Post on 10-Aug-2020
info@xservus.com https://www.xservus.com
WannaCry Ransomware Mitigation Techniques Version 0.3
Author: Daniel Card
On Friday 12th May 2017 malware was released (it is still not confirmed who patient zero was). This
malware (known as WannaCry) leverages a vulnerability in the SMBv1 protocol to install a program
which encrypts your data and attempts to spread to other machines on your network and the internet.
The malware quickly spread across the globe, affecting hundreds of countries. Luckily, due to the
work of cyber security researchers on the internet (specifically @Malwaretech and @2Sec4U), the
threat potential of this particular strain has been reduced dramatically, as Malwaretech managed to
enable a global killswitch (https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html).
However, that hasn’t completely stopped the malware spreading (some organisations have
blacklisted the kill switch IP address!).
Securing your endpoints
The simplest way to stop the variants currently in the wild is to patch the MS17-010 vulnerabilities
(https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). However, there are
sometimes constraints which prevent taking this course of action, or the time to deploy may be
lengthy.
If you have Windows XP/Server 2003 endpoints, worry not: Microsoft have taken the unusual step of
releasing a hotfix for these two operating systems as well:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
There are, however, some techniques that can be deployed if you are unable to patch.
• Block SMB/CIFS (TCP 445) from being accessible (using a host based firewall, e.g. Windows
Firewall)
o If you are in a corporate environment you will likely need remote administration
capabilities, in which case I’d recommend you restrict TCP 445 so that it can only be accessed
from a specific IP or subnet (see figure 1)
Figure 1
• Disable SMBv1 (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012)
o Windows 7 – 2008 R2 machines need to make a registry change:
▪ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
o This change requires a reboot (it might also take effect by just restarting the Server service)
*WARNING – disabling SMBv1 may cause issues with some devices, e.g. backup
systems (Arcserve uses SMBv1)
• Disable file and printer sharing
• Use layer 3 network access control lists to block port 445 (except from the management
subnet or jump box IP etc.) – think firewalls/routers/switches
• The current strain of malware attempts to connect to a web server; if the connection is
successful it does not perform file encryption. So DO NOT BLOCK these addresses:
o www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
o www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
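The host-level mitigations above (checking for the patch, the SMBv1 registry change, and restricting TCP 445 on the host firewall to a management subnet) combined into one script, as an added example that is not part of the original document. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the netsh equivalent for Windows 7 / 2008 R2 is in the closing comment); the management subnet 10.10.0.0/24 is a placeholder, and KB4012598 is the hotfix the document cites, so the MS17-010 KB number that applies to other Windows versions has to be added to the list.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original document. Applies the three host-level
# mitigations above on Windows 8 / Server 2012 or later (the NetSecurity
# cmdlets are absent on Windows 7 / 2008 R2; the netsh equivalent is in the
# comment at the end). $ManagementSubnet and the KB list are assumptions.
param(
    # Only this subnet may reach TCP 445 on this host (assumed value)
    [string]$ManagementSubnet = '10.10.0.0/24',
    # KB4012598 is the XP/2003 hotfix the document cites; the MS17-010 KB
    # number differs per OS, so add the one that applies to this host
    [string[]]$Ms17010Kbs = @('KB4012598')
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is an MS17-010 fix already installed? If so, the rest is defence in depth.
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $Ms17010Kbs }
if ($installed) {
    Write-Host "MS17-010 fix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 hotfix from the list found; applying workarounds.'
}

# 2. Disable the SMBv1 server (the registry change given in the document).
#    Takes effect after a reboot or a restart of the Server (LanmanServer) service.
Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
$smb1 = (Get-ItemProperty -Path $lanmanKey -Name SMB1).SMB1
Write-Host "LanmanServer SMB1 = $smb1 (0 = disabled)"

# 3. Restrict TCP 445 to the management subnet. Windows Firewall evaluates
#    Block rules before Allow rules, so a blanket block on 445 would also cut
#    off the management subnet. Instead keep the profile default at Block and
#    narrow the remote scope of the built-in SMB allow rules.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Set-NetFirewallRule -RemoteAddress $ManagementSubnet -Enabled True

# 4. Report every enabled inbound rule that still opens 445, with its scope,
#    so the result can be verified before the host goes back into service.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-45} action={1} remote={2}' -f $_.DisplayName, $_.Action, $scope
    }

# Windows 7 / 2008 R2 equivalent of step 3, from an elevated command prompt:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
#   netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip=10.10.0.0/24
```

The firewall step deliberately narrows the existing allow rules rather than adding a Block rule, because a Block rule for 445 with a remote scope of Any would take precedence over any Allow rule for the management subnet. The final report is what you would keep as evidence that the host no longer accepts SMB from anywhere but the management subnet.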
There are also additional mitigation options that could be considered, such as:
• Use AppLocker
• Use application white/blacklists
If you want more technical details, the following GitHub resource has some great intel and links:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
Malware Research
So far we’ve set up two honeypots on the internet. These endpoints are unpatched Windows XP SP3
and Windows 7 SP1 virtual machines that have had their defences disabled and port 445 exposed to
the internet (and the malware kill switch disabled).
On these isolated endpoints we have enabled auditing and logging, and are running continual Wireshark
captures to monitor for SMB connections over the internet.
We’ve had these running for hours and, as of the time of writing, have not been infected. We have, however,
had our XP virtual machine hit with malicious SMB traffic which crashed the Server service (so it’s
clearly not safe to expose machines directly to the internet).
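One way to turn the auditing and logging mentioned above into something reviewable, as an added example that is not part of the original document: with Windows Filtering Platform connection auditing enabled on the honeypot, the Security log records every permitted (event 5156) and blocked (event 5157) connection, and the functions below summarise inbound TCP 445 attempts by source address and flag sources outside the RFC 1918 and loopback ranges. The sample records are constructed, and the function names and the private-range test are mine, not the document's.

```powershell
# Added example, not from the original document. Summarises inbound TCP 445
# connection attempts recorded by Windows Filtering Platform auditing.
# Enable the audit policy once, from an elevated prompt:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
# Event 5156 = connection permitted, 5157 = connection blocked.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 and loopback; anything else is treated as internet-sourced
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function ConvertFrom-WfpEvent {
    # Pull the fields we need out of a real 5156/5157 EventLogRecord
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            EventId       = $Record.Id
            Direction     = $d['Direction']      # %%14592 = inbound, %%14593 = outbound
            Protocol      = [int]$d['Protocol']  # 6 = TCP
            SourceAddress = $d['SourceAddress']
            DestPort      = [int]$d['DestPort']
        }
    }
}

function Get-InboundSmbSources {
    param([Parameter(Mandatory)] [object[]]$Events)
    $Events |
        Where-Object { $_.Direction -eq '%%14592' -and $_.Protocol -eq 6 -and $_.DestPort -eq 445 } |
        Group-Object SourceAddress |
        ForEach-Object {
            [pscustomobject]@{
                SourceAddress = $_.Name
                Attempts      = $_.Count
                Blocked       = @($_.Group | Where-Object EventId -eq 5157).Count
                Internet      = -not (Test-PrivateIPv4 $_.Name)
            }
        } | Sort-Object Attempts -Descending
}

# Constructed sample records standing in for the Security log (not real data)
$sample = @(
    [pscustomobject]@{ EventId=5156; Direction='%%14592'; Protocol=6; SourceAddress='198.51.100.23'; DestPort=445 }
    [pscustomobject]@{ EventId=5156; Direction='%%14592'; Protocol=6; SourceAddress='198.51.100.23'; DestPort=445 }
    [pscustomobject]@{ EventId=5157; Direction='%%14592'; Protocol=6; SourceAddress='203.0.113.9';   DestPort=445 }
    [pscustomobject]@{ EventId=5156; Direction='%%14592'; Protocol=6; SourceAddress='10.10.0.5';     DestPort=445 }
    [pscustomobject]@{ EventId=5156; Direction='%%14593'; Protocol=6; SourceAddress='10.10.0.5';     DestPort=445 }   # outbound, ignored
    [pscustomobject]@{ EventId=5156; Direction='%%14592'; Protocol=6; SourceAddress='198.51.100.23'; DestPort=3389 }  # not SMB, ignored
)
Get-InboundSmbSources -Events $sample | Format-Table -AutoSize

# Against the live Security log on the honeypot (last hour):
# Get-InboundSmbSources -Events (Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5156,5157; StartTime=(Get-Date).AddHours(-1) } |
#     ConvertFrom-WfpEvent) | Format-Table -AutoSize
```

On the constructed sample this reports 198.51.100.23 with two attempts, 203.0.113.9 with one (blocked) and 10.10.0.5 with one, the first two flagged as internet sources; the outbound record and the RDP record are filtered out. The same audit events are available on any production host, so the same query works as a lightweight check for unexpected SMB sources without a packet capture.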
We’ve started looking at submitted samples; it appears whoever wrote the malware operates a fairly
sensible set of hours:
WannaCry Analysis
Attack Vector: SMBv1 vulnerability
Exploit: EternalBlue
C2 Communications: TOR
Payload: Worm & File Encryptor
Propagation: Worm component via SMBv1 exploit
Killswitch: Successful HTTP connection to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com or
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com disables execution
Thanks to @malwareunicorn for this great diagram!
Sinkhole
If you have disabled internet access, ensure you deploy an accessible web server and create DNS
records which resolve the following names to it:
o www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
o www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
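The sinkhole described above, as an added example that is not part of the original document: on a Windows DNS server it creates a primary zone for each kill-switch domain, points the www record at an internal web server, and then verifies both the lookup and a plain HTTP GET (the malware only needs the connection to succeed; the response content is irrelevant). The sinkhole address 10.10.0.50 and the zone file names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original document. Publishes the two kill-switch
# hostnames in internal DNS so they resolve to an internal web server, then
# checks that resolution and an HTTP request both work. Needs the DnsServer
# module (run on a Windows DNS server). $SinkholeIp is an assumed value.
param(
    [string]$SinkholeIp = '10.10.0.50',   # internal web server; any HTTP 200 will do
    [string[]]$KillSwitchHosts = @(
        'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
        'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
    )
)

Import-Module DnsServer

foreach ($fqdn in $KillSwitchHosts) {
    $zone = $fqdn -replace '^www\.', ''

    # Create a primary zone for the domain if it is not already hosted here
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
    }

    # Add the www A record unless one already exists (Add-* errors on duplicates)
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name 'www' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $SinkholeIp -TimeToLive 00:05:00
    }
}

# Verify from this host: does each name resolve to the sinkhole, and does a
# plain HTTP GET get a response? A short TTL above keeps a later change quick.
foreach ($fqdn in $KillSwitchHosts) {
    $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
    $ok = ($answer.IPAddress -contains $SinkholeIp)
    try {
        $code = (Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing -TimeoutSec 5).StatusCode
    } catch {
        $code = 'no response'
    }
    '{0,-55} resolves-to-sinkhole={1} http={2}' -f $fqdn, $ok, $code
}
```

Run the verification loop from a client in each subnet you care about, not only on the DNS server: a host whose resolver points elsewhere (or that has the kill-switch domains blocked in a proxy) will still show "no response", which is exactly the state the Sinkhole section warns against.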
Cleaning Tips
• Isolate the workload
• Back up the OS drive (and other drives if you have the capacity)
• Back up additional drives, decrypter.exe, etc.
• Offline clean the OS drive (and possibly the data drives)
• Test the OS and application services
General Endpoint Protection
It goes without saying that the following actions go a long way to protecting endpoints:
• Backup
• Patch
• Use firewalls on everything
• Ensure antimalware is deployed, configured as per vendor best practices and up to date
In today’s world, deploying hardened configurations and patching are a must. It’s important to
ensure you have the capabilities to secure your business assets, and to maintain and monitor your
business so that your customers and your business assets are protected.