Fortinet – Critical Update: WannaCry Ransomware

re-post from Fortinet Blog 2017

Critical Update: WannaCry Ransomware

by RSS Aamir Lakhani  |  May 15, 2017  |  Filed in: Security Research

On May 12th, 2017 the ransomware WannaCry disrupted hundreds of organizations in dozens of countries. The ransomware encrypts personal and critical documents and files and demands approximately $300 USD in BitCoin currency for the victim to unlock their files.

It is important to note that Fortinet solutions successfully block this attack.

1. FortiGate IPS plugs the exploit

2. FortiSandbox detects the malicious behavior

3. Our AV engine detects the malware along with variants

4. Our Web filter identifies targeted sites and appropriately blocks or allows them

5. The FortiGate ISFW stops the spread of the malware

The worm-like behavior exhibited by this malware is due to an active probe for SMBv1 server port 445 on the local LAN searching for the presence of the Backdoor.Double.Pulsar. If the backdoor is present, the payload is delivered and executed through this channel. If not, a slightly less reliable exploitation route is taken.

For this reason, we are recommending that organizations (for now) block port 445 from the internet, or further, use NGFW capabilities to block the SMB protocol itself from the internet.

The malware is modular. This means that because it could grant the malicious actor super-user privileges on the infected device it would allow them to download additional malware and spoof URLs. In one case Fortinet observed, the malware first took advantage of vulnerability CVE-2017-0144 to gain access to the system. After that, a dropper was used to download ransomware that encrypts the files.

This vulnerability occurs because of an integer overflow when parsing a malformed Trans2 Request in the SMBv1 Server. Successful exploitation leads to code being executed in the context of the application. There is no need for authentication for this to be exploited, which has been key to the rapid onset of the outbreak in local area networks.

Backdoor.Double.Pulsar

If the malware senses that a system has the Backdoor.Double.Pulsar installed, it will try to download and execute the payload using this method. Interestingly, in some samples we analyzed we discovered an unused flag to disable the DoublePulsar.

The malware is encrypted inside a dropper for a DLL encrypted with an AES key. Once executed, the malware drops a file named “t.wry.” The malware then uses the embedded AES key to decrypt the DLL that, once in memory, is loaded into the parent process, thereby never exposing the malware to disk. This is a feature that evades some AV engines.

There is support for 179 filetypes, and a key is generated for each file.

On Saturday, May 13th, a security researcher discovered the kill-switch for this malware. It was a DNS check on a domain name that at the time was unregistered. Once registered, the malware perceived that the domain was alive and the infection was halted.

Outbound TOR

The malware downloads a TOR client and starts to communicate to C&C servers via TOR protocol. We recommended that you block outbound TOR traffic. You can accomplish this on FortiGate devices by using the AppControl signatures.

You do this by going to security profiles, application control, and selecting add signature under “Application Overrides.”

 

Then add the Tor protocol:

You can now see it is being blocked

Make sure you use your application policy in a firewall policy to ensure it is activated.

Inbound TOR

Although, not necessarily needed, you might want to also consider blocking incoming traffic originating from the TOR network. Incoming traffic originating from the TOR network looks like any other Internet traffic. However, the origination point occurs on TOR exit nodes. A list of well-known exit nodes is listed and updated in the Fortinet Internet Service Database. You can use this pre-built list in a firewall policy.

 

If the malware is allowed to communicate, it will try to connect to several malicious domains. The Fortinet web filtering engine categorizes these known domains as malicious, and if configured correctly should block these domains as part of your firewall policies.

Kill Switch

The malware stops if it finds that the domain “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” exists. While this domain originally did not exist, it does now as a malware researcher in the UK has registered it.

Note: Organizations that use proxies will not benefit from the kill switch. The malware is not proxy-aware, so it will not be able to connect to the kill-switch domain, and thus the malware will not be stopped.

For the kill switch to work the malware must be able to communicate with the kill switch domain. As it is in the best interest of having every opportunity to stop the malware, Fortinet has decided to not categorize the kill switch domain as malicious. However, reports as of May 14th, 2017 identified a version of the malware that bypasses the kill switch, making this an ineffective means of mitigation.

In fact, the kill switch now appears to be obsolete, as the attack is still ongoing and samples from these new waves include different domain names, or some don’t include a domain name kill switch at all.

Fortinet Protections to date

FortiGuard Labs is actively working with our CTA partners to share threat intelligence and ensure that all organizations have accurate information in order to ensure they are protected from this active threat.

Fortinet provides two primary IPS signatures to detect against the attack. They are:

MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution

(released March 14th, 2017, updated May 10th, 2017)

Backdoor.Double.Pulsar

(released February 27th, 2017, updated May 1st, 2017)

Anti-Malware

Fortinet Anti-Malware/Anti-Virus engines have smart signatures enabled to detect the malware, along with behavior-based models to detect possible new variants.

The AV signatures are:

W32/Agent.AAPW!tr

W32/CVE_2017_0147.A!tr

W32/Farfli.ATVE!tr.bdr

W32/Filecoder_WannaCryptor.B!tr

W32/Filecoder_WannaCryptor.D!tr

W32/Gen.DKT!tr

W32/Gen.DLG!tr

W32/GenKryptik.1C25!tr

W32/Generic.AC.3EF991!tr

W32/Scatter.B!tr

W32/Wanna.A!tr

W32/Wanna.D!tr

W32/WannaCryptor.B!tr

W32/WannaCryptor.D!tr

W32/Zapchast.D!tr

Please note, some AV signatures require FortiGate devices to be configured using the extended antivirus definitions. In your FortiGate device you will want to select system, FortiGuard, and then enable extended AV and Extended IPS if available. Don’t worry if it is not. Many of our devices use this as the default option.

If the malware is allowed to execute, the malware will run the command icacls . /grant Everyone:F /T /C /Q  ,which gives full permissions to all files and folders where the malware is stored. Additionally, the malware clears windows shadow copies, disables Windows startup recovery, and clears the Windows Server Backup history.

After that, the encryptor will execute and make the files inaccessible. Once the ransomware executes, users get a similar warning message to the one shown below.

The ransomware will also drop a file named !Please Read Me!.txt with further instructions. The name of the file may change slightly with each infection.

The quick and easy money opportunity provided by ransomware makes it easy to see why it remains extremely profitable for attackers. How many users are paying the ransom? It is difficult to tell, because malware authors use multiple Bitcoin wallets to hide their tracks and are continuously transferring Bitcoins to and from these wallets.

Once infected, victims can try and recover their files through backups or other methods or pay the ransom. Below are links to three blockchain sites that gives some indication of the ransoms that have been collected. At the time of writing, the value of 1 Bitcoin equivalent to $1,784.90.

 

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Total Received: 9.41458497 BTC

 

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Total Received: 5.17934856 BTC

 

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Total Received: 7.1629281 BTC

 

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Total Received: 1.09469717 BTC

 

With just these three wallets linked to Wannacry, the ransomware has collected over $38, 833.82 USD from victims.

 

Finding the Malware

The Fortinet security fabric can greatly assist organizations in tracking down this malware and understanding where it may have infected the organization.

 

IOCs:

 

Observed C&C IPs

188[.]166[.]23[.]127:443

193[.]23[.]244[.]244:443

2[.]3[.]69[.]209:9001

146[.]0[.]32[.]144:9001

50[.]7[.]161[.]218:9001

217.79.179[.]77

128.31.0[.]39

213.61.66[.]116

212.47.232[.]237

81.30.158[.]223

79.172.193[.]32

89.45.235[.]21

38.229.72[.]16

188.138.33[.]220

 

Observed hash values SHA-256

0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494
593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af
5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec
5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7
7108d6793a003695ee8107401cfb17af305fa82ff6c16b7a5db45f15e5c9e12d
76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff
7e369022da51937781b3efe6c57f824f05cf43cbd66b4a24367a19488d2939e4
9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640
9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13
9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977
a3900daf137c81ca37a4bf10e9857526d3978be085be265393f98cb075795740
aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c
b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7
b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0
b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8
d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696
e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079
e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb
f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494