It seems to be turning into a trend for attackers to strike just before a weekend, anticipating that engineering and cyber security staff are out of office. Late on Friday afternoon our engineering teams geared up for a busy Mother's Day weekend, courtesy of the WannaCry ransomware. Our various teams put extra measures in place at our managed services clients to limit the risk of infection and the spread of this malware. Our clients who had already deployed the MS17-010 patches had some relief; where patches had been missed, additional layers of defence were implemented in most cases. Although Forcepoint had already blocked the primary domain associated with the malware, the malware does not appear to be proxy aware, so in all likelihood it would attempt to bypass the proxy and connect directly. There have been many articles and much hype around this malware because it uses the recently released ShadowBrokers Microsoft vulnerabilities to spread. Here are some points to help protect your environment:
- Initial infection was rumoured to be via email with an infected attachment, but no samples have been seen. Regardless, your email defences need to include sandboxing or other technologies to detect this if it does spread via email.
- When the ransomware runs, various EXEs and files are created – see this McAfee KB for exact details of the files and registry settings to look out for.
- The malware has a “killswitch”. When it sees that the following domain
(hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) is active, it quits without encrypting. This check will not go via your proxy, so you will need to look in your DNS logs. New variants appear to use different domains for this function. It is recommended to monitor but not block this activity.
- The malware will attempt to spread by exploiting vulnerabilities described in MS17-010 – it is best to deploy this patch within your organisation. Microsoft have gone as far as releasing patches for Windows XP and Windows Server 2003. We can expect to see other malware exploiting this vulnerability, so deploying this patch should be HIGH priority.
- Patching is first prize, but if for some reason you are unable to apply patches, consider disabling SMBv1. This will prevent the vulnerability from being exploited remotely.
- Various threat intel sources have details of domains, IP Addresses and file hashes to keep an eye out for.
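To act on the killswitch point above, here is an added example (not part of the original post) that scans DNS query logs for lookups of the killswitch domain and reports which internal hosts made them; a host that resolved the domain has likely run the malware and quit, so it is a candidate for investigation rather than something to block. It assumes a simplified, constructed log format of `<timestamp> <client_ip> <query_name>`; the watchlist is editable because later variants use other domains.

```python
import re
from collections import defaultdict

# Killswitch domain quoted in the post (first WannaCry variant). Later
# variants use other domains, so this is kept as an editable watchlist.
KILLSWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample log in a simplified "<timestamp> <client_ip> <query_name>"
# format. Real DNS server logs (Windows DNS debug log, BIND query log) have
# their own layouts and need their own line parser.
SAMPLE_DNS_LOG = """\
2017-05-12T16:03:11Z 10.10.4.23 www.example.com
2017-05-12T16:03:15Z 10.10.4.57 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T16:04:02Z 10.10.4.23 updates.example.net
2017-05-12T16:05:40Z 10.10.4.57 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T16:07:09Z 10.10.9.101 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name):
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return name.rstrip(".").lower()


def find_killswitch_lookups(log_text, watchlist=KILLSWITCH_DOMAINS):
    """Return {client_ip: [timestamps]} for clients that queried a watchlisted name."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        ts, client, qname = m.groups()
        if normalise(qname) in watchlist:
            hits[client].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(find_killswitch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} killswitch lookup(s), first at {times[0]}")
```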
There is some risk that employees with laptops that do not have the MS17-010 patch may get infected at home over the weekend, and that those laptops will then be brought back into the organisation on Monday and spread the malware further. Again, the MS17-010 patch will prevent further spreading in this case.