WannaCry Ransomware Using SMB Vulnerability

The SMB vulnerabilities within security bulletin MS17-010 are critical vulnerabilities that have also been used to propagate other malware - see Adylkuzz Cryptocurrency Mining Malware (CC-1416).

Threat ID:: CC-1411
Category:: Ransomware
Threat Severity:: High
Threat Vector:: Exploit, Insecure network
Published:: 12 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

The SMB vulnerabilities within security bulletin MS17-010 are critical vulnerabilities that have also been used to propagate other malware - see Adylkuzz Cryptocurrency Mining Malware (CC-1416).

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows: XP, Vista, 7, 8, 8.1 and 10
Windows Server, 2003, 2008, 2008 R2, 2012, 2012 R2 and 2016

Please Note: Patches are available for all systems including Windows XP and Server 2003.

Threat details

These vulnerabilities are highly likely to be used by future malware variants to achieve local and remote network self-propagation. The patching of all affected versions should be prioritised.

This attack was not specifically targeted at the NHS and is affecting many organisations around the world from a range of sectors.

The ransomware is called WannaCry, Wanna Decryptor, Wanna Cryptor, WanaCrypt0r or WCry version 2.0 and spread quickly around the world after it was first detected on 12th May.

The malware encrypts files and provides the user with a prompt which includes a ransom demand, a countdown timer and Bitcoin wallet to pay the ransom into. It uses strong encryption and targets specific often-used files such as documents, videos and pictures. At the time of publication there is no known decryption method.

WannaCry ransomware is propagated using the SMB EternalBlue and DoublePulsar attack methodology (CC-1353) which exploits the SMB vulnerabilities patched in Microsoft Security Bulletin MS17-010. SMB is a legacy protocol used to share files and printers across local networks

This attack methodology leverages unpatched hosts with vulnerable SMB file sharing services to propagate malware through local and remote networks (such as the internet, N3/Transition Network, HSCN & PSN) spreading similar to a worm.

The spread of the malware is dependent on NetBIOS and SMB communication ports being left open on hosts and at perimeter firewalls.

Once a system is infected, the malware first checks whether a specific internet domain, Connectivity to these kills switch domains needs to be maintained to limit the spread of the malware:

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (WannaCry Ransomware)
www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.] com (Uiwix Ransomware)
www[.][iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The malware is not proxy aware: when the malware connects to a kill switch domain via a proxy server, and a successful connection response is identifiable as the proxy server instead of the kill switch domain the malware will execute its payload.

If the malware can connect to a kill switch domain the malware stops running:

We believe the malware looks for the killswitch domain to be active once per day, and if it is present then the malware ceases to deploy the malicious elements, i.e. the machine will not cryptolock and the malware will not spread.
At this stage of infection, Anti-Virus software with the latest malware signatures installed should be able to detect and remove the virus before further damage can be caused.

If the malware cannot connect to the kill switch domain:

The payload is executed and the encryption and self-propagation process begins.
At this stage of infection infected machines will need to be quarantined and rebuilt to remove the malware.

The malware randomly generates internal and external IP addresses and attempts to initiate communications. If a host is found with open NetBIOS ports, three NetBIOS session setup packets are sent.

The malware sends SMB packets containing the exploit shell code and an encrypted payload.

During these communications the malware utilises two hardcoded IP addresses (192.168.56.20, 172.16.99.5) to communicate.

Note: General information about this ransomware outbreak is available on the National Cyber Security Centre website:

https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance

Update 07 Aug 2018

New ransomware has been observed that calls itself 'WannaCryV2.' At the time of publication there is no evidence of a link between this ransomware and WannaCry.

Threat updates

Date	Update
7 Aug 2018	New ransomware has been observed that calls itself 'WannaCryV2.' At the time of publication there is no evidence of a link between this ransomware and WannaCry.

Remediation steps

Type	Step
	Ensure that the two kill switch domains are not blocked by firewalls because they stop some variants of the malware from running: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (WannaCry Ransomware) www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.] com (Uiwix Ransomware) www[.][iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com Organisations who have disconnected from the internet or who maintain a proxy server are recommended to implement a local webserver which resolves via local DNS servers (or via configuration of local host files) to the kill switch domains. This will limit the spread of WannaCry and Uiwix Ransomware. Ensure all systems are protected with the latest AV definitions If your network becomes infected immediately report it to your AV provider for investigation and patching Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of this malware. Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation's operating systems to protect you from the spread of this malware (especially if your organisation is running out of support operating systems). Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and re-names) and manually run scans on critical areas such as servers and shared network file storage. SMB Vulnerability Remediation Note: Remediating the vulnerability does not remove an existing infection - any infected system may require quarantining, rebuilding to patched standard and redeploying. Block SMB related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment Use a Port scanner to confirm UDP 137, 138 and TCP 139, 445 are locked down Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010. Microsoft has additionally recommended updating with all security patches released within the last 60 days - internet and N3 facing systems should be prioritised. Because of the high severity of this vulnerability Microsoft has taken the highly unusual step of releasing a patch for out of support operating systems including Windows XP, Windows 8, and Windows Server 2003. For further information see Microsoft Customer guidance for WannaCry attacks Use a vulnerability scanner (such as Nessus, OpenVas or Microsoft Baseline Security Analyser) to identify any unpatched systems. Follow Microsoft's guidance How to verify that MS17-010 is installed If it is not possible to apply this patch then block SMB related ports (UDP 137, 138 and TCP 139, 445) across your organisation's network or disable SMB If your organisation has SMB port 445 exposed on any system then review if this is operationally necessary (including the use of NetBIOS ports UDP 137 & 138 and NetBIOS over TCP/IP TCP Ports 137 & 139) as SMB and NetBIOS are both legacy protocols that may no longer be required within your environment. If you are using SMBv1 in your environment (which is now 30 years old) and lacks security features of later version migrate to a more secure SMB version as described in the Microsoft Blog - Stop using SMB1 Advice to NHS staff NHS Staff are advised to ensure their home computers have Windows automatic updates enabled and AV software installed which is automatically updated with the latest definitions. This will help protect their personal computers and the wider internet community at large. Securing RDP If RDP is not used then ensure: Port 3389 is blocked at your internet firewall If RDP is used: Ensure only authorised users are granted RDP permissions. Authorised users have a strong password. RDP connections are protected with multifactor authentication. For additional security only allow RDP to run through VPN connections. Ransomware Remediation For full ransomware remediation please see the Best Practice Guide Ransomware - Controls to avoid infection. It is not recommended to pay any ransom; there is no guarantee that paying a ransom will unlock the encrypted files or that the integrity of the files will be maintained. It could additionally increase the likelihood of your organisation being targeted in future campaigns. Responding to an Outbreak This section is designed to help organisations respond to an outbreak and consists of two section (1) Containment and Eradication and (2) Recovery. 1) Containment and Eradication Because the malware is able to self-propagate to vulnerable local and remote computers the following containment and Eradication activities should be performed. These actions can be broken down into a number of work streams which can be performed across different teams: Stream 1 - Identify and quarantine all systems infected with the malware. Immediately quarantine all newly identified infected systems. Clearly label all quarantined devices and do not reconnect them to the network until they have been reimaged, patched and updated with the latest AV definitions. Identify basic file IOC's on quarantined machines: Identify if files are encrypted with .wncry and .uiwix or if files are encrypted with a different fill extension. Use offline AV scanners such as Windows Defender Offline with up to date detection signatures to scan quarantined machines. Ensure users report all infections to the IT helpdesk. Infected devices should be immediately disconnected from the network and investigated by an IT analyst. Identify all shared network storage the logged in user of the infected machine has access to and search these file shares for IOC (Indicator of Compromise) files: File extension: .wncry and .uiwix Ransom note name: @[email protected] If IOC files are found on shared network storage: If file auditing is enabled: identify users that wrote IOC files to the share. More info If file auditing is not enabled: attempt to manually identify users that wrote IOC files to the share. More info Set up a file screening rule and alert on shared network storage to identify system administrators whenever an IOC file is written to a network share. File extension: .wncry and .uiwix Ransom note name: @[email protected] By using Windows File Server Resource Manager FSRM (or the equivalent for your file storage servers or SAN's operating system) you can identify IOC files as they’re written and capture the name of the logged in user and computer the IOC file was written by. Immediately quarantine all newly identified infected computers Examine network connections for attempts to access the kill switch domains - this is a sign of an infection on your network - Note: The malware does not specify a user agent (null) when it connects to these domains. Monitor connections attempts to the two hardcoded IP addresses within the malware: 192.168.56.20 & 172.16.99.5 Stream 2 – Patch the vulnerability that enables malware to propagate throughout a network. Apply the “SMB Vulnerability Remediation” Stream 3 – Ensure all systems are updated with the latest AV (Anti-Virus) definitions Apply the “Ensure all systems are protected with the latest AV definitions” remediation Stream 4 - Implement additional technical controls to prevent the malware from propagating Update Intrusion Detection Systems (IDS) signatures to identify and block connections to the two hardcoded IP Addresses: 192.168.56.20 & 172.16.99.5 Ensure connectivity is maintained to the kill switch domain - See the kill switch domain remediation. 2) Recovery Cleaning quarantined machines Scenario 1 - For machines where the initial infection is present but are not cryptolocked (i.e. where the malware has successfully connected to a kill switch domain and now remains in a dormant state). Anti-Virus software with the latest malware signatures installed may be able to detect and remove the virus before further damage can be caused. Confirm with your antivirus provider that the latest .dat files are available and updated to address this specific threat. Use offline AV scanners such as Windows Defender Offline with up to date detection signatures to scan quarantined machines. Scenario 2 - For cryptolocked machines Fully reimage/rebuild to patch standard (including MS17-010) , protect with the latest AV definitions and redeploy. Further information see the Best Practice Guide: Ransomware - Preparing for an Outbreak

Type

Step

Ensure that the two kill switch domains are not blocked by firewalls because they stop some variants of the malware from running:

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (WannaCry Ransomware)
www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.] com (Uiwix Ransomware)
www[.][iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Organisations who have disconnected from the internet or who maintain a proxy server are recommended to implement a local webserver which resolves via local DNS servers (or via configuration of local host files) to the kill switch domains. This will limit the spread of WannaCry and Uiwix Ransomware.

Ensure all systems are protected with the latest AV definitions

If your network becomes infected immediately report it to your AV provider for investigation and patching
Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of this malware.
Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation's operating systems to protect you from the spread of this malware (especially if your organisation is running out of support operating systems).
Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and re-names) and manually run scans on critical areas such as servers and shared network file storage.

SMB Vulnerability Remediation

Note: Remediating the vulnerability does not remove an existing infection - any infected system may require quarantining, rebuilding to patched standard and redeploying.

Block SMB related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
Use a Port scanner to confirm UDP 137, 138 and TCP 139, 445 are locked down
Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010. Microsoft has additionally recommended updating with all security patches released within the last 60 days - internet and N3 facing systems should be prioritised. Because of the high severity of this vulnerability Microsoft has taken the highly unusual step of releasing a patch for out of support operating systems including Windows XP, Windows 8, and Windows Server 2003. For further information see Microsoft Customer guidance for WannaCry attacks
Use a vulnerability scanner (such as Nessus, OpenVas or Microsoft Baseline Security Analyser) to identify any unpatched systems.
Follow Microsoft's guidance How to verify that MS17-010 is installed
If it is not possible to apply this patch then block SMB related ports (UDP 137, 138 and TCP 139, 445) across your organisation's network or disable SMB
If your organisation has SMB port 445 exposed on any system then review if this is operationally necessary (including the use of NetBIOS ports UDP 137 & 138 and NetBIOS over TCP/IP TCP Ports 137 & 139) as SMB and NetBIOS are both legacy protocols that may no longer be required within your environment.
If you are using SMBv1 in your environment (which is now 30 years old) and lacks security features of later version migrate to a more secure SMB version as described in the Microsoft Blog - Stop using SMB1

Advice to NHS staff

NHS Staff are advised to ensure their home computers have Windows automatic updates enabled and AV software installed which is automatically updated with the latest definitions. This will help protect their personal computers and the wider internet community at large.

Securing RDP

If RDP is not used then ensure:

Port 3389 is blocked at your internet firewall

If RDP is used:

Ensure only authorised users are granted RDP permissions.
Authorised users have a strong password.
RDP connections are protected with multifactor authentication.
For additional security only allow RDP to run through VPN connections.

Ransomware Remediation

For full ransomware remediation please see the Best Practice Guide Ransomware - Controls to avoid infection.

It is not recommended to pay any ransom; there is no guarantee that paying a ransom will unlock the encrypted files or that the integrity of the files will be maintained. It could additionally increase the likelihood of your organisation being targeted in future campaigns.

Responding to an Outbreak

This section is designed to help organisations respond to an outbreak and consists of two section (1) Containment and Eradication and (2) Recovery.

1) Containment and Eradication

Because the malware is able to self-propagate to vulnerable local and remote computers the following containment and Eradication activities should be performed. These actions can be broken down into a number of work streams which can be performed across different teams:

Stream 1 - Identify and quarantine all systems infected with the malware.

- Immediately quarantine all newly identified infected systems.
  - Clearly label all quarantined devices and do not reconnect them to the network until they have been reimaged, patched and updated with the latest AV definitions.
  - Identify basic file IOC's on quarantined machines: Identify if files are encrypted with .wncry and .uiwix or if files are encrypted with a different fill extension.
  - Use offline AV scanners such as Windows Defender Offline with up to date detection signatures to scan quarantined machines.
  - Ensure users report all infections to the IT helpdesk. Infected devices should be immediately disconnected from the network and investigated by an IT analyst.
  - Identify all shared network storage the logged in user of the infected machine has access to and search these file shares for IOC (Indicator of Compromise) files:
  - - File extension: .wncry and .uiwix
    - Ransom note name: @[email protected]
  - If IOC files are found on shared network storage:
  - If file auditing is enabled: identify users that wrote IOC files to the share. More info
  - If file auditing is not enabled: attempt to manually identify users that wrote IOC files to the share. More info
  - Set up a file screening rule and alert on shared network storage to identify system administrators whenever an IOC file is written to a network share.
  - - File extension: .wncry and .uiwix
    - Ransom note name: @[email protected]

By using Windows File Server Resource Manager FSRM (or the equivalent for your file storage servers or SAN's operating system) you can identify IOC files as they’re written and capture the name of the logged in user and computer the IOC file was written by. Immediately quarantine all newly identified infected computers

- Examine network connections for attempts to access the kill switch domains - this is a sign of an infection on your network - Note: The malware does not specify a user agent (null) when it connects to these domains.
- Monitor connections attempts to the two hardcoded IP addresses within the malware: 192.168.56.20 & 172.16.99.5

Stream 2 – Patch the vulnerability that enables malware to propagate throughout a network.

- Apply the “SMB Vulnerability Remediation”

Stream 3 – Ensure all systems are updated with the latest AV (Anti-Virus) definitions

- Apply the “Ensure all systems are protected with the latest AV definitions” remediation

Stream 4 - Implement additional technical controls to prevent the malware from propagating

- Update Intrusion Detection Systems (IDS) signatures to identify and block connections to the two hardcoded IP Addresses: 192.168.56.20 & 172.16.99.5
- Ensure connectivity is maintained to the kill switch domain - See the kill switch domain remediation.

2) Recovery

Cleaning quarantined machines

Scenario 1 - For machines where the initial infection is present but are not cryptolocked (i.e. where the malware has successfully connected to a kill switch domain and now remains in a dormant state).

Anti-Virus software with the latest malware signatures installed may be able to detect and remove the virus before further damage can be caused.

Confirm with your antivirus provider that the latest .dat files are available and updated to address this specific threat.
Use offline AV scanners such as Windows Defender Offline with up to date detection signatures to scan quarantined machines.

Scenario 2 - For cryptolocked machines

Fully reimage/rebuild to patch standard (including MS17-010) , protect with the latest AV definitions and redeploy.

Further information see the Best Practice Guide: Ransomware - Preparing for an Outbreak

Last edited: 17 February 2020 11:41 am