WannaCry Ransomware

WannaCry Ransomware

Infection Chain

Key Messages

  • Trend Micro first detected WannaCry/Wcry 14-April-2017. The initial variant (RANSOM_WCRY.C) was typically distributed via phishing attacks that then had users downloading the malware from Dropbox. This initial variant wasn’t of particular note
  • On Friday, 12-May-2017, a new variant of WannaCry (I / RANSOM_WCRY.A) built on the April variant foundations and added an exploit for CVE-2017-0144, better known was EternalBlue or MS17-10. This exploit allowed the ransomware to spread like a worm throughout unprotected networks. Latest Friday evening, Microsoft released a publicly available patch for unsupported Windows versions (Windows XP, Windows 8, Windows Server 2003) to help address the issue
  • A strong patch management process is key to protecting against vulnerabilities like MS17-010, which is what sets WannaCry apparent from other ransomware variants. This vulnerability was patched in March for support operating systems. Threat actors know it takes time for large enterprises to patch known vulnerabilities, and they took full advantage in this massive attack. This white paper provides guidelines to help businesses implement a patching system to keep their systems safe
  • Trend Micro offers a free assessment tool that can detect the WannaCry ransomware. This tool uses machine learning and other techniques similar to those seen in OfficeScan XG to highlight the protection provided by advanced endpoint security tools. In addition to strong endpoint protection, Trend Micro also recommends strong email security solutions to help prevent the initial infection (79% of ransomware attacks in 2016 started via a phish) and a strong backup strategy to help recover from successful ransomware attacks

FAQ

Q: What do we know about WannaCry/WCry?
A:
An unprecedented spate of ransomware infections is hitting a number of organizations across various industries around the world. The culprit: the WannaCry/WCRY ransomware (detected by Trend Micro as RANSOM_WANA.A and RANSOM_WCRY.I). Trend Micro detected and monitored WannaCry since its emergence in the wild in April, 2017, and has been protecting users and enterprises with the ransomware protection features of machine learning-infused Trend Micro™ XGen™ security.

WannaCry or WCRY appears to be taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “EternalBlue”) associated with the Shadow Brokers tools release. This has affected organizations around the world in all verticals. Our researchers are currently analyzing it in more detail.

Q: What happened?

A: Several firms in Europe were the first to report having their mission-critical Windows systems locked and displaying a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

[Infographic: A multilayered defense against ransomware]

Q: Who’s affected?

A: This variant of the WannaCry ransomware attacks older Windows-based systems, and is leaving a trail of significant damage in its wake. Based on Trend Micro’s initial telemetry, Europe has the highest detections for the WannaCry ransomware. The Middle East, Japan, and several countries in the Asia Pacific (APAC) region showing substantial infection rates as well.

WannaCry’s infections were seen affecting various enterprises, including those in healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Due to the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

[READ: A technical overview of the WannaCry/Wcry ransomware]

Q: What does WannaCry ransomware do?

A: WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.

Figure 1: One of WannaCry’s ransom note

WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010 released March, 2017.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.

WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010 released March, 2017.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior enables WannaCry to spread across networks and infect systems connected to them. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.

[READ: Shadow Brokers Leaks Hacking Tools: What it Means for Enterprises]

Q: What should affected organizations do?
A: Trend Micro recommend that all compromised machines are immediately isolated and relevant backups are protected from further changes. Since this attack appears to exploit a known Microsoft vulnerability – customers should consider disabling SMB in their environments if possible – either via GPO or using instructions provided by Microsoft. In addition, we recommend patching with MS17-010 or using Trend Micro virtual patching as this is what is being used to propagate to other machines.

 Q: How can it be thwarted?

A: WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

 Q: How can I find out if my organization is protected?
A:
Trend Micro offers a free tool to help organizations identify the gaps in their existing endpoint protection solution by providing you with the specific advanced endpoint security techniques to stop more threats from getting in your networks and on your endpoints.

Are Trend Micro customers protected?
We have a series of solutions that provide some level of protection against these new threats:

  • Updated Configuration and Next Generation Technology– Trend Micro customers using the latest versions of OfficeScan and Worry-Free Business Security should ensure that they have both Predictive Machine Learning (OfficeScan XG, Worry-Free Services) and all relevant Ransomware protection features enabled in their product.  The following article contains information on optimal configurations to help protect against ransomware:  https://success.trendmicro.com/solution/1112223
  • Smart Scan Agent Pattern and Official Pattern Release: Trend Micro has added known variant and component detections into the following patterns for all products that utilizes these patterns:
    • Smart Scan Agent Pattern – 13.399.00
    • Official Pattern Release (conventional)– 13.401.00
  • Trend Micro Web Reputation Services(WRS) has added coverage for known Command and Control (C&C) servers.
  • Trend Micro Deep Security and Vulnerability Protection(formerly the IDF plug-in for OfficeScan) customers with the latest rules have an updated layer of protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003). Specifically, Trend Micro released the following rule for proactive protection:
    • IPS Rules 1008224, 1008228, 1008225, 1008227 – Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
  • Trend Micro Deep Discovery Inspectorcustomers with the latest rules also have an additional layer of protection against the vulnerabilities associated with the exploit. Specifically, Trend Micro has released the following official rule for proactive protection:
    • DDI Rule 2383:  CVE-2017-0144 – Remote Code Execution – SMB (Request)
  • Trend Micro TippingPoint customers with the following filters have updated protection:
    • Filters 5614, 27433, 27711, 27935, 27928– Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
    • ThreatDV Filter 30623– helps to mitigate outbound C2 communication
    • Policy Filter 11403– provides additional protection against suspicious SMB fragmentation