDecryptor@.exe
Related File Strings:
Wanna Decryptor 1.0
Wana Decrypt0r
Wana Decryptor
WANNACRY
WanaCrypt0r
WANACRY!
WNcry@2ol7
Note: Additional files with .wncry extensions may be created.
Related Processes Started:
cscript.exe //nologo m.vbs
Related SNORT Signatures:
The following SNORT signatures may be useful for identifying SMB exploitation activity related to this threat.