I’m sure by now, you’ve all heard of the Wannacrypt (Wannacry, and variants) worm actively exploiting Microsoft operating systems. This worm carrying a ransomware payload actively exploits CVE-2017-0145, which is triggered with a specially crafted packet to a targeted SMBv1 server. Microsoft released a fix for this vulnerability on March 14, 2017.
The worm and ransomware utilize multiple vectors, including the use of droppers which attempt to connect to domains with an interesting twist. If the dropper is able to communicate with the domains, the dropper does not attempt to infect the system with ransomware, but instead stops execution.
If Administrators block the dropper domains, prohibiting the dropper from making a successful connection to the domains, the dropper actually continues with the ransomware drop, and attempts to infect other systems.
The two domains from the original variants noted are:
There’s a multitude of technical data out on this specific piece of ransomware and exploit, so we’ll not dive into the gory technical details here.
Many discussions and viewpoints have been tossed around on why this specific exploit and vector gained traction. Obviously patching would have provided the utmost protection against WannaCrypt, but there can be many reasons an organization hasn’t yet implemented patches: outdated and/or unsupported operating systems, a lack of a security program, policies, or understanding, or other inhibiting issues within the organization. Endpoint security solutions and proper firewall or access controls, along with patching, would prevent WannaCrypt (WannaCry, etc.) from exploiting and propagating throughout an organization’s infrastructure. It’s not just the organization that needs to be aware of these issues, but also vendors. Microsoft still ships Windows 10 with SMBv1 enabled by default. While I can respect that legacy scenarios do exist, best practices should be implemented by default with a new operating system, and customers can enable legacy functionality as required.
Red Sky Labs Testing
Red Sky Labs is tasked with testing vendor solutions to validate the efficacy of products, as well as the operational fit and use cases of products. Red Sky Labs selected several endpoint security vendors already in the lab to test against WannaCrypt. As of the time of writing, the four vendors tested were able to detect and block WannaCrypt from infecting test Windows images. We would expect most if not all vendors to detect this attack/ransomware at this point in time. In fact, this vulnerability/attack isn’t stealthy, nor is it the most elegantly written ransomware, so endpoint security providers who were unable to detect it initially should really look at how their technology works. More information from the vendors tested is included in the links below.
- BitDefender - https://www.bitdefender.com/news/massive-ransomware-attack-targets-more-than-70-countries-bitdefender-customers-have-been-safe-all-along-3289.html
- Cylance - https://www.cylance.com/en_us/blog/cylance-vs-wannacry-wanacrypt0r-2-0.html
- Sentinel One - https://sentinelone.com/blogs/wanacrypt0r-wreaks-havoc-worldwide/
- Palo Alto Traps - http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attacks/
- Block port 445 at perimeter network points
- Disable SMBv1 unless absolutely required
- Install patches across affected systems
- If you’re infected, use clean-up tools from your vendors, but don’t expect to have your files decrypted
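The first three recommendations above, turned into a host-level audit script as an added example (not from the Red Sky post). It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare, NetSecurity and DISM PowerShell modules, an elevated session, and that you fill in the MS17-010 KB id for your OS (a placeholder here, since the post does not list one).

```powershell
# Added example (not from the Red Sky post): audit a Windows host against the
# SMBv1 / port 445 / patch recommendations. Read-only unless -Remediate is given.
function Invoke-SmbHardeningCheck {
    [CmdletBinding()]
    param(
        # Placeholder: the MS17-010 KB id differs per OS and is not given in the post.
        [string]$PatchKB = 'KB<MS17-010-id-for-this-OS>',
        [switch]$Remediate
    )

    # 1. SMBv1 server protocol, the surface CVE-2017-0145 is reached through.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning 'SMBv1 server protocol is ENABLED.'
        if ($Remediate) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            # Remove the optional feature too; a reboot completes the removal.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    } else { Write-Output 'SMBv1 server protocol: disabled' }

    # 2. Inbound TCP/445 from untrusted (Public profile) networks. The post asks
    #    for a perimeter block; this is the host-level equivalent for roaming hosts.
    $ruleName = 'Block inbound SMB (TCP 445) on Public networks'
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        Write-Warning "No host firewall rule '$ruleName'."
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Profile Public -Action Block | Out-Null
        }
    } else { Write-Output "Firewall rule present: $ruleName" }

    # 3. Patch check. The fix shipped March 14, 2017; even with the KB id unknown,
    #    a host whose newest update predates that is clearly unpatched.
    $hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
    $newest = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    if (-not $hotfix) {
        Write-Warning "$PatchKB not found; newest installed update: $newest"
    } else { Write-Output "$PatchKB installed on $($hotfix.InstalledOn)" }
}

Invoke-SmbHardeningCheck              # audit only
# Invoke-SmbHardeningCheck -Remediate # disable SMBv1 and add the TCP/445 block rule
```

Domain-joined servers that legitimately serve SMB should keep the firewall change scoped to the Public profile as written; the perimeter block the post recommends still belongs on the edge devices.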
While it may not always be possible to patch, Red Sky Applied Research always recommends ensuring all systems are updated with critical patches as quickly as possible. Along with patches/updates and endpoint security solutions, strong firewall and traffic controls that prevent internal hosts from sending or receiving SMB to and from the Internet help prevent future SMB-based exploits from impacting your systems. A strong security framework, with policies and programs in place, along with education, will continue to provide the baseline for building on and increasing an organization’s security posture. It’s not always simple to patch a system, but ensuring that the other mitigating controls which should be in place actually are in place helps protect against ransomware and exploits that use communication channels and exploit vectors to successfully infect and propagate within an organization’s environment.