The ransomware strain "Wanna Decryptor 2.0", aka "WannaCry", is currently on a devastating run: it has reportedly taken several NHS hospital networks in the United Kingdom offline, and other major organizations across Europe are reporting infections as well.
The JASK Labs team's initial research shows the actors have repurposed EternalBlue, the recently leaked (ShadowBrokers) exploit for the Microsoft SMBv1 vulnerability fixed by the MS17-010 patch. Note that this is not a zero-day: the patch predates the leak, so the exposure is unpatched hosts, not an unfixed flaw. Remember that EternalBlue purportedly originated as a leaked NSA offensive tool and has now been completely weaponized by criminal malware gangs for ransomware campaigns.
Here is a YouTube video showing the WannaCry ransomware in action:
If you recall from our earlier blog post, we did a fairly extensive run-down on EternalBlue and already offered coverage in our product for MS17-010 back when those details first emerged. Beginning today, JASK has added coverage for WannaCry in JASK Trident. ***UPDATE: WannaCry also installs the DoublePulsar backdoor on the hosts it exploits as it spreads, so a DoublePulsar implant on a host is itself an indicator of compromise.***
If you're wondering how WannaCry is getting into your network and exactly how it uses EternalBlue, see the following detailed breakdown:
The good news is that if you use JASK Trident, Tor detection and EternalBlue detection are default content. We detect Tor through analysis of network metadata rather than the typical approach of matching against exit-node IP lists. This is more accurate and requires no list updates, which is a real benefit: most other security products cannot or do not support this when detecting Tor.
If you are not currently a JASK user, we recommend you deploy the following Snort/Suricata rule (Emerging Threats sid 2024218, as shared by the IBM X-Force team) and watch for the IOCs related to WannaCry listed below. Two caveats when loading it: the rule only fires when the ETPRO.ETERNALBLUE flowbit has already been set by its companion request-side rule, so that rule must be loaded as well; and the "smb" protocol keyword in the header is Suricata syntax, so on Snort change it to "tcp" (port 445).
alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
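To make clear what the rule above is actually keying on, here is an added example (not JASK's code and not part of the original post) that re-implements its matching logic in Python and runs it over hand-built SMB1 ECHO packets. The first content is the NetBIOS length (0x31) plus the start of an SMB header for command 0x2B (ECHO) with the server-response flags; the second is the echo data "JlJmIhClBsr\0" that the EternalBlue exploit sends in its probe. The packet layouts, the flow state and the request-side flowbit setter are constructed assumptions, since the companion request rule is not on this page.

```python
"""Constructed re-implementation of the matching logic in ET sid 2024218.

Added example, not JASK's code and not an IDS engine. It models three rule
features on hand-built SMB1 ECHO packets: content with depth:16, a second
content with distance:0, and flowbits:isset. The request-side companion
rule is not on the page, so set_flowbit_on_request() is a simplified
assumption of what it does.
"""
from dataclasses import dataclass, field
from typing import Optional

# Byte patterns copied from the rule's two content: keywords.
# NetBIOS length 0x31, "\xffSMB", command 0x2B (ECHO), NT status 0, flags 0x98, flags2 0xC007.
ECHO_RESPONSE_HDR = bytes.fromhex("00000031ff534d422b000000009807c0")
# Echo data "JlJmIhClBsr\0" carried by the EternalBlue echo probe.
ECHO_DATA = bytes.fromhex("4a6c4a6d4968436c42737200")
FLOWBIT = "ETPRO.ETERNALBLUE"


@dataclass
class Flow:
    """Per-flow state the IDS keeps; flowbits live here, not on the packet."""
    client: str
    server: str
    flowbits: set = field(default_factory=set)


def content_match(payload: bytes, pattern: bytes, start: int = 0,
                  depth: Optional[int] = None) -> int:
    """Mimic `content` with optional `depth`: return the match offset or -1.

    depth limits the search to the first `depth` bytes from `start`, so a
    16-byte pattern with depth:16 can only match at offset 0.
    """
    region = payload[start:] if depth is None else payload[start:start + depth]
    idx = region.find(pattern)
    return -1 if idx < 0 else start + idx


def build_smb_echo(data: bytes, flags: int) -> bytes:
    """Constructed SMB1 ECHO packet: 4-byte NetBIOS header + 32-byte SMB header + body."""
    # WordCount=1, SequenceNumber=1, ByteCount=len(data), then the echo data.
    body = b"\x01" + b"\x01\x00" + len(data).to_bytes(2, "little") + data
    # PIDHigh, signature, reserved, TID, PID, UID, MID (values arbitrary for this example).
    hdr_tail = b"\x00\x00" + bytes(8) + b"\x00\x00" + b"\xff\xfe" + b"\xfe\xff" + b"\x00\x00" + b"\x40\x00"
    smb = b"\xffSMB" + b"\x2b" + b"\x00\x00\x00\x00" + bytes([flags]) + b"\x07\xc0" + hdr_tail + body
    return len(smb).to_bytes(4, "big") + smb


def set_flowbit_on_request(flow: Flow, payload: bytes) -> None:
    """Simplified stand-in for the companion request rule (an assumption, not the ET rule):
    a client-to-server SMB ECHO carrying the EternalBlue echo data sets the flowbit."""
    if payload[4:8] == b"\xffSMB" and payload[8] == 0x2B and ECHO_DATA in payload:
        flow.flowbits.add(FLOWBIT)


def match_echo_response(flow: Flow, payload: bytes) -> bool:
    """Return True when a server-to-client payload satisfies sid 2024218."""
    if FLOWBIT not in flow.flowbits:            # flowbits:isset,ETPRO.ETERNALBLUE
        return False
    first = content_match(payload, ECHO_RESPONSE_HDR, 0, depth=16)
    if first < 0:
        return False
    # distance:0 -> the second content must start at or after the end of the first match.
    return content_match(payload, ECHO_DATA, first + len(ECHO_RESPONSE_HDR)) >= 0


def run_scenarios() -> dict:
    """Three constructed flows showing when the rule fires and when it stays quiet."""
    results = {}

    # 1. EternalBlue-style probe: the request sets the flowbit, the echoed response fires.
    flow = Flow("10.0.0.5", "10.0.0.20")
    set_flowbit_on_request(flow, build_smb_echo(ECHO_DATA, flags=0x18))
    results["eternalblue_exchange"] = match_echo_response(flow, build_smb_echo(ECHO_DATA, flags=0x98))

    # 2. Identical response bytes, but no matching request was seen on this flow: flowbit unset.
    results["response_without_request"] = match_echo_response(
        Flow("10.0.0.5", "10.0.0.21"), build_smb_echo(ECHO_DATA, flags=0x98))

    # 3. Ordinary echo of the same length on a flagged flow: the header content matches,
    #    but the "JlJmIhClBsr" data is absent, so the second content fails and no alert fires.
    flow = Flow("10.0.0.5", "10.0.0.22")
    set_flowbit_on_request(flow, build_smb_echo(ECHO_DATA, flags=0x18))
    results["benign_echo_same_length"] = match_echo_response(
        flow, build_smb_echo(b"A" * 11 + b"\x00", flags=0x98))
    return results


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

The second scenario is the practical point of the flowbit caveat: if the request-side rule is not loaded, the flowbit is never set and the response rule stays silent even on a real exploitation attempt, so a quiet sensor is not evidence that the rule is working.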
We also recommend tracking Tor exit-node IPs as threat intel if that's the only viable way you can track Tor on your network; otherwise, reach out to our team to get a JASK sensor set up quickly to ensure coverage here.
The following WannaCry network IOCs were observed in AlienVault's OTX community and have been deployed to all JASK customers running Trident.