[SingCERT] Technical Advisory for System Administrators on "WannaCry Ransomware"

Published on Monday, 15 May 2017 21:56

Background
On 12th May 2017, there was a global wide-spread infection of a ransomware known as "WannaCry", aka. WanaCrypt0r. This ransomware exploits a known critical Microsoft Windows Server Message Block 1.0 (SMB) vulnerability (MS17-010), which allows remote code execution, providing a worm-like capability to propagate through a network by scanning for vulnerable systems and infecting them. It then encrypts files on the system, and extorts a bitcoin ransom in exchange for the decryption of files.

This advisory serves to provide system administrators with technical information to safeguard their networks against this cyber threat.

How to Minimise Risk of Being Infected by WannaCry Ransomware?
In addition to the common best IT security practices such as ensuring latest security patches, updating of AV signatures, non-privilege access to users, and end users’ education, below are additional specific measures to mitigate against the WannaCry Ransomware threat.

Do note that as there are many variants of WannaCry ransomware (and it is still evolving), no one method may be sufficient to ensure that you are fully protected.

Prevention of Spreading From Internal Network

  1. Ensure all Microsoft computers are patched to MS17-010-Critical security patches.

  2. If possible, disable Remote Desktop Protocol (RDP) and Server Message Block (SMB) protocol. Where disabling is not possible, ensure that the RDP access control is secure (i.e. only restrict RDP from specific Out-Of-Band (OOB) network).

  3. There are some variants of WannaCry which have a “kill-switch” feature. Hence it is not recommended to block the network Indicators of Compromise (IOC), because they will spread/infect if the network connection is block.
Prevention of Infection From External Network (i.e. Internet)
  1. Ensure that the perimeter firewalls block unsolicited traffic (including port 445) from the Internet.

  2. The following network IPS (for the respective products) are available for blocking at the perimeter. If you are not using any of the below products, please check with your vendor on the availability of IPS signatures relating to WannaCry.

  3. SourceFire:
    1. SID 42329 - MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response
    2. SID 42330 – MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response
    3. SID 42331 – MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command
    4. SID 42332 – MALWARE-CNC Win.Trojan.Doublepulsar variant ping command
    5. SID 42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt
    6. SID 41978 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt

    McAfee Intrushield:
    1. Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
    2. Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
    3. Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
    4. Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
    5. Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)
    6. NETBIOS-SS: MS17-010 EternalBlue SMB Remote Code Execution
    7. NETBIOS-SS: SMB DoublePulsar Unimplemented Trans2 Session Setup Subcommand Request
Endpoints Protection
  1. Apply application white-listing where available/possible. For example, Microsoft Windows OS (Windows 7 / 2008 and above) has AppLocker which allows application white-listing.
What Should You Do If You Are Hit by WannaCry Ransomware?
If you suspect that your computer is infected with WannaCry, you may want to do the following:
  1. Disconnect the computer from all network, including internet and internal network.

  2. If possible, do not shutdown/reboot the affected computer.

  3. Unplug all USB connected devices from the affected computer.

  4. If your backup devices (i.e. NAS, SAN, portable HDD) are connected to the same “affected network” as the computer, it is strongly advised that you quickly disconnect from the network (where possible).
Shift your attention to the other systems in the same network, which may have also been affected by the ransomware.
  1. If you find more systems affected, similarly perform same steps in steps 1 to 3.

  2. For all Windows Systems, quickly apply the critical security patch (MS17-010-Critical). Disable RDP and SMB services if possible. This will minimise chances of infection from further spreading within your network.
For the infected machines,
  1. Perform memory acquisition of the running computer, which MAY allow forensics analyst to have a chance of recovering the files.

  2. Re-image the machine with a full format and re-installation of the OS.
    1. There are some online “tutorials” on how to manually remove the WannaCry ransomware. For example, by starting the machine in “safe” mode, manually deleting the malware, and restoring the original files from Windows’ “Restore previous versions” feature.

    2. Whether these methods work or not will depend on the variant of the WannaCry, and windows OS version.

  3. Finally restore information from backup.