Player 3 Has Entered the Game: Say Hello to 'WannaCry'
By Talos' Martin Lee, Warren Mercer,
Paul Rascagneres, and Craig Williams
May 15, 2017
A major ransomware attack has
affected many organizations across the world reportedly
in Spain, the
National Health Service
in the UK, and
in the US. The malware responsible for this attack is a
ransomware variant known as 'WannaCry'.
The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading in a worm-like fashion, compromising hosts, encrypting files stored on them and then demanding a ransom payment in the form of Bitcoin.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. The backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache recently made public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking
WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it also scans accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality and uses it to infect the system with WannaCry. In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.
Organizations should ensure that devices running Windows are
fully patched and deployed in accordance with best practices.
Additionally, organizations should have SMB ports (139, 445)
blocked from all externally accessible hosts.
Please note that this threat is still under active investigation; the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.
We observed an uptick in scanning of our internet-facing honeypots starting shortly before 5am EST
Cisco Umbrella researchers first observed requests for one of WannaCry's kill switch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 nearly 10
The domain composition looks almost human typed, with most characters falling into the top and home rows of a
This domain might be categorized as a kill switch domain due to its role in the overall execution of the
The above subroutine attempts an HTTP GET to this domain and, if it fails, continues to carry out the infection. If the request succeeds, however, the subroutine exits. The domain is registered to a well-known sinkhole, effectively causing this sample to terminate its malicious activity. The raw registration information reinforces this, as the domain was registered on 12 May 2017.
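The keyboard-row observation above can be checked directly. The following Python is an added example, not part of the original post: it classifies each character of the kill switch domain's label (quoted from the text above) by US QWERTY row and compares the top-plus-home share with the 19/26 share a uniformly random lowercase label would show.

```python
# US QWERTY rows; the observation above is that the kill switch domain's
# characters fall mostly on the top and home rows.
KEYBOARD_ROWS = {
    "number": set("1234567890"),
    "top": set("qwertyuiop"),
    "home": set("asdfghjkl"),
    "bottom": set("zxcvbnm"),
}

# For a label drawn uniformly from a-z, 19 of 26 letters sit on the top or
# home row, so roughly 0.73 is the baseline a random label would show.
RANDOM_BASELINE = 19 / 26

# The kill switch domain label quoted above, defanging brackets removed.
KILLSWITCH_LABEL = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"


def row_profile(label):
    """Count the characters of a domain label by keyboard row."""
    counts = {row: 0 for row in KEYBOARD_ROWS}
    counts["other"] = 0
    for ch in label.lower():
        for row, keys in KEYBOARD_ROWS.items():
            if ch in keys:
                counts[row] += 1
                break
        else:
            counts["other"] += 1
    return counts


def top_home_fraction(label):
    """Fraction of the label typed on the top or home row."""
    counts = row_profile(label)
    return (counts["top"] + counts["home"]) / max(len(label), 1)


if __name__ == "__main__":
    print(row_profile(KILLSWITCH_LABEL))
    print(f"top+home: {top_home_fraction(KILLSWITCH_LABEL):.3f} "
          f"(random baseline {RANDOM_BASELINE:.3f})")
```

For this label, 40 of 41 characters (all but the digit 9) sit on the top or home row, well above the random baseline.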
An initial file, mssecsvc.exe, drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to TCP port 445 of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported that this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.
The file tasksche.exe checks for disk drives, including network
shares and removable storage devices mapped to a letter, such as
'C:/', 'D:/' etc. The malware then checks for files with a file
extension as listed in the appendix and encrypts these using
2048-bit RSA encryption. While the files are being encrypted,
the malware creates a new file directory 'Tor/' into which it
drops tor.exe and nine dll files used by tor.exe. Additionally,
it drops two further files: taskdl.exe & taskse.exe. The former
deletes temporary files while the latter launches
@wanadecryptor@.exe to display the ransom note on the desktop to
the end user. The @wanadecryptor@.exe is not in and of itself
the ransomware, only the ransom note. The encryption is
performed in the background by tasksche.exe.
The tor.exe file is executed by @wanadecryptor@.exe. This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying its traffic through the Tor network.
Typical of other ransomware variants, the malware also deletes any shadow copies on the victim's machine in order to make recovery more difficult. It achieves this using WMIC.exe, vssadmin.exe and cmd.exe.
WannaCry also uses various methods to attempt to aid its execution, leveraging attrib.exe to set the +h (hidden) attribute and icacls.exe to grant full access rights to all users: "icacls . /grant Everyone:F /T /C /Q".
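The dropped files and mssecsvc2.0 service from the execution flow above, together with the shadow-copy deletion, icacls and attrib commands just described, give a defender concrete things to look for in endpoint telemetry. The following Python is an added example, not Talos code: it runs simple rules over constructed process-creation and service-install events; the event schema and the exact vssadmin/wmic command lines are assumptions, not taken from the post.

```python
import re
# Artifacts named in the analysis above: dropped executables and the created service.
WANNACRY_IMAGES = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe", "@wanadecryptor@.exe"}
WANNACRY_SERVICE = "mssecsvc2.0"

# Command-line patterns for the shadow-copy deletion, ACL and attribute changes
# described above, matched against a lower-cased command line.
CMDLINE_RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("icacls_everyone_full", re.compile(r"\bicacls(\.exe)?\b.*/grant\s+everyone:f\b")),
    ("attrib_hide", re.compile(r"\battrib(\.exe)?\b.*\+h\b")),
]

def triage(events):
    """Return (rule_name, event) pairs for every event matching a WannaCry behaviour."""
    hits = []
    for ev in events:
        if ev["type"] == "service_install":
            if ev["name"].lower() == WANNACRY_SERVICE:
                hits.append(("service_mssecsvc2.0", ev))
            continue
        # Compare only the file name so full paths in telemetry still match.
        image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in WANNACRY_IMAGES:
            hits.append(("known_dropped_file", ev))
        cmd = ev["cmdline"].lower()
        for name, pattern in CMDLINE_RULES:
            if pattern.search(cmd):
                hits.append((name, ev))
    return hits

def summarize(events):
    """Shadow-copy deletion plus ACL/attribute tampering is the staging pattern described above."""
    rules = {name for name, _ in triage(events)}
    shadow = any(r.startswith("shadow_copy_delete") for r in rules)
    tamper = bool(rules & {"icacls_everyone_full", "attrib_hide"})
    return {"rules": rules, "verdict": "ransomware staging" if shadow and tamper else "no verdict"}

# Constructed sample telemetry (not from a real infection); the vssadmin and
# wmic command lines are illustrative shadow-copy deletions.
SAMPLE_EVENTS = [
    {"type": "service_install", "name": "mssecsvc2.0", "image": "mssecsvc.exe"},
    {"type": "process", "image": r"C:\Windows\tasksche.exe", "cmdline": "tasksche.exe"},
    {"type": "process", "image": "attrib.exe", "cmdline": "attrib +h ."},
    {"type": "process", "image": "icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Running `summarize(SAMPLE_EVENTS)` on the constructed events yields six hits and the "ransomware staging" verdict; the benign notepad event alone produces none.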
The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whoever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.
After encryption is complete, the malware displays the following ransom note. One interesting aspect of this ransomware variant is that the ransom screen is actually an executable and not an image, HTA file, or text file.
Organizations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible, as paying the ransom directly funds the development of these malicious campaigns.
Organizations looking to mitigate the risk of becoming compromised should take the following steps:
- Ensure all Windows-based systems are fully patched. At a very minimum, ensure MS17-010 has been applied.
- In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.
Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR.
In addition to the mitigations listed above, Talos strongly encourages organizations to take the following industry-standard best practices to prevent attacks and campaigns like this one.
- Ensure your organization is running an actively supported operating system that receives security updates.
- Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely
- Run anti-malware software on your system and ensure you regularly receive malware
- Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the
Snort Rule: 42329-42332, 42340,
Open Source Snort Subscriber Rule Set customers can stay up to
date by downloading the latest rule pack available for purchase
Additional ways our customers can
detect and block this threat are listed below.
Advanced Malware Protection (AMP)
is ideally suited to prevent the execution of the malware used
by these threat actors.
WSA web scanning
prevents access to malicious websites and detects malware used
in these attacks.
The Network Security protection of
NGFW have up-to-date
signatures to detect malicious network activity by threat
AMP Threat Grid
helps identify malicious binaries and build protection into all
Cisco Security products.
prevents DNS resolution of the domains associated with malicious
Observed hash values