NTT Security Monthly Threat Report, May 2017
Global Threat Intelligence Center (Monthly Threat Report – May 2017)
UNCLASSIFIED-EXTERNAL
2017 NTT Security

Contents

1 Introduction .......................................................... 3
2 Multiple SMB Vulnerabilities – MS17-010 ................................ 4
3 WannaCry: More Questions Than Answers .................................. 5
4 WannaCry: Road to Recovery ............................................. 8
  4.1 Loss of Operational Capability .................................... 10
  4.2 Data Loss ........................................................ 10
  4.3 Ransomware is a "Breach" ......................................... 10
  4.4 An Ounce of Prevention Only Gets You an Ounce of Protection ....... 11
  4.5 Ransomware Recommendations ....................................... 11
5 WannaCry Attack Analysis ............................................. 12
  5.1 Summary .......................................................... 12
  5.2 WannaCry Characteristics ......................................... 13
  5.3 WannaCry Installation Details .................................... 13
6 WannaCry/WCry Threat Research Report ................................. 14
  6.1 Analysis Findings ................................................ 15
  6.2 Conclusion ....................................................... 19
  6.3 Recommendations .................................................. 20
7 Characteristics, Indicators and Signatures ........................... 20
  7.1 WannaCry File Characteristics .................................... 20
  7.2 WannaCry Configuration Details ................................... 22
  7.3 WannaCry Technical Indicators .................................... 23
  7.4 WannaCry, DoublePulsar and EternalBlue Signatures ................ 27
8 References ........................................................... 29

1 Introduction

In April 2017, the cybercriminal group Shadow Brokers leaked supposed NSA hacking tools. This leak included zero-day exploits, custom hacking frameworks, backdoor implants, scanning tools and more. This leak led directly to the global distribution of the WannaCry ransomware.

One of the backdoor implants included in this release is DOUBLEPULSAR. This backdoor is the primary payload in the Server Message Block (SMB) and Remote Desktop Protocol (RDP) vulnerabilities leveraged by the NSA's FuzzBunch software, an exploitation framework similar to Metasploit. This backdoor, if successfully installed, is designed to remain undetected. It can be used to conduct further operations on infected systems, including leveraging leaked zero-days, exfiltrating data and moving laterally through a network.

The NTT Security Global Threat Intelligence Center (GTIC) identified several detections for the signatures and indicators of compromise (IOCs) related to WannaCry. This report details the results of the GTIC's data analysis. The GTIC has also provided high-level analysis of the WannaCry campaign, with emphasis on both the challenges with definitive attribution, as well as the long road to recovery if infected with WannaCry (or any other ransomware).
2 Multiple SMB Vulnerabilities – MS17-010

Threat Status: Critical
CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147
Severity: Critical (CVSS: 10.0)
Date: May 13, 2017
Remediation Details: Microsoft released a patch to address these vulnerabilities. If patching is not possible, disable SMBv1 as a temporary workaround.

Affected Versions:
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
- Windows 8.1 for 32-bit Systems
- Windows 8.1 for x64-based Systems
- Windows Server 2012 and Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT 8.1
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1511 for 32-bit Systems
- Windows 10 Version 1511 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows Server 2016 for x64-based Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016 for x64-based Systems (Server Core installation)

Analyst Note: Microsoft released a patch to address multiple vulnerabilities found in the Microsoft Server Message Block (SMB) server. All listed vulnerabilities are rated as critical, and remote code execution is possible. Exploitation relies on an unauthenticated attacker sending a malformed packet targeting the SMBv1 server. The hacker group Shadow Brokers leaked several NSA tools, and ETERNALBLUE was one of the exploits disclosed during the leak. ETERNALBLUE takes advantage of the vulnerabilities patched with Microsoft Security Bulletin MS17-010.

On May 12, 2017, a global ransomware campaign targeted endpoints around the world. This ransomware variant, dubbed WannaCry or WCry, used the ETERNALBLUE exploit to compromise machines. The WannaCry ransomware is a worm which self-propagates using the ETERNALBLUE vulnerability. The WannaCry ransomware is only the beginning, as several variants are emerging as of the time of this writing.

Microsoft patched all vulnerabilities related to ETERNALBLUE in March 2017. Due to the threat of these vulnerabilities, Microsoft has released an out-of-band patch for operating systems like Windows XP which Microsoft no longer officially supports.

A workaround to this vulnerability exists. Disable SMB ports 139 and 445 if disabling those ports will not adversely affect your operations. If SMB is being used in your environment, block inbound traffic over ports 139 and 445.
3 WannaCry: More Questions Than Answers

Over 98 percent of WannaCry victims were running unpatched versions of Windows 7. This is likely due in part to the fact that ETERNALBLUE never worked properly on XP, and it appears the tool's worm-like ability to infect additional computers on the same network without human intervention was designed for Windows 7. WannaCry was also discovered to be unsuccessful in propagating on older versions of the Windows OS, including XP. Please note the common denominator of those infected, irrespective of Windows version: they were UNPATCHED. Systems that had applied the patches from Microsoft Security Bulletin MS17-010 were unaffected by the exploits associated with the distribution of WannaCry.

WannaCry rapidly became one of the largest cyberattacks to date, having infected over 200,000 hosts around the globe. WannaCry appears to have spread through internet-wide SMB (file shares) rather than phishing emails, as initially thought. And the saga continues. As of this writing, there appear to be many more questions than answers – particularly with regards to motivation and attribution.

On the surface, this attack bears the hallmarks of a cybercriminal campaign designed to make money. This campaign has only netted a fraction of the amount expected, considering the number of infected machines. Also, with the way the ransom demands are hard-coded into the WannaCry ransomware, the motivation behind the campaign is in question. As of this writing, less than $121,000 has been paid to the attackers.

Attribution is also under intense investigation from government as well as private sector security researchers around the globe. Threat actors often reuse code available in the wild, especially as a cover and to deflect blame, making definitive attribution even more difficult. In addition, conducting cyber operations to meet objectives is increasingly common among ALL threat actors (e.g., cybercriminals, nation-state actors, etc.). Cyber operations are often designed to be:

- Cost-effective.
- Asymmetric. Or, put another way, they are a means to obtaining a "level playing field" when targeting those of significantly greater capabilities.
- Deniable. Deniability limits the possibility of punishment (e.g., arrest in the case of the cybercriminal, sanctions in the case of the nation-state actor).

So, "obvious clues" aren't necessarily all they appear to be.

Initial reporting, shortly following the Shadow Brokers leak on April 14, suggested cybercriminals from Russia and China were quickly jumping to take advantage of these sophisticated offensive cyber weapons, including several zero-day exploits. Attempting to leverage tools as soon as possible after discovery is nothing new. When zero-day vulnerabilities or older vulnerabilities remain unpatched on systems, threat actors of all levels will try to take full advantage. Researchers are continuing to investigate whether these Chinese and Russian threat actors were state-sponsored, but the speed at which tools were weaponized and deployed does indicate capabilities which are on the more advanced side of the scale.

A question researchers continue to ask is, "Which threat actors were ultimately responsible for the WannaCry campaign?" Preliminary findings suggest that the Lazarus Group, widely believed to be associated with North Korean threat actors, may have had a hand in the WannaCry campaign. Researchers have found evidence of commonalities in the code, as well as in the techniques and infrastructure used. These techniques include additional tools (e.g., Destover, Volgmer) used in attacks previously attributed to the Lazarus Group.

Some researchers found evidence of chatter related to these attacks in dark web forums before they happened, as is often the case. Open source and dark web analysis identified chatter about these tools, which indicates researchers (and likely actors with malicious intent) are downloading and analyzing these tools. It is possible that additional tools are being primed for deployment, as many more experienced threat actors are quick to weaponize these types of tools.

As a case in point, WannaCry was not the only campaign targeting vulnerabilities in SMB to emerge from the leaked NSA tools. In fact, one tool dubbed Adylkuzz hit the proverbial streets three weeks before WannaCry. Designed to generate "digital cash" via Monero cryptocurrency mining operations, Adylkuzz, unlike WannaCry, wasn't quickly discovered, as it allowed the computer to operate almost normally (a slight degradation of server performance was noted) while mining operations ran in the background. In addition, it blocked other SMB exploits – including WannaCry – perhaps even limiting WannaCry's infection rate. Since Adylkuzz was mining Monero specifically, this operation could be an effort to bump up the value of this cryptocurrency. Monero is similar to Bitcoin, but is not as popular and has enhanced anonymity capabilities.

EternalRocks was yet another campaign which leveraged seven NSA tools exploiting SMB weaknesses. Part of the beauty of this malware was that it disguised itself as WannaCry to fool mitigation efforts, though instead of dropping ransomware, it gains an unauthorized foothold on a victim host for future exploitation. (Note: The EternalRocks author has discontinued development and has taken the code offline.) Although both Adylkuzz and EternalRocks can be detected with the same signatures as WannaCry, they are more difficult for the end user to notice, as they do not encrypt the file system and display a ransom note.

Culpability and motives may be unknown for WannaCry, but patches are available for these exploits. These patches, along with best practices – at a very minimum – are your best defense against these tools at this time. There is good news though, should you become infected: the Wanakiwi decryption tool is available, potentially allowing victims to recover files without paying a ransom. This decryptor is reportedly effective on all Windows operating systems. There is one catch, though – it works only on systems that have not been rebooted post-infection. (NOTE: NTT SECURITY MAKES NO GUARANTEES AS TO THE EFFECTIVENESS OF THE DECRYPTION TOOL, AND USERS SHOULD PROCEED WITH CAUTION AND LEVERAGE THESE TOOLS AT THEIR OWN RISK.)

As an additional precaution, please note that there are several fake decryption tools which exist, as mentioned in the GTIC's separate article in this report, WannaCry: Road to Recovery. In addition to the recommendations outlined in WannaCry: Road to Recovery, it may also be worthwhile to blacklist known Tor IPs, and, needless to say, immediately remove any infected computer from the network. Full indicators for WannaCry and associated attacks can be found in this report in section 7: Characteristics, Indicators and Signatures. In addition, even if you have your SMB and CIFS applications hardened, be aware that the same malware can be distributed via alternate means, so ensure your systems are up to date on all patches and all best practices for security measures are followed.

The moral of the story is this: opportunistic hackers WILL take advantage of the tools from these continued leaks, along with all other vulnerabilities which they discover their targets have not yet patched. There are many reasons why organizations and individuals do not patch their systems, but threat actors don't really care exactly why those systems are unpatched, just that they are.

Expect more classified tools (including zero-day vulnerabilities) to be released via outlets such as the Shadow Brokers and WikiLeaks. A variety of threat actors will quickly acquire newly released tools, weaponize, and deploy them. In fact, Shadow Brokers authored a blog post where they promised to release tools each month, beginning in June 2017, to anyone willing to pay for access. Given the successes we saw with WannaCry and the other exploits which took advantage of the unpatched SMB vulnerability, we should not be surprised to see Shadow Brokers have some success in selling future access. NTT Security fully expects continued repurposing of these tools, especially as systems worldwide remain unpatched. The bad guys are counting on it.
4 WannaCry: Road to Recovery

Beginning on Friday, May 12, the WannaCry ransomware campaign blanketed over 200,000 workstations around the world with an image similar to this one:

Figure 1. WannaCry/WCry ransom demand page

The attack left individuals and enterprises reeling as the staggering implications settled in. Sadly, many organizations were not prepared for a ransomware attack, and even worse, for some victims, the ransom message "Send $300 worth of bitcoin" might as well have been in an unintelligible language. While blockchain experts may think nothing of purchasing cryptocurrency, to the everyday employee this task sounds daunting, if not impossible.

NTT Security evaluated whether obtaining $300 worth of bitcoin was even possible in the timeframe allotted by the WannaCry ransomware. To test this, NTT Security ran an experiment measuring the amount of time it would take someone to buy the required cryptocurrency. The experiment would be conducted by someone with a thorough knowledge of cryptocurrency and the blockchain, then repeated by someone with virtually no knowledge of the blockchain. In each iteration, users would perform the same tasks. Upon completion of the experiment, the times would be compared to evaluate whether obtaining $300 worth of bitcoin was possible.

1. First, the test subject would need to set up an account at a (legitimate) cryptocurrency exchange.
2. Second, he would be required to complete all verification and setup procedures.
3. Third, he would have to add a (real) funding source.
4. And finally, the test subject would need to verify his identity to increase his buy limits.

Once all four steps are complete, the user should then be at a point where he can purchase enough bitcoin to pay the ransom demand.

The blockchain expert completed all tasks in 9 minutes, 28 seconds. Unfortunately, the end user who was unfamiliar with the blockchain was unable to complete the task, having made mistakes while in the process of account verification. This resulted in a 24-hour hold on the user's cryptocurrency exchange account. Once the user was finally able to log in to the exchange, he would not have been able to purchase the appropriate amount of bitcoin in the time allotted (seven days), as the test subject had linked his bank account as opposed to a credit card (purchasing bitcoin via bank transfer, as opposed to purchase with a credit card, can take 7-14 days).

Most cybersecurity experts will tell you that paying the ransom is not recommended, and with WannaCry, this is certainly the case. The GTIC was unable to verify that any files had been decrypted, even after affected users paid the ransom. In fact, the WannaCry ransomware campaign has significant flaws, and researchers wonder if the attackers ever planned to decrypt any of the computers infected.

So why run the test? We wanted to simulate the difficulty (and frustration) involved with recovering from a ransomware attack, especially one for which the end user (or organization) is not prepared. The test was conducted in a controlled environment, and the end-user test subject was likely not as stressed as, say, a business owner would be had he lost all his critically important files. It is important to communicate how crucial it is to be prepared for such an attack. Beyond the frustration of trying to learn a new technology (i.e., blockchain), and the follow-on concern of making the payment, a ransomware attack saddles the victim with much more "to pay" than simply $300. And the uninformed end user may be more apt to rely on search engine query results for gathering information on how to pay the ransom. These results can lead users to fake decryptors, potentially exacerbating the problem.

4.1 Loss of Operational Capability

WannaCry infected entire networks, rendering some of them all but useless. For those organizations not prepared for a ransomware attack, operations came to a grinding halt. When an organization loses operational capability due to a ransomware attack, employees can't work, the organization cannot sell its products and services, cannot pay for materials and services needed to keep the organization running, and it is "dead in the water." If the business cannot continue to function, cash flow stops, which is bad for any business.

4.2 Data Loss

In the event of a ransomware attack, it's probably best to assume that your data is gone forever. Honoring the demand to "Pay us $300 in bitcoin" does not guarantee you will receive a decryption key to unlock your files, and the chance of getting all your data back is slim. And let's not forget how expensive data loss, by its very nature, can be. If your organization completely loses data, expect the following:

1. You're going to lose customers.
   a. This could be for a variety of reasons:
      i. You lost invoice data, meaning you don't know which customers owe you what amount of money for your goods and services.
      ii. You lost personally identifiable information (PII), violating your customers' trust.
2. You're going to have to pay to get your files back.
   a. While NTT Security does not recommend paying the ransom, that may be the "cheapest" way to unlock your files – that is, if the criminal comes through on their promise to provide a decryption key. In the case of WannaCry, you would simply be out your $300 (or $600 if you waited until three days had passed since the infection).
   b. To reiterate, there is no guarantee you will receive the key to decrypt your files, so paying the extortion may just be throwing away money.

4.3 Ransomware is a "Breach"

Whether or not you pay the ransom, your organization needs to treat the ransomware as a breach. At the very least, you have identified malware on organizational resources. You cannot simply pay the ransom and move on. And you obviously cannot ignore that the ransomware is present. Regardless of other outcomes, the organization must reimage systems, and treat the infrastructure as if it has been compromised. That may mean outsourced services, it may mean restoring from backups, and it may mean reinstalling systems, but the organization needs to take actions to purge the malware and associated breach from its environment. After all, the ransomware you know about may not be the only malware installed in your environment. And if industry breach notification rules apply to you, they kick in the second you get that internal notification or the second that "pay bitcoins" notice pops up.

4.4 An Ounce of Prevention Only Gets You an Ounce of Protection

There is no single solution to be prepared for a ransomware attack. If your organization falls victim to ransomware, you will be glad you were prepared, but it will take work to ensure you are prepared, and this work must take place before the attack happens. Implement only one or two of the below recommendations, and you will have an incomplete preparation model.

Figure 2. Ransomware attack preparation model

4.5 Ransomware Recommendations

1. Ensure you establish a feasible patch management (and upgrade) program.
   a. In the example of WannaCry, the campaign targeted vulnerabilities in many systems that had reached end-of-life (EOL) and were no longer supported by the original manufacturer. In other words, part of your patch management program must include periodic audits of the systems in your environment to determine whether those systems can be patched or if they should be deprecated.
   b. When it comes to patching, install patches in your environment as soon as is feasible.
2. Implement a complete backup solution.
   a. Store backups both on-site and off-site.
   b. Remember backups are not JUST about the data. While the data is important, the organization must consider the ability to access and use that data. That means ensuring the organization retains backup copies of any applications being used, as well as required operating systems and any keys or licenses upon which those things rely.
   c. When selecting a backup solution, keep in mind the "CIA triad".
      i. Confidentiality – Is the data protected and accessible only to those who require access?
      ii. Integrity – Can the data be trusted?
      iii. Availability – If reverting to a backup is needed, how accessible are those backups? How long will it take to be operational if reverting to backups is required?
   d. And, remember that your backup is only as good as what you can restore. Organizations should test their backup AND RESTORE process to ensure that the data and systems are recoverable.
3. Train (and test) your end users.
   a. WannaCry, though it infected over 200,000 systems, was likely not delivered via a phishing email; however, most ransomware variants are delivered via phishing emails.
   b. Train your end users to spot the most common signs of phishing emails.
      i. If possible, train users with phishing emails which targeted your company, or an industry peer.
   c. Test your users' ability to identify and report phishing emails.
      i. This is not a "gotcha" to see who falls for it. It is a self-correcting action that will allow your organization to determine the effectiveness of this part of your end user training.

Remember, security is not always convenient, as every recommendation above will be "inconvenient" in some way, but when you're attacked, you'll be glad you were ready.
5 WannaCry Attack Analysis

5.1 Summary

The WannaCry ransomware is a worm-like malware which spreads by exploiting the leaked NSA exploit ETERNALBLUE. The group known as the Shadow Brokers released the malware into the wild. The malware encrypts files, drops and executes a decryptor tool, displays a ransom notice for either $300 or $600 payable with Bitcoin, and uses Tor for C2 channels. It became extremely prevalent in May 2017 and crippled many organizations for several days. Windows systems which have been fully patched with MS17-010 are not exploitable.

5.2 WannaCry Characteristics

GTIC researchers took a detailed look at WannaCry and the files which make it up. GTIC also used several Snort and Palo Alto signatures in the malware and data analysis as well as ongoing monitoring. These characteristics appear in this report in section 7: Characteristics, Indicators and Signatures. As part of this analysis, GTIC researchers analyzed the progression of a WannaCry attack.

5.3 WannaCry Installation Details

1. WannaCry starts by trying to access a kill switch domain. If access to the domain succeeds, then the malware immediately exits. If access to the domain fails, then command line arguments are checked. If no arguments were passed, then the malware continues with installation; otherwise, it enters service mode.
2. In service mode, WannaCry scans the subnet it is on, then attempts to spread itself to available hosts via ETERNALBLUE. For installation, the malware creates a service named mssecsvc2.0 with a binary path pointing to the running module with arguments "-m security". Once created, the malware starts the created service. The malware then writes tasksche.exe to C:\WINDOWS, executes it with the "/i" argument, then moves C:\WINDOWS\tasksche.exe to C:\WINDOWS\.
3. Running with the /i argument, the malware will try to create the mutex Global\MsWinZonesCacheCounterMutexA0. If it fails to create the mutex, it will reinstall itself and try again. If that fails, it will continue as normal. Without the /i command, WannaCry will drop its encryption component and begin the process of encrypting the machine's files.
4. Once the malware completes encrypting the desktop and documents folder, it executes the following commands:
      taskkill.exe /f /im Microsoft.Exchange.*
      taskkill.exe /f /im MSExchange*
      taskkill.exe /f /im sqlserver.exe
      taskkill.exe /f /im sqlwriter.exe
      taskkill.exe /f /im mysqld.exe
5. It then starts encrypting files found on logical drives attached to the system. The malware executes "cmd.exe /c start /b @WanaDecryptor@.exe vs", copying the decryptor to each user's desktop folder.
6. The desktop wallpaper is set to a @WanaDecryptor@.bmp image, and the following dialogue box is displayed:

Figure 3. WannaCry dialogue box

7. Communication with the threat actors is accomplished via an onion router using a Tor server running on the localhost port 9050.
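The installation chain above can be turned into host-side detection logic. The following is an added example, not code from the NTT Security report: it matches constructed Sysmon-like process, service and registry events against the behaviours in section 5.3 and the persistence artifacts in section 7.2, and only calls the result a WannaCry chain when several distinct stages appear together, since a lone taskkill is weak evidence. The event field names (EventID, CommandLine, ServiceName, ImagePath, TargetObject) are assumptions modelled on Sysmon, and the stage names are ours.

```python
"""Flag the WannaCry installation chain from section 5.3 in process/service events.

Added example, not code from the NTT Security report. The event records are
constructed in a Sysmon-like shape (EventID 1 = process create, 7045 = service
installed, 13 = registry value set); map the field names onto your own telemetry.
"""
import re
from collections import defaultdict

# Behavioural rules taken from sections 5.3 and 7.2: stage name -> regex over the
# command line (the same "-m security" rule is also applied to service image paths).
COMMANDLINE_RULES = {
    "worm_service_started": re.compile(r"\.exe\s+-m\s+security\s*$", re.I),
    "loader_installed": re.compile(r"\\tasksche\.exe\s+/i\b", re.I),
    "db_mail_processes_killed": re.compile(
        r"\btaskkill(\.exe)?\s+/f\s+/im\s+"
        r"(Microsoft\.Exchange\.\*|MSExchange\*|sqlserver\.exe|sqlwriter\.exe|mysqld\.exe)",
        re.I),
    "decryptor_launched": re.compile(
        r"\bcmd(\.exe)?\s+/c\s+start\s+/b\s+@WanaDecryptor@\.exe\s+vs\b", re.I),
}
SERVICE_NAME = "mssecsvc2.0"                                   # section 5.3 / 7.2
REGISTRY_KEY = re.compile(r"\\SOFTWARE\\WANACRYPTOR(\\|$)", re.I)  # section 7.2

# Constructed sample telemetry: events 1 and 4 are benign, the rest mimic the chain.
EVENTS = [
    {"id": 1, "EventID": 1, "CommandLine": r'"C:\Windows\explorer.exe"'},
    {"id": 2, "EventID": 7045, "ServiceName": SERVICE_NAME,
     "ImagePath": r"C:\Users\Emily\AppData\Local\Temp\24d004a104d4d54034dbcffc2a4b19a04703480b1022c.exe -m security"},
    {"id": 3, "EventID": 1, "CommandLine": r"C:\WINDOWS\tasksche.exe /i"},
    {"id": 4, "EventID": 1, "CommandLine": "taskkill.exe /f /im notepad.exe"},  # ordinary admin use
    {"id": 5, "EventID": 1, "CommandLine": "taskkill.exe /f /im sqlserver.exe"},
    {"id": 6, "EventID": 1, "CommandLine": "taskkill.exe /f /im Microsoft.Exchange.*"},
    {"id": 7, "EventID": 1, "CommandLine": "cmd.exe /c start /b @WanaDecryptor@.exe vs"},
    {"id": 8, "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\WANACRYPTOR\wd"},
]


def match_event(event):
    """Return the list of stage names one event satisfies (usually zero or one)."""
    stages = []
    if event.get("EventID") == 7045:
        if event.get("ServiceName", "").lower() == SERVICE_NAME:
            stages.append("worm_service_created")
        if COMMANDLINE_RULES["worm_service_started"].search(event.get("ImagePath", "")):
            stages.append("worm_service_started")
    elif event.get("EventID") == 13:
        if REGISTRY_KEY.search(event.get("TargetObject", "")):
            stages.append("persistence_registry_value")
    else:
        cmd = event.get("CommandLine", "")
        stages += [name for name, rx in COMMANDLINE_RULES.items() if rx.search(cmd)]
    return stages


def scan(events):
    """Map each observed stage to the ids of the events that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        for stage in match_event(ev):
            hits[stage].append(ev["id"])
    return dict(hits)


def verdict(hits, min_stages=3):
    """One stage (for example a single taskkill) is weak; several distinct stages on
    the same host reproduce the section 5.3 chain and justify isolating the machine."""
    if not hits:
        return "clean"
    return "wannacry_chain" if len(hits) >= min_stages else "suspicious"


if __name__ == "__main__":
    result = scan(EVENTS)
    for stage, ids in result.items():
        print(f"{stage:28s} events {ids}")
    print("verdict:", verdict(result))
```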
6 WannaCry/WCry Threat Research Report

With the public leak of these NSA tools, the GTIC analyzed logs provided by security appliances in clients' networks to identify detections correlating to the NSA leak. With this approach, the GTIC gathered data detailing several Snort, Fortigate and Palo Alto alerts, as well as alerts including IP addresses from WannaCry IoCs. The GTIC analyzed the raw data and included the important findings in this document. Please be aware: this is ongoing analysis, as NTT Security researchers are continuing to analyze several of the payloads acquired from Snort and other sources.

6.1 Analysis Findings

6.1.1 Preliminary Data Statistics

GTIC researchers have observed WannaCry related activity with the context shown in this table.

Subject: Summary
Affected Industries: Finance; Manufacturing; Government; Education; Health Care; Business Services; Technology; Energy & Utilities; Retail; Non-Profit; Hospitality; Food/Beverage; Construction/Real Estate
Timeframe: February 7 – May 23
Security Appliances: Snort; Palo Alto; Fortigate; Cisco ASA; SonicWall; Juniper Networks JunOS; Plixer Scrutinizer; Trend Micro Deep Discovery
Direction of Traffic: Inbound, Outbound
Well-Known Ports Identified: 445 (Server Message Block); 80 (HTTP); 123 (NTP); 9001 (TOR); 9090; 53 (DNS); 443 (HTTPS); 137 (NetBIOS); 139 (NetBIOS); 22 (SSH)
Number of Foreign IP Addresses: 386
Types of Traffic/Attacks: Successful SMB Ping Responses; Process Injection Commands; Successful Process Injection Responses; Sinkhole Connections
Protocols: TCP, ICMP, UDP

The GTIC has included all signatures and indicators related to WannaCry in this report in section 7: Characteristics, Indicators and Signatures.

6.1.2 Signature Detection Findings and Analysis

WannaCry leverages ETERNALBLUE to exploit a vulnerability in Microsoft's SMB protocol. While GTIC analysis of ETERNALBLUE did not detect WannaCry-specific activity, analysts did observe and analyze several signatures related to ETERNALBLUE and DOUBLEPULSAR. Detection of these signatures is highlighted in Figure 4.

Figure 4. Attack intention graph timeline

As shown in Figure 4, the use of DOUBLEPULSAR was consistent from late April through May 10, followed by a significant increase in detections on May 12. These detections include SMB ping responses, which were detected while threat actors conducted reconnaissance, attempting to identify publicly available systems with the backdoor already installed. From April 28 - May 1 and on May 5, analysts observed detections for both SMB process injection commands and successful injection responses, indicating threat actors were attempting to leverage those existing backdoors. On May 10, attempts to use the ETERNALBLUE exploit (CVE-2017-0144, CVE-2017-0146) were briefly detected, with nearly 400 attempts observed before subsiding. On May 11 and 12, the GTIC observed significant spikes in SMB process injection commands and responses leveraging DOUBLEPULSAR. Although analysts did not observe specific WannaCry infections via IDS/IPS implementations, this activity suggests threat actors are continuing attempts to identify compromised systems and leverage the backdoor for nefarious purposes.

6.1.3 Indicators of Compromise (IOC) Detections and Analysis

The GTIC collected several different IOCs related to WannaCry infections. These included hashes, domains, C2 domains, registry keys, filenames, IPv4 addresses, and more. Analysts identified and evaluated several IP addresses based on MSSP detections. These indicators are collected in this report in section 7: Characteristics, Indicators and Signatures.

Figure 5 provides an overview of IOC IPv4 addresses per MSSP data. Please note, 195.22.26.248 was removed due to its sheer log count; since it was identified as a sinkhole, that IP address was used as a focal point to redirect malicious traffic to for analysis.

Figure 5. Log count per IOC IPv4 address

Analysis indicates none of these IPv4 addresses conducted activity related to the use of DOUBLEPULSAR or ETERNALBLUE; however, the GTIC focused on requests to 7319[.]m8374[.]net/0.0.9 and p45pfvm2fhnvx23yiddqrrm[.]com[:]9001. The 7319[.]m8374[.]net/0.0.9 domain resolves to 195.22.26.248, which belongs to Claranet Portugal Telecomunicacoes S.A. of Portugal. 43 percent of outbound traffic was destined to this specific URL. According to passive DNS and Shodan results, this IP appears to be a security researcher sinkhole. The GTIC determined DNS was the primary protocol for traffic sent to this IP or a resolving domain. This indicator was gathered from ISC SANS Center. As shown in Figure 5, most of the detections related to the IPv4 IOCs were directed at the sinkhole, 195.22.26.248. The bubble chart (Figure 6) is used to describe the purpose of the server with the specific IPv4 address found in both MSSP detections and the WannaCry IOC list provided by the GTIC.

Figure 6. IOC purpose and volume

Additionally, traffic to p45pfvm2fhnvx23yiddqrrm[.]com caught our attention because the destination port specified was 9001, typically used for Tor traffic. Traffic for this was caught by a firewall and did not indicate any further malicious activity; however, the GTIC discovered that WannaCry uses Tor addresses for C2 channels, also noting that this domain resolves to 149.202.160.69, identified as a WannaCry C2 server.

6.2 Conclusion

Based on the data analyzed, the GTIC did not identify specific WannaCry detections; however, GTIC did analyze detections related to activity generated prior to or after WannaCry infections. Please be aware that traffic to 195.22.26.248 does not automatically suggest a WannaCry infection but may indicate different malware or potentially unwanted programs (PUPs). As of this writing, leveraging of SMB and SAMBA exploits continued to rise with the release of the WannaCry spin-off EternalRocks and CVE-2017-7494, before the developer pulled it from release. Organizations are highly encouraged to review and implement the recommendations below.
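To show how the network indicators in section 6.1.3 and the sinkhole caveat in section 6.2 translate into log triage, here is an added example that is not part of the original report. It parses constructed key=value firewall records, re-fangs the defanged indicators before comparing, flags outbound traffic to the known C2 on Tor port 9001, labels contact with the 195.22.26.248 sinkhole as inconclusive rather than as an infection, and flags inbound SMB from outside the internal ranges (the block-139/445 recommendation from section 2). The log format and the RFC 1918 internal ranges are assumptions.

```python
"""Triage firewall records against the WannaCry network indicators from
section 6.1.3, applying the sinkhole caveat from section 6.2.

Added example, not code from the NTT Security report. Log lines are constructed
in a simple 'key=value' format; adapt parse_line() to your own export format.
Indicators are kept exactly as printed in the report (defanged) and re-fanged
only at comparison time.
"""
import ipaddress
import re

# Indicators copied from the report.
C2_DOMAIN_DEFANGED = "p45pfvm2fhnvx23yiddqrrm[.]com"   # resolves to the C2 IP below
C2_IP = "149.202.160.69"                              # identified as a WannaCry C2 server
SINKHOLE_IP = "195.22.26.248"                         # research sinkhole, not a C2
SINKHOLE_HOST_DEFANGED = "7319[.]m8374[.]net"         # resolves to the sinkhole
TOR_PORT = 9001
SMB_PORTS = {139, 445}

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REQUIRED_FIELDS = {"src", "dst", "dport", "proto", "dir"}


def refang(indicator):
    """Undo the '[.]' and '[:]' escaping used for indicators in the report."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict, or return None if key fields are missing."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def classify(rec):
    """Return (label, note) for one parsed record; label 'none' means no finding."""
    dst, host = rec["dst"], rec.get("host", "").lower()
    if dst == C2_IP or host == refang(C2_DOMAIN_DEFANGED):
        if rec["dport"] == TOR_PORT:
            return ("wannacry_c2_tor",
                    "outbound to known WannaCry C2 on the Tor port; isolate the source host")
        return ("wannacry_c2_indicator", "known C2 indicator on a non-Tor port; investigate")
    if dst == SINKHOLE_IP or host == refang(SINKHOLE_HOST_DEFANGED):
        # Section 6.2: sinkhole contact is not proof of WannaCry; other malware
        # and PUPs are redirected there as well.
        return ("sinkhole_contact",
                "research sinkhole; inconclusive, check the host for other malware or PUPs")
    if rec["dir"] == "inbound" and rec["dport"] in SMB_PORTS and not is_internal(rec["src"]):
        return ("smb_exposed_to_internet",
                "inbound SMB from a non-internal address; block 139/445 at the perimeter")
    return ("none", "")


def triage(lines):
    """Run every line through parse_line() and classify(); keep only findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label, note = classify(rec)
        if label != "none":
            findings.append({"src": rec["src"], "dst": rec["dst"],
                             "dport": rec["dport"], "label": label, "note": note})
    return findings


# Constructed sample records (203.0.113.0/24 is a documentation range, used here
# to stand in for an arbitrary external source).
LOG_LINES = [
    "ts=2017-05-12T08:00:01Z src=10.1.4.22 dst=10.1.4.1 dport=445 proto=tcp dir=inbound",
    "ts=2017-05-12T08:02:10Z src=203.0.113.77 dst=10.1.4.22 dport=445 proto=tcp dir=inbound",
    "ts=2017-05-12T08:05:33Z src=10.1.4.22 dst=195.22.26.248 dport=53 proto=udp dir=outbound host=7319.m8374.net",
    "ts=2017-05-12T08:06:02Z src=10.1.4.40 dst=149.202.160.69 dport=9001 proto=tcp dir=outbound host=p45pfvm2fhnvx23yiddqrrm.com",
    "ts=2017-05-12T08:07:45Z src=10.1.4.40 dst=192.168.50.9 dport=443 proto=tcp dir=outbound host=intranet.example",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"{f['label']:24s} {f['src']} -> {f['dst']}:{f['dport']}  {f['note']}")
```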
GlobalThreatIntelligenceCenter(MonthlyThreatReport–May2017)UNCLASSIFIED-EXTERNALPage20of292017NTTSecurity6.
3Recommendations6.
3.
1Mitigation,IdentificationandEradicationDeployingpatchMS17-010isessentialtomitigatingthisthreat,asitaddressesseveraloftheexploitsleakedbyShadowBrokersearlierthisyear,includingETERNALBLUE.
ThereisreportedlyadecryptionprogramavailableforWannaCrywhichworksforusersrunningWindows7orearlier.
Theinstructionsforthedecryptordirecttheusertonotrestarttheirmachine.
Thisdecryptionprogram,Wanakiwi,rebuildstheencryptionkeyfromprimenumbersleftinmemoryonWindowsversionsXPthrough7.
Theprogramcanbefoundathttps://github.
com/gentilkiwi/wanakiwi.
CountercepthasalsocreatedaPythonscript(availableonGithub)toidentifyanderadicatetheDOUBLEPULSARbackdoorifdroppedduringtheETERNALBLUEexploit.
(NOTE: NTT SECURITY MAKES NO GUARANTEES AS TO THE EFFECTIVENESS OF EITHER OF THE ABOVE TOOLS, AND USERS SHOULD PROCEED WITH CAUTION AND LEVERAGE THESE TOOLS AT THEIR OWN RISK.)

7 Characteristics, Indicators and Signatures

7.1 WannaCry File Characteristics

FILE NAME: 24d004a104d4d54034dbcffc2a4b19a04703480b1022c.exe
FILE SIZE: 3723264 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
SHA512: d6c60b8f22f89cbd1262c0aa7ae240577a82002fb149e9127d4edf775a25abcda4e585b6113e79ab4a24bb65f4280532529c2f06f7ffe4d5db45c0caf74fea38
CRC32: 1457555570
SSDEEP: 98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB
Compile Time: 03:08.0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Original Filename: lhdfrgui.exe
Author: Microsoft Corporation
Description: Microsoft Disk Defragmenter

FILE NAME: tasksche.exe
FILE SIZE: 3514368 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
CRC32: 1154904451
SSDEEP: 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Compile Time: 05:05.0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Original Filename: diskpart.exe
Author: Microsoft Corporation
Description: DiskPart

FILE NAME: f351e1fcca0c4ea05fc44d15a17f8b36.exe
FILE SIZE: 65536 bytes
FILE TYPE: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: f351e1fcca0c4ea05fc44d15a17f8b36
SHA1: 7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b
SHA256: 1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830
SHA512: c139bddae3571cac3d832535e0c3bc6d817b86fb3f7b68864d1b94e9c37b38856f2eeeb49c16f2fb8fee45e6a7c95bc67072443b7428034b6def10d3f724ca22
CRC32: 2897727361
SSDEEP: 768:edWOTdghGl7Lu/qGrN5r5UF9sBaho9S4AJKqBz8MZK8IgpkCamlniZfO:PGdghGleSGh5resN9S4A3jHaqniZfO
Compile Time: 12:55.0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Original Filename: kbdlv.dll
Author: Microsoft Corporation
Description: Latvia Keyboard Layout

FILE NAME: @WanaDecryptor@.exe
FILE SIZE: 245760 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7bf2b57f2a205768755c07f238fb32cc
SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512: 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
CRC32: 4211736213
SSDEEP: 3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
Compile Time: 19:35.0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Original Filename: LODCTR.EXE
Author: Microsoft Corporation
Description: Load PerfMon Counters

7.2 WannaCry Configuration Details

24d004a104d4d54034dbcffc2a4b19a04703480b1022c.exe – Loader and Worm Component
Hash: MD5 - db349b97c37d22f5ea1d1841e3c89eb4
Action: Writes loader to disk
Process: Creates the mssecsvc2.0 service for persistence, running
  C:\Users\Emily\AppData\Local\Temp\24d004a104d4d54034dbcffc2a4b19a04703480b1022c.exe -m security

tasksche.exe – Loader
Hash: MD5 - 84c82835a5d21bbcf75a61706d8ab549
Action: Written to C:\ProgramData\\tasksche.exe
Process 1: Creates a service for persistence: cmd.exe /c "C:\ProgramData\\tasksche.exe" (the service name is the same as the random value)
Process 2: C:\Logs\@WanaDecryptor@.exe
Creates a registry value for persistence: Key: HKLM\SOFTWARE\WANACRYPTOR, Value: wd, Data: C:\ProgramData\

Unavailable – Encryptor
Hash: MD5 – f351e1fcca0c4ea05fc44d15a17f8b36

@WanaDecryptor@.exe – Decryptor
Hash: MD5 – 7bf2b57f2a205768755c07f238fb32cc
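The persistence chain in 7.2 (the mssecsvc2.0 service, the loader dropped as tasksche.exe under a randomly named C:\ProgramData folder with a service of the same name, and the HKLM\SOFTWARE\WANACRYPTOR\wd value recording the install directory) is better checked as a set of correlated artifacts than as isolated lookups. The Python below is an added example written for this page, not NTT Security's code. The endpoint snapshot it inspects is constructed (a service table, a registry export and a file listing of the kind an inventory or EDR agent returns); the random folder name xyhpsmtkr123 is invented for the sample, and the mssecsvc2.0 command line is the one the report observed.

```python
import re
from dataclasses import dataclass

# Persistence indicators as stated in section 7.2 of the report.
WORM_SERVICE = "mssecsvc2.0"                    # created by the loader/worm component
REG_MARKER = r"hklm\software\wanacryptor\wd"    # value that records the install directory
DECRYPTOR = "@wanadecryptor@.exe"
# The loader lands as C:\ProgramData\<random>\tasksche.exe and the service created for it
# carries the same <random> name; that shared value is the correlation this check relies on.
TASKSCHE_RE = re.compile(r"^c:\\programdata\\(?P<rand>[^\\]+)\\tasksche\.exe$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    services: dict   # service name -> command line it runs
    registry: dict   # full value path -> data (compared case-insensitively)
    files: set       # absolute paths present on disk


def triage(snap: HostSnapshot) -> list:
    """Return (indicator, detail) pairs for every WannaCry persistence artifact found."""
    hits = []
    services = {name.lower(): (name, cmd) for name, cmd in snap.services.items()}
    registry = {path.lower(): data for path, data in snap.registry.items()}

    if WORM_SERVICE in services:
        name, cmd = services[WORM_SERVICE]
        hits.append(("worm-service", f"{name} runs {cmd}"))

    for path in sorted(snap.files):
        m = TASKSCHE_RE.match(path)
        if not m:
            continue
        rand = m.group("rand")
        hits.append(("loader-dropped", path))
        if rand.lower() in services:   # service named after the random folder
            hits.append(("loader-service", f"service {rand} runs {services[rand.lower()][1]}"))

    if REG_MARKER in registry:
        hits.append(("registry-marker", f"{REG_MARKER} = {registry[REG_MARKER]}"))

    for path in sorted(snap.files):
        if path.lower().endswith("\\" + DECRYPTOR):
            hits.append(("decryptor-present", path))
    return hits


# Constructed snapshots for the example (not data from the report, apart from the
# mssecsvc2.0 command line, which is the one listed in section 7.2).
INFECTED = HostSnapshot(
    services={
        "mssecsvc2.0": r"C:\Users\Emily\AppData\Local\Temp\24d004a104d4d54034dbcffc2a4b19a04703480b1022c.exe -m security",
        "xyhpsmtkr123": r'cmd.exe /c "C:\ProgramData\xyhpsmtkr123\tasksche.exe"',
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
    },
    registry={r"HKLM\SOFTWARE\WANACRYPTOR\wd": r"C:\ProgramData\xyhpsmtkr123"},
    files={
        r"C:\ProgramData\xyhpsmtkr123\tasksche.exe",
        r"C:\ProgramData\xyhpsmtkr123\@WanaDecryptor@.exe",
        r"C:\Windows\System32\spoolsv.exe",
    },
)
CLEAN = HostSnapshot(
    services={"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    registry={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\x\OneDrive.exe"},
    files={r"C:\Windows\System32\spoolsv.exe", r"C:\ProgramData\Microsoft\tasksche.log"},
)

if __name__ == "__main__":
    for indicator, detail in triage(INFECTED):
        print(f"[{indicator}] {detail}")
```

The loader-service finding is the one worth weighting highest on a real host: a service whose name equals the folder holding tasksche.exe is the pattern the report describes, whereas a file named tasksche.exe on its own can be a false positive from a copied sample.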
7.3 WannaCry Technical Indicators

The following technical indicators provide details about characteristics of this malware. These indicators can be used to enhance detection capabilities of network devices if detection signatures are created and implemented. IP addresses and those using them are typically transient in nature, so while blocking offending IP addresses is a small step toward improving security, you cannot afford to just "block it and forget it."

IP ADDRESSES
2.3.69.209
148.244.38.101
213.61.66.117
50.7.161.218
149.202.160.69
46.101.142.174
193.23.244.244
163.172.149.155
46.101.166.19
188.166.23.127
171.25.193.9
62.210.124.124
146.0.32.144
195.22.26.248
91.121.65.179
128.31.0.39
197.231.221.221
91.219.237.229
144.76.92.176
198.96.155.3

C2 IP ADDRESSES AND PORTS
188.166.23.127:443
193.23.244.244:443
2.3.69.209:9001
146.0.32.144:9001
50.7.161.218:9001
62.138.10.60:9001
82.94.251.227:443
213.239.216.222:443
51.255.41.65:9001
86.59.21.38:443
198.199.64.217:443
83.169.6.12:9001
192.42.115.102:9004
104.131.84.119:443
178.254.44.135:9001
163.172.25.118:22
217.79.179.77
128.31.0.39
213.61.66.116
212.47.232.237
81.30.158.223
79.172.193.32
89.45.235.21
38.229.72.16
188.138.33.220

DOMAINS
gx7ekbenv2riucmf.onion
bcbnprjwry2.net
xanznp2kq.com
57g7spgrzlojinas.onion
bqmvdaew.net
chy4j2eqieccuk.com
xxlvbrloxvriy2c5.onion
sxdcmua5ae7saa2.net
lkry2vwbd.com
76jdd2ir2embyv47.onion
rbacrbyq2czpwnl5.net
ju2ymymh4zlsk.com
cwwnhwhlz52maqm7.onion
ow24dxhmuhwx6uj.net
43bwabxrduicndiocpo.net
graficagbin.com.br
fa3e7yyp7slwb2.com
sdhjjekfp4k.com
dyc5m6xx36kxj.net
wwld4ztvwurz4.com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
gurj5i6cvyi.net
bqkv73uv72t.com
sqjolphimrr7jqw6.onion

CURRENTLY KNOWN KILL SWITCH DOMAINS
www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com
www.iuqerxxxdp9ifjaposdfjhgosurijfaewrwergwea.com
www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
www.udhridhfowhgibe9vheiviehfiehbfvieheifheih.com
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.

FILE HASHES (SHA256)
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696
e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079
e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb
f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a
05a00c320754934782ec5dec1d5c0476246c2781b88f58bc6b0da24ec71dd028
2b4e8612d9f8cdcf520a8b2e42779ffa31dab68b11824153b4c975399df0354f
3c6375f586a49fc12a4de9328174f0c146d140a0eb13582852b5f778bb20cf0e
509c41ec97bb81b0567b059aa2f50fe854a116ff80df6e6031059fc3036464df
5bef35496fcbdbe841c82f4d1ab8b7c2638f9235d038a0a001d5ea7f5c5dc4ae
7f7ccaa16fb15eb1c7399d422f8363e880a2af99fd990567869e9cf4039edf73

FILE HASHES (MD5)
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8db349b97c37d22f5ea1d1841e3c89eb
b7f7ad4970506e8547e0f493c80ba441
bec0b7aff4b107edd5b9276721137651
c39ed6f52aaa31ae0301c591802da24b
c61256583c6569ac13a136bfd440ca09
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
f107a717f76f4f910ae9cb4dc5290594
f9992dfb56a9c6c20eb727e6a26b0172
f9cee5e75b7f1298aece9145ea80a1d2
4fef5e34143e646dbf9907c4374276f5
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
8495400f199ac77853c53b5a3f278f3e
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
15c8af3e260cc12caa2389125ec36aeb
4da1f312a214c07143abeeafb695d904
0180a1ef9ffe70d09f5aee65c9e3d2c4

FILE NAMES
@wanadecryptor@.exe
!WannaDecryptor!.exe
rrr.exe
@Please_Read_Me@.txt
mssecsvc.exe
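Section 7.3 says these indicators only help once they are turned into detection logic, and warns that IP addresses are transient. The Python below is an added example for this page, not NTT Security's tooling: it runs a handful of the report's indicators over constructed firewall and DNS log lines (the log format, the timestamps and the internal 10.1.x.x hosts are invented), treats a lookup of a kill-switch domain as the highest-confidence signal (public analyses describe the worm itself issuing that request at start-up, so the querying host is the infected one), and down-ranks bare-IP matches once the indicator is older than an assumed 30-day shelf life measured from an assumed May 2017 publication date.

```python
import re
from datetime import datetime, timedelta

# Indicators copied from section 7.3 of the report (a subset; extend the sets to cover the full lists).
C2_ENDPOINTS = {
    ("188.166.23.127", 443), ("193.23.244.244", 443), ("2.3.69.209", 9001),
    ("146.0.32.144", 9001), ("50.7.161.218", 9001), ("163.172.25.118", 22),
}
IP_INDICATORS = {"128.31.0.39", "197.231.221.221", "91.219.237.229", "144.76.92.176", "198.96.155.3"}
DOMAINS = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
KILL_SWITCH = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "www.udhridhfowhgibe9vheiviehfiehbfvieheifheih.com",
}
# Assumptions for the ageing rule: indicators published with the May 2017 report, 30-day shelf life.
INDICATOR_DATE = datetime(2017, 5, 31)
IP_SHELF_LIFE = timedelta(days=30)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> <source> k=v k=v ...' (constructed log format) into a dict."""
    ts, source, rest = line.split(" ", 2)
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = source
    return event


def evaluate(event: dict):
    """Return (severity, reason) for one parsed event, or None when nothing matches."""
    if event["source"] == "dns":
        name = event["query"].lower().rstrip(".")
        if name in KILL_SWITCH:
            return "critical", f"{event['client']} looked up kill-switch domain {name}"
        if name in DOMAINS:
            return "high", f"{event['client']} looked up WannaCry domain {name}"
        return None
    if event["source"] == "fw":
        dst, port = event["dst"], int(event["dport"])
        if (dst, port) in C2_ENDPOINTS:
            return "high", f"{event['src']} connected to C2 endpoint {dst}:{port}"
        if dst in IP_INDICATORS or any(dst == ip for ip, _ in C2_ENDPOINTS):
            # Bare-IP indicators age out: past the shelf life, report but do not block on them alone.
            if event["ts"] - INDICATOR_DATE > IP_SHELF_LIFE:
                return "low", f"{event['src']} reached stale IP indicator {dst} (re-verify before blocking)"
            return "medium", f"{event['src']} reached IP indicator {dst} on port {port}"
    return None


def sweep(lines) -> list:
    """Run every line through the indicators; returns [(severity, reason, line), ...]."""
    hits = []
    for line in lines:
        verdict = evaluate(parse_line(line))
        if verdict:
            hits.append((verdict[0], verdict[1], line))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2017-05-13T10:21:58Z dns client=10.1.4.22 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-13T10:22:01Z fw src=10.1.4.22 dst=188.166.23.127 dport=443 action=allow",
    "2017-05-13T10:22:05Z fw src=10.1.4.22 dst=128.31.0.39 dport=9001 action=allow",
    "2017-09-01T08:00:00Z fw src=10.1.7.9 dst=128.31.0.39 dport=9001 action=allow",
    "2017-05-13T10:30:00Z fw src=10.1.4.23 dst=93.184.216.34 dport=443 action=allow",
    "2017-05-13T10:31:00Z dns client=10.1.4.23 query=example.com",
]

if __name__ == "__main__":
    for severity, reason, line in sweep(SAMPLE_LOG):
        print(f"{severity:8} {reason}")
```

On the sample, host 10.1.4.22 produces the kill-switch lookup, the C2 connection and the bare-IP match within seconds of each other; that clustering by source host, rather than any single indicator, is what to pivot on when triaging a real log.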
7.4 WannaCry, DoublePulsar and EternalBlue Signatures

The signatures in this section are not necessarily WannaCry specific, but when hunting for infections in your network, it is important to take note of these signatures, as threat actors are actively targeting the associated vulnerabilities.

Snort ID   Snort Message
42329      MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response
42330      MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response
42331      MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command
42916      MALWARE-CNC Win.Trojan.ETERNALBLUE variant echo request
42917      MALWARE-CNC Win.Trojan.ETERNALBLUE variant echo response
41978      OS-WINDOWS Microsoft Windows SMB remote code execution attempt
42944      OS-WINDOWS Microsoft Windows SMB remote code execution attempt
30770      FILE-PDF Foxit Reader CFF CharStrings buffer overflow attempt
30771      FILE-PDF Foxit Reader CFF CharStrings buffer overflow attempt
2024207    ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed
2024208    ET EXPLOIT Possible ETERNALROMANCE MS17-010
2024212    ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)
2024213    ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response
2024217    ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
2024218    ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
2024219    ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray
2024220    ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)
2024297    ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
2024298    ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
2024299    ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2
2024300    ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3
2024301    ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4
2024302    ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5
2024291    ET TROJAN Possible WannaCry DNS Lookup 1
2024293    ET TROJAN Possible WannaCry DNS Lookup 2
2024294    ET TROJAN Possible WannaCry DNS Lookup 3
2024295    ET TROJAN Possible WannaCry DNS Lookup 4
2024296    ET TROJAN Possible WannaCry DNS Lookup 5

Palo Alto ID   Palo Alto Message
12096          DoublePulsar.Gen Command and Control Traffic
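Snort SID 42329 above fires on the DoublePulsar "successful ping response". As an added example for this page (not NTT Security's or the rule author's code), the Python below applies the same kind of check to captured SMB frames, which is useful when reviewing a packet capture from a host that an IDS flagged. It assumes the publicly documented DoublePulsar behaviour that the report itself does not spell out: the implant answers a Trans2 SESSION_SETUP ping with the Multiplex ID changed to 0x51, whereas a clean host echoes the probe's MID (0x41) back. The frames are constructed inline; only the NetBIOS session and SMB1 header layouts are standard.

```python
import struct

# NetBIOS session header (4 bytes) followed by the 32-byte SMB1 header.
SMB_HDR = "<4sBIBHH8sHHHHH"      # protocol, command, status, flags, flags2, pid_high,
                                  # signature, reserved, tid, pid_low, uid, mid
SMB_HDR_LEN = struct.calcsize(SMB_HDR)   # 32
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
PROBE_MID = 0x41          # MID used by the DoublePulsar ping probe (public detection scripts)
IMPLANT_PING_MID = 0x51   # MID the implant returns on a ping (assumption stated in the lead-in)


def classify_smb_frame(frame: bytes) -> str:
    """Label one NetBIOS-framed SMB1 PDU as seen on TCP/445."""
    if len(frame) < 4 + SMB_HDR_LEN or frame[0] != 0x00:
        return "not-smb"
    if int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        return "not-smb"
    (protocol, command, _status, flags, _flags2, _pid_high, _sig,
     _reserved, _tid, _pid_low, _uid, mid) = struct.unpack_from(SMB_HDR, frame, 4)
    if protocol != b"\xffSMB":
        return "not-smb"
    if not flags & SMB_FLAGS_REPLY:
        return "smb-request"
    if command == SMB_COM_TRANSACTION2 and mid == IMPLANT_PING_MID:
        return "doublepulsar-ping-response"
    return "smb-response"


def scan_capture(frames) -> list:
    """Return the ind
exes of frames that look like DoublePulsar ping responses."""
    return [i for i, f in enumerate(frames) if classify_smb_frame(f) == "doublepulsar-ping-response"]


def build_trans2_frame(mid: int, reply: bool = True, status: int = 0xC0000002) -> bytes:
    """Constructed minimal Trans2 PDU (header plus empty WordCount/ByteCount) for the example."""
    flags = (SMB_FLAGS_REPLY if reply else 0) | 0x18
    header = struct.pack(SMB_HDR, b"\xffSMB", SMB_COM_TRANSACTION2, status, flags,
                         0xC807, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0x0800, mid)
    body = b"\x00" + b"\x00\x00"          # WordCount = 0, ByteCount = 0
    pdu = header + body
    return b"\x00" + len(pdu).to_bytes(3, "big") + pdu


# Constructed capture: a clean host echoes the probe's MID; an implanted host answers with 0x51.
SAMPLE_CAPTURE = [
    build_trans2_frame(PROBE_MID, reply=False),   # the probe itself (a request, never flagged)
    build_trans2_frame(PROBE_MID),                # clean host
    build_trans2_frame(IMPLANT_PING_MID),         # implant present
    b"\x16\x03\x01\x00\x05hello",                 # unrelated traffic
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_CAPTURE):
        print(i, classify_smb_frame(frame))
```

Because the check keys on the reply flag and the MID, a request carrying 0x51 from an internal scanner never matches; only a server-side answer does, which is the direction the Snort rule watches as well.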
