July 14, 2020

Blue Team Reactions to WannaCry

<<< I am making frequent updates to this post as information flows in. >>>


There is an exploit called ETERNALBLUE (CVE-2017-0145), which is believed to have been developed by the NSA (U.S. National Security Agency). ETERNALBLUE was leaked by the Shadow Brokers hacker group on 14 April 2017. It is used as part of the WannaCry ransomware attack that started on Friday 12 May 2017. The exploit utilizes SMB version 1 (SMBv1).

Check out this outbreak map over at malwaretech.com: https://intel.malwaretech.com/botnet/wcrypt/?t=1m&bid=all

Indicators of Compromise (IOCs)

  • Are there any calls to the Kill Switch domains for the earlier variants?
    • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com @ Fri12May2017
    • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com @ Mon15May2017
  • New variants have no Kill Switch now as seen in the OllyDbg screenshot below.

Network Team

  • Block TCP 445 from being exposed to the Internet. You should never allow it anyway.
  • The malware first checks whether it can reach specific websites. This is the KILL SWITCH and is needed to STOP the ransomware from running. If you have machines that are infected, they will check for these websites. LET THEM GO THERE !!! Do not block these kill switch domains.
    • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com @ Fri12May2017
    • http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com @ Mon15May2017
  • Make sure the “kill switch” domain and website are reachable from your network without a proxy. If not, set up an internal DNS sinkhole and redirect to an internal website. Do not block access to the website.
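As an added detection example (not part of the original post), the Python script below answers the IOC question above and checks the TCP 445 rule: it flags hosts that queried either kill-switch domain in DNS logs, and any allowed TCP 445 connection from a non-RFC 1918 source. The log line formats, sample lines and addresses are constructed assumptions, not a vendor's real format.

```python
import ipaddress
import re
from collections import defaultdict

# Kill-switch domains from the post; a host querying one has likely run the dropper: triage it, keep the domain reachable.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
# Assumed log formats (constructed for this example, not a vendor's real format):
#   DNS "<ts> client=<ip> query=<name>"   Firewall "<ts> ALLOW|DENY proto=tcp src=<ip> dst=<ip> dport=<n>"
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<name>\S+)")
FW_RE = re.compile(r"(?P<action>ALLOW|DENY) proto=tcp src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def hosts_querying_kill_switch(dns_lines):
    """Map client IP -> kill-switch domains it queried (candidates for IR triage)."""
    hits = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()   # strip trailing dot of FQDN form
        if name in KILL_SWITCH_DOMAINS:
            hits[m.group("client")].add(name)
    return dict(hits)

def internet_exposed_445(fw_lines):
    """List (src, dst) pairs where TCP 445 was ALLOWED from a non-RFC 1918 source."""
    exposed = []
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m or m.group("action") != "ALLOW" or m.group("dport") != "445":
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in INTERNAL_NETS):
            exposed.append((str(src), m.group("dst")))
    return exposed

# Constructed sample lines (203.0.113.0/24 is a documentation range, not a real peer).
SAMPLE_DNS = [
    "2017-05-12T10:01:02Z client=10.0.5.23 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    "2017-05-12T10:01:05Z client=10.0.5.40 query=update.example.com.",
]
SAMPLE_FW = [
    "2017-05-12T10:03:00Z ALLOW proto=tcp src=203.0.113.7 dst=10.0.1.10 dport=445",
    "2017-05-12T10:03:01Z DENY proto=tcp src=203.0.113.9 dst=10.0.1.10 dport=445",
    "2017-05-12T10:03:02Z ALLOW proto=tcp src=10.0.2.2 dst=10.0.1.10 dport=445",
]
```

A host listed by hosts_querying_kill_switch is a triage candidate, not a host to block; the exposure list is the set of firewall rules to fix.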

Server Team

  • Rapidly and aggressively apply the Microsoft patch for the MS17-010 SMB vulnerability @ 14Mar2017
  • Disable SMBv1
  • Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the update.
  • Email Gateways
    • Modify your spam filters to prevent phishing e-mails from reaching the end users and authenticate inbound e-mail using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
    • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Verify anti-malware is running the latest update.