WanaCry: Frequently Asked Questions

There are many questions surrounding the WanaCry ransomware attack that started on May 11, 2017. In order to provide some quick answers to common questions and dispel some misconceptions, we are providing this list of frequently asked questions. We will keep this updated as new details emerge. For a more in-depth look at WanaCry, refer to our blog – WanaCry Observations: Big Worm = Big Problems.

[Last updated 12:18pm ET, May 16, 2017]

  • Is there a new variant in the wild?
    • Researchers have found many similar samples, but most of them have turned out to be lightly edited versions of the WanaCry malware from the May 11th weekend. So far none of the new samples has been as effective as the version making the news, and some do not even appear to work properly.
  • Did the WanaCry infections start via a phishing campaign?
    • There are theories that WanaCry was originally seeded through phishing emails, but so far no evidence supports them. Exactly how the WanaCry infections began is currently unknown.
  • How does WanaCry spread?
    • WanaCry spreads primarily over SMB by exploiting a vulnerability in Microsoft's SMBv1 implementation, the one targeted by the ETERNALBLUE NSA exploit released by the Shadow Brokers. Microsoft released a patch for this vulnerability (MS17-010) for supported versions of Windows in March 2017 and, on Friday, May 12, 2017, also released patches for the unsupported Windows XP and Windows 2003. Once on a host, WanaCry attempts to spread across the internal network and to random hosts on the Internet over SMB, ports TCP 139 and TCP 445.
  • Is it still active?
  • What is the “killswitch” domain mentioned in conjunction with WanaCry?
    • WanaCry attempts to connect to a specific domain when it starts up; if the connection succeeds, it terminates. This may be anti-analysis functionality, since sandboxes and other malware research environments are often configured to return responses for any domain requested. The killswitch domains known to be associated with WanaCry have been registered and are hosted by researchers.
  • Does access to the killswitch domain mean WanaCry won’t work?
    • If the WanaCry malware can reach its killswitch domain, it terminates instead of encrypting files or spreading further. Note that this only stops a new execution of the malware; it does not recover files that an earlier run already encrypted.
  • What if access to the killswitch domain is blocked?
    • If access to the WanaCry killswitch domain is blocked by a security tool or by network configuration, infections inside the organization will succeed, because the malware gets no reply from the killswitch domain and proceeds. The fix is either to whitelist the domain so the connection can succeed, or to set up an internal DNS record for the killswitch domain that points to an internal host answering HTTP requests on TCP port 80. A DNS sinkhole that resolves the domain to an address where nothing answers is worse than allowing the request, since it has the same effect as blocking it.
  • What if a proxy is required at my organization to get to the Internet?
    • WanaCry has no proxy support: it makes a direct connection, so if a proxy is required to reach the Internet, the connection to the killswitch domain (as well as infection attempts against Internet hosts) will fail and the malware will proceed. In these situations, an administrator can create an internal DNS record for the killswitch domain that points to an internal web server, so that the killswitch check in WanaCry succeeds without a proxy.
  • What are all the bitcoin addresses being used for payment?
  • How can attacks like this be prevented?
    • The ability of malware to spread quickly through networks on its own is usually enabled by an unpatched vulnerability, and that is the case with WanaCry. Patching critical vulnerabilities that allow remote code execution (RCE) in a timely manner removes the foothold this kind of malware needs to spread. For WanaCry specifically, refer to the Microsoft bulletin MS17-010 for the relevant patch information.
    • Preventing direct access from the Internet to internal computer systems is another key mitigation. Systems exposed directly to the Internet are candidates for infections like WanaCry; in this case, allowing inbound SMB connections on TCP 445 from hosts on the Internet is what lets WanaCry spread into a network. Block TCP 139 and 445 at the perimeter unless there is a documented need for them.
    • For internal networks, splitting hosts into separate segments so that communication between segments is not wide open can slow or stop the spread of malware internally. This can be done with Access Control Lists (ACLs) on routers, firewall filtering, or even physical separation between networks; SMB in particular rarely needs to cross segment boundaries except to designated file servers. An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) between internal segments adds protection and visibility as well.
    • Updated antivirus software on every host can help against these kinds of infections too. AV may miss the initial detections while the malware is new, but applying updated signatures as they become available helps protect against it as time goes on.
  • Is anything known about who created/deployed WanaCry?
    • Officially there is not a specific actor or group that has been accused of creating or launching the WanaCry malware. There is currently speculation that North Korea may be behind it but the evidence is so far circumstantial.
  • If someone pays, do they actually get access to their files again?
    • There have been reports of people making the requested payment and receiving access to their files. However, just because this may have been the case with others, there are no guarantees that payment will yield access to the files encrypted by WanaCry.
  • My computer got infected, now what?
    • If a host has been compromised, we recommend the following steps:
      • 1) take the infected host offline (disconnect it from the network) so it cannot keep scanning and infecting other hosts
      • 2) rebuild it, or restore it from the latest backup known to be clean
      • 3) apply the Microsoft patch, MS17-010, before the host goes back online; an unpatched host can be reinfected over SMB as soon as it reconnects if other infected hosts remain on the network
      • 4) reconnect the host to the network
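
The spread question above says WanaCry fans out over SMB to internal and random Internet hosts. The following Python is an added example, not code from the original FAQ or from Honeypot Tech: it flags sources that touch many distinct hosts on TCP 139/445 within a short window, which is the behaviour a worm shows and ordinary file-share clients do not. The log lines, the space-separated log format, and the internal address ranges (RFC 1918) are constructed assumptions; a real firewall, NetFlow or Zeek `conn.log` export carries the same fields.

```python
# Added example, not part of the original FAQ: flag hosts that fan out over SMB
# (TCP 139/445) the way a worm does. The log below is constructed; a real
# firewall, NetFlow or Zeek conn.log export carries the same fields.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}

# Assumed internal address space (RFC 1918); adjust to the organization's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: "timestamp src dst dport". 10.0.0.5 behaves like a worm
# (many distinct targets, internal and Internet, within seconds); 10.0.0.7 and
# 10.0.0.9 look like ordinary file-share clients.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.13 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.14 445
2017-05-12T10:00:02 10.0.0.5 198.51.100.7 445
2017-05-12T10:00:02 10.0.0.5 203.0.113.9 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.15 139
2017-05-12T10:00:04 10.0.0.7 10.0.0.20 445
2017-05-12T10:00:05 10.0.0.7 10.0.0.20 445
2017-05-12T10:00:06 10.0.0.9 10.0.0.22 80
2017-05-12T10:00:09 10.0.0.9 10.0.0.21 445
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log(text):
    """Yield (timestamp, src, dst, dport) from the space-separated format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: (distinct_smb_targets, external_targets)} for every source
    that touches at least `threshold` distinct hosts on SMB ports within any
    `window`-long interval. Ordinary clients talk to a handful of file servers;
    a worm touches many addresses, a share of them on the Internet."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport in SMB_PORTS:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # sliding window start
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                external = sum(1 for dst in targets if not is_internal(dst))
                hits[src] = (len(targets), external)
                break
    return hits

if __name__ == "__main__":
    for src, (n, ext) in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets in 60s ({ext} on the Internet)")
```

The threshold and window are tuning knobs: a backup server or vulnerability scanner will legitimately exceed them, so exempt known scanners rather than raising the threshold until the worm slips under it. Counting Internet destinations separately is useful because a workstation should have no business opening SMB to random public addresses at all.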

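The two killswitch questions above (blocked domain, and proxy-only Internet access) both come down to one decision inside the malware: if a direct HTTP request to the killswitch domain gets a reply, it exits; if the request fails for any reason, it carries on. The Python below is an added example, not code from the original FAQ or from Honeypot Tech. It emulates that decision, stands up a minimal internal sinkhole web server of the kind an internal DNS record would point to, and runs both scenarios locally. Assumptions of this emulation: any HTTP reply counts as success, proxy settings are ignored as the FAQ states, and the hostnames and ports are placeholders, not the real killswitch domain.

```python
# Added example, not part of the original FAQ: emulate the killswitch decision
# and show why a blocked domain (or a mandatory proxy) lets the payload run,
# and why an internal DNS record pointing at a plain web server fixes it.
# Hostnames and ports here are placeholders, not the real killswitch domain.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def killswitch_check(host, port=80, timeout=2.0):
    """True = the malware would terminate: a direct HTTP GET to the domain got
    a reply. False = it would proceed to spread and encrypt: DNS failure,
    connection refused/dropped, or timeout. Like the malware, this ignores the
    system proxy settings and connects directly (assumption of this emulation:
    any HTTP reply, whatever its status code, counts as success)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        conn.getresponse()
        return True
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

class SinkholeHandler(BaseHTTPRequestHandler):
    """Minimal internal sinkhole: answer every GET so the check succeeds."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"killswitch sinkhole\n")

    def log_message(self, *args):   # keep the server quiet
        pass

def start_sinkhole(bind="127.0.0.1", port=0):
    """Start the sinkhole on a background thread; port 0 = pick a free port."""
    server = HTTPServer((bind, port), SinkholeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def closed_port():
    """A localhost port with nothing listening, standing in for a blocked domain
    or a direct connection that a proxy-only network refuses."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def simulate():
    """Run the two scenarios from the FAQ; True means the malware terminates."""
    sinkhole = start_sinkhole()
    sink_port = sinkhole.server_address[1]
    try:
        outcome = {
            # internal DNS record -> sinkhole answers -> malware exits
            "internal_sinkhole": killswitch_check("127.0.0.1", sink_port),
            # domain blocked / proxy required -> no reply -> malware proceeds
            "blocked_or_proxy_only": killswitch_check("127.0.0.1", closed_port()),
        }
    finally:
        sinkhole.shutdown()
        sinkhole.server_close()
    return outcome

if __name__ == "__main__":
    for scenario, terminates in simulate().items():
        print(f"{scenario}: {'terminates' if terminates else 'ENCRYPTS AND SPREADS'}")
```

In production the sinkhole is any internal web server reachable on TCP 80 from every client subnet, plus an A record for the killswitch domain in the internal DNS zone; check from a workstation that a plain HTTP request to the domain returns a response before relying on it, and make sure host firewalls and web filters do not drop that request on the way.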
Source: Honeypot Tech