#6624: Synopsis on WannaCry Ransomware Campaign

May 2017 WannaCry Ransomware Campaign

On May 12th, 2017, a massive ransomware attack was initiated against organizations worldwide. The infection hit tens of thousands of hosts and encrypted their files. The attack used ransomware called WannaCry (also written WannaCrypt or WCry), which spread between hosts with an SMB exploit called ETERNALBLUE. A separate ransomware campaign, Jaff, was running at the same time; it is unrelated to WannaCry and spreads by email rather than by exploit.

The exploit used to spread the ransomware, ETERNALBLUE, was reportedly part of the NSA toolkit published by the Shadow Brokers in April 2017. It targets a remote code execution flaw in the Microsoft Server Message Block version 1 (SMBv1) server and needs no credentials or user interaction, which is what let WannaCry behave as a worm. Microsoft patched the flaw in March 2017 as security bulletin MS17-010, so hosts that were current on patches before the campaign started were not exploitable this way.

WannaCry contains a kill switch. Before it does anything else it tries to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the connection succeeds, the malware exits without spreading or encrypting; if it fails, it proceeds. The domain is not a command and control server. Before May 12th it was unregistered, so the check failed everywhere and the malware ran. Shortly after the attack started a malware researcher registered and sinkholed the domain; from then on the check succeeded on most Internet-connected hosts, which prevented a large number of later infections. For that reason this domain should not be blocked: a host whose DNS or web egress is filtered, or that can only reach the Internet through a proxy (the malware connects directly and ignores proxy settings), fails the check and is encrypted even though the sinkhole exists. The kill switch also does nothing for hosts that were already encrypted, and variants with a different or removed kill switch appeared within days, so it is a reprieve, not a control.

If left to run, WannaCry encrypts most user files on the machine and then demands $300 in Bitcoin to decrypt them. The demand rises to $600 after three days, and after seven days the ransom note states the files can no longer be recovered.

Jaff is distributed as a PDF attached to email. The file names typically start with “Copy_” or “Document_”. Opening the PDF prompts the user to open an embedded Word document; if the user agrees and then enables the document's macros, the macro downloads the ransomware and the system's files are encrypted.

Recommendations and Mitigation
Because the SMBv1 server vulnerability was the primary spreading mechanism in this attack, installing the MS17-010 updates from the Microsoft March 2017 Security Bulletin closes it. Microsoft also released an out-of-band MS17-010 update on May 12th, 2017 for otherwise unsupported Windows XP, Windows 8 and Windows Server 2003. Until the patches are applied, disable SMBv1 on hosts (SMBv2 and SMBv3 are not affected) and block TCP port 445 and the legacy NetBIOS ports 137 to 139 at the perimeter and between network segments that do not need file sharing. SMB should never be reachable from the Internet regardless of patch level.
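As a concrete form of the steps above, the following PowerShell script is an added example and is not part of the Infoblox article. It checks whether one of the MS17-010 update packages is installed, reports whether SMBv1 is enabled, and, if the host is unpatched, disables SMBv1 and blocks inbound TCP/445 on the host firewall. The KB numbers are those listed in Microsoft's MS17-010 bulletin; verify them against the bulletin for your exact build, because later cumulative updates supersede them and a host patched through a newer rollup will not show these IDs. The function names and the firewall rule name are chosen for this example. Run it from an elevated session.

```powershell
# Added example (not from the Infoblox KB article): audit a Windows host for
# MS17-010 exposure and apply the stopgap mitigations. Elevated session required.
# KB list per the MS17-010 bulletin; verify against the bulletin for your build.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607 cumulative
    'KB4012598'                            # Out-of-band: XP, Server 2003, Windows 8 (2017-05-12)
)

function Test-Ms17010Patched {
    # A match proves the SMBv1 fix is installed. A miss is only a hint, since a
    # later cumulative update that supersedes these KBs does not carry their IDs.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{
        Patched   = [bool]$found
        MatchedKB = ($found -join ',')
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 = 0 under LanmanServer\Parameters means
    # disabled; a missing value means SMBv1 is enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # On Windows 8.1 / 10 the SMBv1 component is also an optional feature;
    # removing it takes effect after a reboot. Ignored where the feature model
    # does not exist (older clients, Server editions use FS-SMB1 instead).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Host-firewall stopgap: drop inbound TCP/445 until the patch is installed.
    $ruleName = 'Block inbound SMB (MS17-010 stopgap)'   # name chosen for this example
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        # Windows 7 / 2008 R2 lack the NetSecurity module; use netsh instead.
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=445 | Out-Null
    }
}

$patch = Test-Ms17010Patched
Write-Host "MS17-010 KB installed : $($patch.Patched) $($patch.MatchedKB)"
Write-Host "SMBv1 enabled         : $(Get-Smb1Enabled)"
if (-not $patch.Patched) {
    Disable-Smb1
    Block-InboundSmb
    Write-Host 'SMBv1 disabled and inbound TCP/445 blocked; install MS17-010 and reboot.'
}
```

The firewall rule stops the worm's inbound SMB connection on the host itself, which matters for laptops that roam off the corporate network. Remove the rule after patching only if the host genuinely needs to serve files.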

To avoid a Jaff infection, instruct users not to open PDF attachments whose names start with “Copy_” or “Document_”, and not to enable macros in any document a PDF asks them to open. Attackers change file names freely, so treat the name check as a stopgap; mail filtering and blocking macros in documents that arrive from the Internet are the durable controls.

Subscriptions to the ActiveTrust Standard/Plus DNS Firewall (DNSFW) feeds give further protection against unwanted DNS communications; the feeds are proactively curated to maximize DNS protection. Customers subscribed to ActiveTrust before the attack already had some level of protection: the compromised domain graficagibin[.]com[.]br, which hosted the malicious VBScript that kicked off the ransomware infection chain, was detected and added to ActiveTrust as early as March 31, 2017.
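Infoblox DNS Firewall is implemented with BIND response policy zones (RPZ), so the two DNS decisions this article implies, blocking the compromised delivery domain and never blocking the WannaCry kill-switch domain, can be expressed in one small policy zone. The fragment below is added here as an illustration; it is not taken from the article or from an Infoblox feed. The zone name rpz.example and the SOA values are placeholders.

```dns
$TTL 300
$ORIGIN rpz.example.
@   IN SOA  localhost. hostmaster.rpz.example. ( 2017051201 3600 900 604800 300 )
@   IN NS   localhost.

; Block the compromised delivery domain and everything under it.
; In RPZ, CNAME "." is the action that returns NXDOMAIN to the client.
graficagibin.com.br      CNAME .
*.graficagibin.com.br    CNAME .

; Exempt the WannaCry kill-switch domain. CNAME rpz-passthru. means "answer
; normally and stop evaluating policy", so a broad block list loaded into the
; same response-policy configuration cannot make the sinkhole unreachable.
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com    CNAME rpz-passthru.
```

In named.conf the zone is loaded like any authoritative zone (with queries from clients denied) and listed in the response-policy statement. BIND consults policy zones in the order given, and the first zone whose trigger matches decides the answer, so place a local zone carrying passthru exemptions ahead of any externally supplied feed that might one day list the kill-switch domain.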

Infoblox’s spambot feed provides additional data for blocking mail from hosts that could be distributing WannaCry or Jaff.
