May 2017 WannaCry Ransomware Campaign
Overview
On May 12th, 2017, a massive ransomware attack was initiated against organizations worldwide. The infection hit tens of thousands of hosts and encrypted their files. The attack uses a malware called WannaCry and an exploit called ETERNALBLUE. There was also a separate ransomware attack taking place at the same time, using a malware called Jaff.
The exploit being used to spread the ransomware in the WannaCry campaign was supposedly part of the NSA hacking toolkit taken by the Shadow Brokers. The exploit is known as ETERNALBLUE and targets a weakness in Microsoft Server Message Block (SMB). This weakness was patched by Microsoft in March of 2017.
Analysis
WannaCry checks to see if a particular domain resolves while running; that domain is, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This domain should not be blocked. Before May 12th, this domain was not registered. This is not a command and control server for the malware. If the domain resolves, the malware does not run. Shortly after the attack started, a malware researcher registered and sinkholed that domain. This helped prevent a lot of later infections since the malware was able to resolve the domain.
If left to run normally, WannaCry will encrypt most files on a machine. Once the files are encrypted, the user will be prompted to pay $300 in Bitcoin to get their files back. The cost goes up to $600 if the user takes too long to pay, eventually the user will be unable to pay to have their files returned.
The Jaff malware is distributed via PDFs attached to emails. The PDFs typically start with “Copy_” or “Document_” and opening them will prompt the user to open an external file. Once the user agrees to open that file, their system will be encrypted.
Recommendations and Mitigation
As the SMB server vulnerability was primarily used in this attack, installing updates in the Microsoft March 2017 Security Bulletin will resolve the weakness. It is recommended that SMB is disabled until the proper patches can be applied to the system.
To avoid a Jaff infection, instruct users not to open any PDF attachments starting with “Copy_” or “Document_”.
Subscriptions to ActiveTrust standard/plus DNSFW feeds can further protect users from unwanted DNS communications. The DNSFW feeds are proactively curated to maximize DNS protection. Those subscribed to ActiveTrust prior to the attack would have received some level of protection. The compromised domain graficagibin[.]com[.]br was detected and added to ActiveTrust as early as March 31, 2017. This domain was used to deliver the malicious VBScript that kicked off the ransomware infection chain.
Also, use Infoblox’s spambot feed for additional data to block unwanted emails that could be distributing WannaCry and Jaff.
