WanaCry: Frequently Asked Questions

There are many questions surrounding the WanaCry ransomware attack that started on May 12, 2017. In order to provide some quick answers to common questions and dispel some misconceptions, we are providing this list of frequently asked questions. We will keep this updated as new details emerge. For a more in-depth look at WanaCry, refer to our blog - <a href="https://www.anomali.com/blog/wanacry">WanaCry Observations: Big Worm = Big Problems</a>.[Last updated 12:55pm ET, May 19, 2017]<ul><li>Is there a new variant in the wild?<ul><li>Researchers have found many similar malware samples that have surfaced but many of these have turned out to be simply edited versions of the WanaCry malware from the May 12th weekend. So far none of the new samples that have been discovered have been as effective as the version making the news and some don't even appear to work properly.</li></ul></li><li>Did the WanaCry infections start via a phishing campaign?<ul><li>There are theories that WanaCry was originally started through phishing emails but so far there has not been any evidence to support this theory. Currently, it is unknown exactly how the WanaCry infections began.</li></ul></li><li>How does WanaCry spread?<ul><li>WanaCry spreads primarily over SMB by taking advantage of a Microsoft vulnerability associated with the ETERNALBLUE NSA exploit released by the Shadow Brokers. Microsoft released a patch for this vulnerability for supported versions of Windows in March 2017 and even released a patch for Windows XP and Windows 2003 on Friday, May 12, 2017. WanaCry will attempt to spread over the internal network and attempt to connect to random hosts on the Internet via SMB over ports TCP 139 and TCP 445.</li></ul></li><li>Is it still active?<ul><li>As of May 19, 2017 WanaCry is still actively spreading according to the <a href="https://intel.malwaretech.com/botnet/wcrypt" target="_blank">WanaCry botnet tracker at MalwareTech</a>. It shows over 350,000 affected IPs globally.</li></ul></li><li>What is the “killswitch” domain mentioned in conjunction with WanaCry?<ul><li>WanaCry attempts to connect to a specific domain when it starts up and if it can connect to this domain, it terminates. This may be functionality to prevent analysis in sandboxes or other malware research environments which are often configured to return responses for any domain requests. Killswitch domains known to be associated with WanaCry have been registered and are hosted by researchers.</li></ul></li><li>Does access to the killswitch domain mean WanaCry won’t work?<ul><li>If the WanaCry malware is able to reach its associated killswitch domain, it will terminate instead of encrypting files.</li></ul></li><li>What if access to the killswitch domain is blocked?<ul><li>If access to the WanaCry killswitch domain is blocked by a security tool or due to network configuration, the infections inside the organization will succeed since it receives no reply from the killswitch domain. The fix for this is to whitelist the domain so connections can succeed or setup an internal DNS record for the killswitch domain and point it to an internal host.</li></ul></li><li>What if a proxy is required at my organization to get to the Internet?<ul><li>WanaCry does not have proxy support so if a proxy is required to reach the Internet, communication to the killswitch domain (as well as infection attempts to Internet hosts) will fail. In these situations, an administrator can create a DNS record for the killswitch domain and point it to an internal host to facilitate the killswitch functionality in WanaCry.</li></ul></li><li>What are all the bitcoin addresses being used for payment?<ul><li>So far the following bitcoin addresses have been associated with WanaCry:<ul><li><a href="https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" target="_blank">13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94</a></li><li><a href="https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" target="_blank">12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw</a></li><li><a href="https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" target="_blank">115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn</a></li></ul></li><li>310 payments have been made totaling over $93,000 to these bitcoin wallets</li></ul></li><li>Can I decrypt my files without paying?<ul><li>Adrien Guinet announced on Twitter that he was able to recover the private key from a WanaCry infection from memory. He built a tool to do this at <a href="https://github.com/aguinet/wannakey" target="_blank">https://github.com/aguinet/wannakey</a>. Benjamin Delpy, the creator of the Mimikatz security tool, built a tool based on Guinet’s discovery which attempts to automate the decryption process: <a href="https://github.com/gentilkiwi/wanakiwi" target="_blank">https://github.com/gentilkiwi/wanakiwi</a>. There are some caveats for the tool to work however: it only works on XP and potentially Windows 7, the computer must not have been rebooted since initial infection, and even if those criteria are met there is no guarantee it will work.</li></ul></li><li>How can attacks like this be prevented?<ul><li>The ability of malware to spread quickly through networks on its own is often facilitated by an unpatched vulnerability. That is the case with WanaCry. Patching critical vulnerabilities that can lead to remote code execution (RCE) in a timely manner will help to avoid exposure to malware that takes advantage of these vulnerabilities to spread. For WanaCry specifically, refer to the <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">Microsoft bulletin, MS17-010</a> for relevant patch information.</li><li>Preventing access from the Internet directly to computer systems is another key mitigation that would help mitigate WanaCry infections. Systems exposed directly to the Internet make them candidates for infections like WanaCry. In this case, allowing SMB connections over port TCP 445 from hosts on the Internet helps WanaCry spread.</li><li>For internal networks, splitting hosts into separate segments such that communications aren't wide open between the segments can help prevent the rapid spread of malware infections internally. This can be done through Access Control Lists (ACLs) on routers, firewall filtering, or even physical separation between networks. Having an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) between segments of internal hosts can help provide protection and visibility as well.</li><li>Updated antivirus software on every host can help against these kinds of infections too. While AV may miss initial detections when the malware is new, applying updated signatures as they become available can help protect against the malware as time goes on.</li></ul></li><li>Is anything known about who created/deployed WanaCry?<ul><li>Officially there is not a specific actor or group that has been accused of creating or launching the WanaCry malware. There is currently <a href="https://www.washingtonpost.com/world/global-markets-shrug-off-fears-after-massive-cyberattack/2017/05/15/16265198-3958-11e7-9e48-c4f199710b69_story.html" target="_blank">speculation that North Korea</a> may be behind it but the evidence is so far circumstantial. UPDATE: The malware does include reference to an email address (wanna18 at hotmail.com), a couple of Dropbox links, and other interesting strings but thus far researching these has not led to public identification of a potential suspect.</li></ul></li><li>If someone pays, do they actually get access to their files again?<ul><li>There have been reports of people making the requested payment and receiving access to their files. However, just because this may have been the case with others, there are no guarantees that payment will yield access to the files encrypted by WanaCry.</li></ul></li><li>My computer got infected, now what?<ul><li>If you've been compromised we recommend taking the following steps:<ul><li>1) take the infected host offline</li><li>2) restore to the latest non-infected backup</li><li>3) apply the Microsoft patch: MS17-010</li><li>4) reconnect the host to the network</li></ul></li></ul></li><li>Were there previous versions of the WanaCry malware before May 12th?<ul><li>There appear to be two previous versions seen in the wild of what eventually became the ransomware sent on May 12th. The first in February of 2017 that lacked the modularity of the later version and did not have the ability to propagate itself. The second version showed up in late March and included several improvements. Most notably it had the ability to copy itself to network shares but still lacked a mechanism to force execution once copied. The most recent version is the one that hit on May 12th.</li></ul></li><li>Can we expect more attacks like this?<ul><li>Historically speaking, the MS08-067 vulnerability led to lots of use for years after its release. There are still systems today that haven’t been patched against this vulnerability. The MS17-010 vulnerability has the same qualities that MS08-067 has: remote code execution, no user interaction required, affects a large swath of systems, and it has reliable exploit code in the wild. This combination along with the vibrant underground for cyber criminals suggests there will be many more iterations of malware that try to leverage this vulnerability as there are plenty of unpatched systems to take advantage of. These may or may not also take the form of ransomware. There are already reports of additional malware in the wild taking advantage of MS17-010.</li><li>The main exploit leveraged in WanaCry comes from an NSA tool called ETERNALBLUE that was released by The Shadow Brokers in April. There are other tools in that release that are reportedly being used in the wild as well such as recent reports of the use of ESTEEMAUDIT. While still bad, this tool only targets older versions of Windows (Windows 2003 & Windows XP) over the Remote Desktop Protocol (RDP).</li><li>Staying ahead of any future developments is recommended for situational awareness and so proper defensive actions can be taken. Keeping an eye on this and other security blogs as well as other sources of threat intelligence is the best way to keep an ear-to-the-ground and stay on top of the ever changing threat landscape</li></ul></li><li>Which countries were hit hardest by this, and why?<ul><li>Based on information from <a href="https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all" target="_blank">MalwareTechBlog</a>, who has been capturing attempts to connect to the WanaCry killswitch domain since Friday, the two countries hit the hardest so far are <a href="https://www.nytimes.com/2017/05/14/world/europe/russia-cyberattack-wannacry-ransomware.html" target="_blank">Russia</a> and <a href="https://www.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html?_r=0" target="_blank">China</a>. This is not surprising due to the popularity of unlicensed and unpatched Windows in those countries.</li></ul></li><li>I’m hearing about other malware spreading like WanaCrypt, what about those?<ul><li>Several other malware attacks have been reported recently that also leverage the ETERNALBLUE/MS17-010 exploit.</li><li>Adylkuzz - This is a malware that is a cryptocurrency miner to essentially turn infected hosts into miners to generate money for the actors responsible for it (this is done in the background so users are unaware they are infected). It also leverages ETERNALBLUE and DOUBLEPULSAR like WanaCrypt. It is not destructive or ransomware but interestingly it does close off SMB communication to prevent further infection.</li><li>Uiwix ransomware - Another ransomware that has appeared which leverages the ETERNALBLUE/MS17-010 exploit. This ransomware is still being investigated by researchers.</li><li>ETERNALROCKS (aka BlueDoom) - This malware also leverages the ETERNALBLUE/MS17-010 exploit among others but is designed to be a modular malware that can perform a number of functions on an infected host. It is not ransomware and so far only seems to infect hosts and set them up for later activities.</li></ul></li><li>Are there other vulnerabilities from The Shadow Brokers we should be concerned about?<ul><li>Most of The Shadow Brokers released exploits are older and have already been patched - with the notable exception of the recently patched, ETERNALBLUE exploit (MS17-010). There are three other exploits for older versions of Windows or other Microsoft software that have not been patched - ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN. Microsoft has released a<a href="https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/" target="_blank"> blog</a> about these. As an example, ESTEEMAUDIT only works on Windows 2003 or Windows XP over RDP (Remote Desktop Protocol). See the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9073" target="_blank">CVE-2017-9073</a> reference for more details on this one.</li></ul></li><li>What about the backdoor I’ve heard referenced in relation to WanaCry?<ul><li>As part of the infection process, WanaCry looks for the presence of the DOUBLEPULSAR backdoor (another NSA tool leaked by The Shadow Brokers along with ETERNALBLUE). If it finds it, it uses it to propagate itself. If not, it installs it during the infection process. It’s important to note that although WanaCry will install the DOUBLEPULSAR backdoor, it is only present in memory and will disappear upon reboot.</li></ul></li></ul>