WannaCry and Other Ransomware – What is it and How to Defend Against It?

WannaCry and Other Ransomware – What is it and How to Defend Against It?

This isn’t the first time we have been here. Remember CryptoLocker in 2013? This all sounds to familiar.

The last few days have seen an unprecedented ransomware attack that has affected organisations in over 150 countries. The software called WanaCrypt0r 2.0 (aka WannaCry or WCry) has been affecting computers across the globe. Initial estimation states it hit 36,000 organizations, among them the UK National Health Service (NHS) and hospitals across the UK and Scotland, organizations in Spain, Russia, the Ukraine and Taiwan.

This brings to attention the exploding threat landscape that we face today and highlights just how prepared we have to be. The WannaCry outbreak demonstrates just how damaging ransomware can be, and how quickly such attacks can disrupt vital services.

Let’s later look at WannaCry as a case study and use it to understand how we might be not prepared for the next variant.

Firstly, the background.

What is ransomware?

There are two types of ransomware; the first type encrypts the files on a computer or network. The second type locks a user’s screen. Both types require users to make a payment (the ‘ransom’) to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest, for example WannaCry was asking for around $300. You must never pay it. Even if you are desperate to get your files back. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to ‘unlock’ the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem. Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

You simply can’t rely on one thing to protect you. Anti Virus isn’t even a sticking plaster. Some anti virus vendors took several hours to get updates issued (Symantec), whereas Sophos was quick, around a couple of hours. Carbon Black and Cybereason are new kids in town that are quick to identify newer variants of malware and ransomware. Cybereason even gives away it’s basic product to protect against Ransomware. Ransomware is difficult to stop even on Microsoft Windows computers running. The only truly reliable defence is backup but even that can come under attack from ransomware if it is reachable from the infected PC. Users must not pay the fees.

Let’s look at WannCry specifically now, from the perspective of Talos, a Cisco company. Some of their comments are copied and pasted below and merged with our own comments.


This is the link to the Cisco Talos blog article which from everything we have read in the last few days is the best summary of what has happened and why.

On Friday, May 12, 2017, a global ransomware campaign began targeting computers around the world with a ransomware variant called WannaCrypt malware (alternatively known as WCry, WannaCry or WanaCrypt0r), hitting dozens of organizations across the globe. Among the victims are universities in China, Russia’s Ministry of Internal Affairs, National Health Service in the UK, and enterprises including Federal Express, the Spanish telecommunication company Telefonica, French car manufacturer Renault, and more.

How Does WannaCry Operate?

What Does the Malware Do?

WannaCry features several stages of execution: propagation, encryption and TOR communication. WannaCry is innovative in that it only needs to gain access to a network once and automatically spreads to additional endpoints, versus other ransomware campaigns that target as many machines as possible.


WannaCry scans for computers for port 445 and leverages EternalBlue to gain access and deploy the WannaCrypt malware onto the machine (using a malware loader called DOUBLEPULSAR). From that moment, the worm scans nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.

This attack spread by leveraging recently disclosed vulnerabilities in Microsoft’s network file sharing SMB protocol. CVE-2017-0144 – MS17-010i, a Microsoft security update issued on March 14th 2017, addressed these issues and patched these remote code execution vulnerabilities. The current ransomware campaign targets computers that were not updated.

What are FuzzBunch, DoublePulsar and EternalBlue?

In April of 2017, a group named Shadow Brokersii leaked several exploitation tools, including FuzzBunch. Inside of the FuzzBunch framework there were remote exploits for Windows like EternalBlue and DoublePulsar.

The DoublePulsar SMB plant from the Shadow Brokers dump is a backdoor exploit that can be used to distribute malware, send spam, or launch attacks. EternalBlue is a remote code exploit affecting Microsoft’s Server Message Block (SMB) protocol. Attackers are also using the EternalBlue vulnerability to gain unauthorized access and propagate WannaCrypt to other computers on the network.

It appears the attackers are using Fuzzbunch or Metasploit (similar tool) modulesiii to launch these attacks. The exploits, payloads and scanners needed to launch an attack against computers with exposed SMB services are all available on a Github page.


Like other known ransomwares (Locky, Cryptowall, etc.), the encryption phase is executed at the first stage, before any outbound communication.


The TOR communication is not necessarily done over http and is not preliminary prerequisite stage for any of the other stages. The TOR client is embedded within the ransomware, so no need to execute outbound communication for downloading. It is only used to share the encryption keys with the C2 server.


After dropping the first executable and checking the domain for the kill switch, WannaCrypt will drop another executable to scan the IP addresses and attempt to connect to those devices via the SMB vulnerability on port 445/TCP. If there is another vulnerable device on the network, WannaCrypt will make the connection and transfer the malicious payload to that device as well.

Command and Control Servers

  • cwwnhwhlz52ma.onion
  • gx7ekbenv2riucmf.onion
  • xxlvbrloxvriy2c5.onion
  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion

Bitcoin Addresses

  • https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

The remediation cost (the ransom) was $300 per infected machine to be paid in Bitcoin. Three days after the infection, the ransom increases to $600. When the clock expires after seven days, the victim loses the ability to pay the ransom and decrypt their files. The files on the infected computers are encrypted using a custom AES-128 in CBC mode. At the moment there are no confirmed reports of victims receiving a key for decryption after making a payment. Normally ransomware campaigns have personalized Bitcoin wallets to help identify who has paid the ransom. In the case of WannaCrypt, it is believed the only way to identify the author that you have made a payment is by sending the extortionist your transaction ID through their “Contact Us” section.

Kill Switch

Upon infection, WannaCrypt executes a file that sends an HTTP GET request to a hardcoded domain. This is a killswitch. If the request for the domain is successful, WannaCrypt will exit and not deploy. If the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed the killswitch domain was unregistered. He promptly registered the domain and directed the request to a sinkhole, thereby effectively preventing this variant from spreading further.

Kill switches

  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@msuiche)
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@MalwareTechBlog)

What’s Expected Next?

Extortion is not new to humanity, and the cyber space is fertile grounds for it to prosper. The frequency of ransom attacks doubled the past year, but 2016 was the year where it became the primary motivation of cyber-attacks, particularly in Europe. In 2016, 49% of organizations reported having suffered either a ransomware infection or a DDoS threat for ransom.

It is very likely that as the malware spreads, hackers will be able to customize it and more permutations will appear, like the case of the Mirai Botnet whose source code went public in the autumn of 2016. WannaCry variations at Virus Total (four until now):


Installing Microsoft MS-17-010 Security Updates

Users should immediately patch their computers with Microsoft’s MS-17-010 security update that includes the patch for this vulnerability. This vulnerability is so severe that Microsoft has even pushed an update for Windows XP for the first time since 2014. Users who cannot make the update should disable SMBv1 from allowing direct connections. Open Windows features and uncheck SMB 1.0/CIFS File Sharing Support

How do you protect yourself from Ransomware?

The list is extensive, most of this is common sense, and some quite advanced and comes with cost.

Patch ALL Windows machines in your environment immediately. The EternalBlue vulnerability was patched by Microsoft back in March as part of MS17-010. Vulnerability management and patching – some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it’s important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.

Maintain up-to-date backups of files and regularly verify that the backups can be restored. Ransomware attacks target shared network drives and cloud backups. This scenario makes it hard to retrieve the information in case of a ransomware attack. Therefore, do not rely on backup only – you must consider a protection mechanism.

Controlling code execution – consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing – unless you have explicitly trusted them. It’s also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can’t see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.

Email. Attachment filtering in your mail system won’t work for a lot of ransom ware, including WannCry. (though investigations are ongoing there is no proof email was used to transmit the ininital attacks). You need a content-inspecting web proxy that deals with both HTTP and HTTPS or you need to be very restrictive about the websites you allow your users to visit.

Educate. Ransomware is often delivered through the exact same channels as other types of malware: spear-phishing and malicious drive-by. Educate users to obtain from clicking on suspicious links, downloading email attachment and downloading software from un-known resources.

Install a ransomware detection and prevention tool. Small businesses and individuals should install Cybereason RansomFree. It is a free ransomware protection tool for PCs running Windows 7, 8, 10 and Windows Servers running 2008 R2 and 2012 R2. Download RansomFree herehttps://ransomfree.cybereason.com It

Filter web browsing traffic – we recommend using a security appliance or service to proxy your outgoing web browsing traffic (Bluecoat for example). Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.

Manage and control removable media access to prevent ransomware from being brought in to an organisation on foot.

Confirming that you do not have any SMB (Server Message Block) ports publicly exposed to the Internet. Outpost24 Outscan, Nessus or Qualys will pick this up.

Confirm traffic to Tor nodes is blocked

Ask 3rd parties who have VPN connections to confirm their posture prior to establishing a connection. SMB should never traverse VPN and MPLS links, for example, unless you absolutely need it.  Endpoints almost never need SMB inbound – Windows firewall block it by default. It isn’t just SMB, however – there’s lots of Windows services which endpoint PCs shouldn’t be listening for.

Apply access protection rules to block creation of wnry files

Enable IPS rule to block traffic exploiting MS17-010

Using a SIEM solution to identify the following: hosts conducting mass SMB scans / mass filerenames on fileshares

Install Sysmon on fileshares to aid in forensic investigation if hit

Confirm Killswitch domains are accessible

Keep the userbase informed that the threat remains so that they remain vigilent

Segment networks / vlans with IPS between them that can generate signatures in real time.

Direct SMB and Terminal Services external communications should be forbidden or securely configured and monitored. Akamai have a product called Enterprise Application Access to get around this.

Disable Tor communications to and from your organization. (IPS)

Consider zero-day protection / sandboxing solutions. The Check Point firewall can do this very well.







This entry was posted in Network Security, News and Updates, Opinion. Bookmark the permalink.

Leave a Reply