Date post: 10-Aug-2020

[email protected] https://www.xservus.com

WannaCry Ransomware Mitigation Techniques Version 0.3

Author: Daniel Card

On Friday 12th May 2017 malware was released (still not confirmed who patient zero was). This malware (known as WannaCry) leverages a vulnerability in the SMBv1 protocol to install a program which encrypts your data and attempts to spread to other machines on your network and the internet.

The malware quickly spread across the globe, affecting hundreds of countries. Luckily, due to the work of cyber security researchers on the internet (specifically @Malwaretech and @2Sec4U), the threat potential of this particular strain has been reduced dramatically, as Malwaretech managed to enable a global killswitch (https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html).

However, that hasn’t completely stopped the malware spreading (some organisations have blacklisted the kill switch IP address!)


Securing your endpoints

The simplest way to stop the variants currently in the wild is to patch the MS17-010 vulnerabilities (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx); however, there are sometimes constraints which may prevent taking this course of action, or the time to deploy may be lengthy.

If you have Windows XP/Server 2003 endpoints, worry not: Microsoft has taken the unusual step of releasing a hotfix for these two operating systems as well:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

There are, however, some techniques that can be deployed if you are unable to patch.

• Block SMB/CIFS (TCP 445) from being accessible (using a host based firewall e.g. Windows Firewall)

o If you are in a corporate environment you will likely need remote administration capabilities, in which case I’d recommend you restrict TCP 445 so it can only be accessed from a specific IP or subnet (see figure 1)


Figure 1

• Disable SMBv1 (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012)

o Windows 7 – 2008 R2 machines need to make a registry change:

▪ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

o This change requires a reboot (this might work by just restarting the server service)

*WARNING – disabling SMBv1 may cause issues with some devices e.g. backup systems (Arcserve uses SMBv1)

• Disable file and printer sharing

• Use layer 3 network access control lists to block port 445 (except from the management subnet or jump box IP etc.) – think firewalls/routers/switches

• The current strain of malware attempts to connect to a web server; if the connection is successful it does not perform file encryption. So DO NOT BLOCK these addresses:

o www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
o www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
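The two host-level controls above (restricting TCP 445 to a management subnet, then disabling SMBv1) can be scripted and verified in one pass. The script below is an added example and is not part of the original paper; it assumes Windows 8/Server 2012 or later (the NetSecurity and SmbShare PowerShell modules), an elevated session, and a hypothetical management subnet of 10.10.10.0/24. The netsh and registry lines at the end are the equivalent steps for Windows 7/2008 R2, where the newer cmdlets are not available.

```powershell
# Added example (not from the original paper): scope inbound SMB (TCP 445) to a
# management subnet with Windows Firewall, disable SMBv1, and verify the result.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell session,
# and a placeholder management subnet of 10.10.10.0/24.

$MgmtSubnet = "10.10.10.0/24"   # placeholder: replace with your jump box / admin subnet

# 1. Windows Firewall evaluates explicit block rules before allow rules, so a
#    "block 445" rule stacked on top of an "allow from mgmt" rule would block the
#    management hosts too. The reliable pattern is to keep the profile default
#    inbound action at Block and narrow the scope of the built-in allow rules.
Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Inbound |
    Set-NetFirewallRule -Enabled True -RemoteAddress $MgmtSubnet

# 2. Disable the SMBv1 server component (the protocol MS17-010 targets).
#    Set-SmbServerConfiguration is the supported route on Windows 8 / 2012+;
#    the LanmanServer\Parameters\SMB1 registry value is the Windows 7 / 2008 R2 route.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Verify: every inbound File and Printer Sharing rule should now list only the
#    management subnet as its remote scope, and SMB1 should report disabled.
$scoped = Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress |
    Sort-Object -Unique
$leaks = $scoped | Where-Object { $_ -ne $MgmtSubnet }
if ($leaks) {
    Write-Warning "TCP 445 is still reachable from: $($leaks -join ', ')"
} else {
    Write-Output "Inbound SMB restricted to $MgmtSubnet"
}

if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Write-Warning "SMBv1 is still enabled"
} else {
    Write-Output "SMBv1 disabled"
}

# Equivalent steps for Windows 7 / Server 2008 R2 (no NetSecurity or SmbShare module):
# netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in new remoteip=10.10.10.0/24
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
# Restart-Service LanmanServer -Force   # or reboot, as the paper notes
```

Run it once on a test host first: the SMBv1 warning in the paper applies, so anything that still speaks SMBv1 (older backup agents, printers, NAS boxes) will lose access to this machine after step 2, and the firewall scoping in step 1 will cut off any management tool that is not on the chosen subnet.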

There are also additional mitigation options that could be considered such as:

• Use applocker

• Use application white/blacklists

If you want more technical details the following GitHub resource has some great intel and links:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168


Malware Research

So far we’ve set up two honeypots on the internet. These endpoints are unpatched Windows XP SP3 and Windows 7 SP1 virtual machines that have had their defences disabled and port 445 exposed to the internet (and the malware kill switch disabled).

On these isolated endpoints we have enabled auditing and logging and are running continual Wireshark captures to monitor for SMB connections over the internet.

We’ve had these running for hours and, at the time of writing, have not been infected. We have, however, had our XP virtual machine hit with malicious SMB traffic which crashed the server service (so it’s clearly not safe to expose machines directly to the internet).

We’ve started looking at submitted samples; it appears whoever wrote the malware operates a fairly sensible set of hours:


WannaCry Analysis

Attack Vector: SMBv1 vulnerability

Exploit: EternalBlue

C2 Communications: TOR

Payload: Worm & File Encryptor

Propagation: Worm component via SMBv1 exploit

Killswitch: Successful HTTP connection to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com or www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com disables execution


Thanks to @malwareunicorn for this great diagram!

Sinkhole

If you have disabled internet access, ensure you deploy an accessible web server and create DNS records which resolve to this as:

o www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
o www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Cleaning Tips

• Isolate the workload

• Backup the OS drive (and other drives if you have the capacity)

• Backup additional drives decrypter.exe etc.

• Offline clean the OS drive (and possibly the data drives)
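For an environment whose clients cannot reach the internet, the sinkhole above can be built on the internal Windows DNS Server and then checked from a client. The script below is an added example, not part of the original paper; it assumes the DnsServer module (Server 2012 or later), an elevated session on the DNS server, and a hypothetical internal web server at 10.10.20.5 that answers any HTTP GET with a 2xx response. Both the address and the zone replication scope are placeholders to adjust.

```powershell
# Added example (not from the original paper): stand up an internal DNS sinkhole
# for the two kill-switch domains, then confirm from a client that the HTTP
# connection the malware looks for actually succeeds.
# Assumptions: DnsServer module (Server 2012+), elevated session on the DNS
# server, placeholder web server 10.10.20.5 returning 200 OK for any request.

$SinkholeIP = "10.10.20.5"   # placeholder: your always-up internal web server
$KillSwitchDomains = @(
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
)

foreach ($fqdn in $KillSwitchDomains) {
    # A zone named after the full hostname lets a single apex ("@") A record
    # answer exactly the name the malware queries, without touching the parent zone.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope Domain
    }
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name "@" -IPv4Address $SinkholeIP -TimeToLive 00:05:00
}

# Verification from any domain-joined client: resolution must return the
# sinkhole address and the HTTP request must complete. The malware only checks
# that the connection succeeds, so the page content does not matter.
foreach ($fqdn in $KillSwitchDomains) {
    $answer = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop).IPAddress
    $status = (Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing -TimeoutSec 5).StatusCode
    if ($answer -ne $SinkholeIP) { Write-Warning "$fqdn resolves to $answer, not the sinkhole" }
    "{0} -> {1} (HTTP {2})" -f $fqdn, $answer, $status
}
```

The sinkhole web server's access log is also a free detection source: an internal host that requests either of these names is executing the malware, so those log entries are worth forwarding to the SIEM and acting on with the isolation step in the cleaning tips below.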


• Test the OS and application services

General Endpoint Protection

It goes without saying that the following actions go a long way to protecting endpoints:

• Backup

• Patch

• Use firewalls on everything

• Ensure antimalware is deployed, configured as per vendor best practices and up to date

In today’s world, deploying hardened configurations and patching are a must. It’s important to ensure you have the capabilities to secure your business assets, and to maintain and monitor your business, so that your customers and your business assets are protected.

