Vous êtes sur la page 1sur 19

2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

SoftwareCommunities
Vulnerability
Reputation
Support Center
Information

Software BACK
F R I D AY, M AY 1 2 , 2 0 1 7

Vulnerability Information Vulnerability


Email
Snort Community
& Web Reports
TraŘc Reputation
Player 3 Has Entered the Game: Say Hello to 'WannaCry'
Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Reputation Center
This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.
Razorback
IP
Project
Blacklist
AspisDownload

Library Daemonlogger
AWBO
SpamCop
Exercises

Mo⸰�ow
Support Communities

PE-Sig
About
Immunet

Careers Teslacrypt Decryption Tool

MBR Filter
Blog
FIRST

LockyDump

E X E C U T I V E S U M M A RY FreeSentry

A major ransomware attack has affected manyTools


Flokibot organizations across the world reportedly
including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The
malware responsible for this attack is aSynful Knock Scanner
ransomware variant known as 'WannaCry'.

Cisco Smart Install Scanner


The malware then has the capability to scan heavily over TCP port 445 (Server Message
Block/SMB), spreading similar to a worm, compromising hosts, encrypting Řles stored on them
ROPMEMU
then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a
threat that simply scans internal ranges to identify where to spread, it is also capable of
spreading based on vulnerabilities it Řnds in other externally facing hosts across the internet.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a
persistent backdoor that is generally used to access and execute code on previously
compromised systems. This allows for the installation and activation of additional software,
such as malware. This backdoor is typically installed following successful exploitation of SMB
vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is
associated with an offensive exploitation framework that was released as part of the Shadow
Brokers cache that was recently released to the public. Since its release it has been widely
analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry does not appear to be only be leveraging the ETERNALBLUE modules associated with
this attack framework, it is simply scanning accessible servers for the presence of the
http://blog.talosintelligence.com/2017/05/wannacry.html 1/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
this attack framework, it is simply scanning accessible servers for the presence of the
DOUBLEPULSAR backdoor. In cases where it identiŘes a host that has been implanted with this
Software
Vulnerability
Reputation
Support
backdoor, it simply leverages the existing backdoorCommunities
Center
Information
functionality available and uses it to infect
the system with WannaCry. In cases where the system has not been previously compromised
and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial
Software BACK
exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been
widely observed across the internet.
Vulnerability Information Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation

Organizations should ensure that devices


AMP running
Microsoft
ClamAVThreat Windows
Community
Advisories are fully patched and deployed in
Naming Conventions
accordance
Reputation with best practices. Additionally, organizations should have SMB ports (139, 445)
Center
blocked from all externally accessible hosts.
Razorback
IP
Project
Blacklist
AspisDownload

Library Daemonlogger
AWBO
SpamCop Exercises the situation may change as we learn
Please note this threat is still under active investigation,
more or as our adversary responds to our actions. Talos will continue to actively monitor and
Mo⸰�ow
Support
analyzeCommunities
this situation for new developments and respond accordingly. As a result, new coverage
may be developed or existing coveragePE-Sig
adapted and/or modiŘed at a later date. For current
information, please refer to your Firepower Management Center or Snort.org.
About
Immunet

Careers Teslacrypt Decryption Tool


C A M PA I G N D E TA I L S
We observed an uptick in scanning of our internet facing honeypots starting shortly before 5am
MBR Filter
EST (9am UTC).
Blog
FIRST

LockyDump

FreeSentry

Flokibot Tools

Synful Knock Scanner

Cisco Smart Install Scanner

ROPMEMU

I N F R A S T R U C T U R E A N A LY S I S
Cisco Umbrella researchers Řrst observed requests for one of WannaCry's killswitch domains
(iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak
of just over 1,400 nearly 10 hours later.

http://blog.talosintelligence.com/2017/05/wannacry.html 2/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

SoftwareCommunities
Vulnerability
Reputation
Support Center
Information

Software BACK

Vulnerability Information Vulnerability


Email
Snort Community
& Web Reports
TraŘc Reputation

Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Reputation Center
The domain composition looks almostProject
Razorback
IP Blacklist
human AspisDownload
typed, with most characters falling into the top
and home rows of a keyboard.
Library Daemonlogger
AWBO
SpamCop
Exercises

Communication to this domain might be categorized as a kill switch domain due to its role in the
Mo⸰�ow
Support Communities
overall execution of the malware:
PE-Sig
About
Immunet

Careers Teslacrypt Decryption Tool

MBR Filter
Blog
FIRST

LockyDump

FreeSentry
The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out
Flokibot Tools
the infection. However if it succeeds, the subroutine exits. The domain is registered to a well
known sinkhole, effectively causing this sample
Synful to terminate
Knock Scanner its malicious activity.

Cisco Smart Install Scanner

ROPMEMU

The raw registration information re-enforces this as it was registered on 12 May 2017:

http://blog.talosintelligence.com/2017/05/wannacry.html 3/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

SoftwareCommunities
Vulnerability
Reputation
Support Center
Information

Software BACK

M A LWA R E A N A LY S I S
Vulnerability Information Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
An initial Řle mssecsvc.exe drops and executes the Řle tasksche.exe. The kill switch domain is
then checked. Next, the service mssecsvc2.0
AMP
ClamAV isCommunity
Microsoft created.
Threat
Advisories
Naming This service executes the Řle
Conventions
Reputation Center
mssecsvc.exe with a different entry point than the initial execution. This second execution
Razorback
IP
Project
Blacklist
checks the IP address of the infected machine Aspis
andDownload
attempts to connect to port 445 TCP of each
IP address in the same subnet. When the malware successfully connects to a machine, a
Library Daemonlogger
AWBO
SpamCopExercises
connection is initiated and data is transferred. We believe this network traŘc is an exploit
payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed
Mo⸰�ow
Support Communities
by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB
traŘc, and exactly what conditions need to be present for it to spread using this method.
PE-Sig
About
Immunet
The Řle tasksche.exe checks for disk drives, including network shares and removable storage
devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for Řles with a Řle
Careers Teslacrypt Decryption Tool
extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the
Řles are being encrypted, the malware MBRcreates a new Řle directory 'Tor/' into which it drops
Filter
Blog
tor.exe and nine dll Řles used by tor.exe. Additionally, it drops two further Řles: taskdl.exe &
FIRST
taskse.exe. The former deletes temporary Řles while the latter launches @wanadecryptor@.exe
to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in
LockyDump
and of itself the ransomware, only the ransom note. The encryption is performed in the
background by tasksche.exe.
FreeSentry

The tor.exe Řle is executed by @wanadecryptor@.exe.


Flokibot Tools This newly executed process initiates
network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by
Synful Knock Scanner
proxying their traŘc through the Tor network.

Cisco Smart Install Scanner


Typical of other ransomware variants, the malware also deletes any shadow copies on the
victim's machine in order to make recovery more diŘcult. It achieve this by using WMIC.exe,
ROPMEMU
vssadmin.exe and cmd.exe.

WannaCry uses various methods to attempt to aid its execution by leveraging both attrib.exe to
modify the +h ⸰�ag (hide) and also icacls.exe to allow full access rights for all users, "icacls .
http://blog.talosintelligence.com/2017/05/wannacry.html 4/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
modify the +h ⸰�ag (hide) and also icacls.exe to allow full access rights for all users, "icacls .
/grant Everyone:F /T /C /Q"

SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
The malware has been designed as a modular service. It appears to us that the executable Řles
associated with the ransomware have been written by a different individual than whomever
Software
developed the service module. Potentially, thisBACK
means that the structure of this malware can be
used to deliver and run different malicious payloads.
Vulnerability Information Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
After encryption is complete, the malware displays the following ransomware note. One
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
interesting aspect of this ransomware variant is that the ransom screen is actually an executable
Reputation Center
and not an image, HTA Řle, or text Řle.
Razorback
IP
Project
Blacklist
AspisDownload

Library Daemonlogger
AWBO
SpamCop
Exercises

Mo⸰�ow
Support Communities

PE-Sig
About
Immunet

Careers Teslacrypt Decryption Tool

MBR Filter
Blog
FIRST

LockyDump

FreeSentry

Flokibot Tools

Synful Knock Scanner

Cisco Smart Install Scanner

ROPMEMU
Organisations should be aware that there is no obligation for criminals to supply decryption keys
following the payment of a ransom. Talos strongly urges anyone who has been compromised to
avoid paying the ransom if possible as paying the ransom directly funds development of these
malicious campaigns.

M I T I G AT I O N A N D P R E V E N T I O N
Organizations looking to mitigate the risk of becoming compromised should follow the following
recommendations:

Ensure all Windows-based systems are fully patched. At a very minimum, ensure
Microsoft bulletin MS17-010 has been applied.
In accordance with known best practices, any organization who has SMB publically
accessible via the internet (ports 139, 445) should immediately block inbound traŘc.

http://blog.talosintelligence.com/2017/05/wannacry.html 5/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR
traŘc on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR
networks.
Software BACK

In addition to the mitigations listed above, Talos strongly encourages organizations take the
following industry-standard
Vulnerability Information recommendedVulnerability
Email
Snort Community
& Web
best Reports
TraŘc Reputation
practices to prevent attacks and campaigns like
this and similar ones.
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
Reputation Center
Ensure your organization is running
IP an actively
Razorback
Project
Blacklist
Aspis supported operating system that
Download
receives security updates.
Library Daemonlogger
AWBO
SpamCop
Have effective patch management that Exercises
deploys security updates to endpoints and
other critical parts of your infrastructure in a timely manner.
Mo⸰�ow
Support Communities
Run anti-malware software on your system and ensure you regularly receive malware
signature updates.
PE-Sig
About Implement a disaster recovery plan that includes backing up and restoring data from
devices that are kept o跸�ine. Adversaries
Immunetfrequently target backup mechanisms to
limit the possibilities a user may be able to restore their Řles without paying the
Careersransom. Teslacrypt Decryption Tool

CO V E R A G E MBR Filter
Snort Rule: 42329-42332, 42340, 41978
Blog
FIRST
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest
LockyDump
rule pack available for purchase on Snort.org.

FreeSentry
Additional ways our customers can detect and block this threat are listed below.

Flokibot Tools
Advanced Malware Protection
Synful Knock Scanner (AMP) is ideally suited to prevent
the execution of the malware used
Cisco Smart Install Scanner
by these threat actors.

ROPMEMU
CWS or WSA web scanning
prevents access to malicious
websites and detects malware
used in these attacks.

The Network Security protection


of IPS and NGFW have up-to-date
signatures to detect malicious
network activity by threat actors.

AMP Threat Grid helps identify


malicious binaries and build
protection into all Cisco Security
products.

http://blog.talosintelligence.com/2017/05/wannacry.html 6/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Umbrella prevents DNS resolution of the domains associated with malicious activity.

SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
IoCs
Software BACK
File names
Vulnerability Information Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
b.wnry
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622
Reputation Center
c.wnry
Razorback
IP
Project
Blacklist
Aspis
Download
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry
Library Daemonlogger
AWBO
SpamCop Exercises
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
Mo⸰�ow
taskdl.exe
Support Communities
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
PE-Sig
taskse.exe
About
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
Immunet
t.wnry
Careersb9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
Teslacrypt Decryption Tool
u.wnry
MBR Filter
Blog
CnC IPs FIRST
188[.]166[.]23[.]127:443
LockyDump
193[.]23[.]244[.]244:443
2[.]3[.]69[.]209:9001 FreeSentry
146[.]0[.]32[.]144:9001 
50[.]7[.]161[.]218:9001 Flokibot Tools

217.79.179[.]77
Synful Knock Scanner
128.31.0[.]39
213.61.66[.]116 Cisco Smart Install Scanner
212.47.232[.]237
ROPMEMU
81.30.158[.]223
79.172.193[.]32
89.45.235[.]21
38.229.72[.]16
188.138.33[.]220

Observed hash values


ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
http://blog.talosintelligence.com/2017/05/wannacry.html 7/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
Software
a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
BACK
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
Vulnerability Information
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
Reputation Center
7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
Razorback
IP
Project
Blacklist
AspisDownload
a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
Library Daemonlogger
AWBO
SpamCopExercises
fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
Mo⸰�ow
Support Communities
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
PE-Sig
About 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
Immunet

Careers Teslacrypt Decryption Tool

Appendix MBR Filter


Blog
List of Řle names encrypted by the ransomware:
FIRST

LockyDump

.der, .pfx, .key, .crt, .csr, FreeSentry


.p12, .pem, .odt, .sxw, .stw, .3ds, .max,
.3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3,
.sqlitedb, .sql, .accdb, .mdb, .dbf,Tools
Flokibot .odb, .mdf, .ldf, .cpp, .pas, .asm,
.cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav,
.swf, .fla, .wmv, .mpg, .vob, Synful
.mpeg, .asf,
Knock .avi, .mov, .mp4, .mkv, .flv,
Scanner
.wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp,
.jpg, .jpeg, .iso, .backup, .zip,
Cisco .rar, .tgz,Scanner
Smart Install .tar, .bak, .ARC, .vmdk,
.vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt,
.msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx,
ROPMEMU
.xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm,
.docx, .doc,

P O S T E D B Y A L E X A N D E R C H I U AT 6 : 0 9 P M
L A B E L S : C O V E R A G E , M A LWA R E R E S E A R C H , M S 1 7- 0 1 0 , R A N S O M WA R E

SHARE THIS POST

43 COMMENTS:

LESLIE ADAMS MAY 12,


http://blog.talosintelligence.com/2017/05/wannacry.html 2017 AT 6:32 PM 8/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

LESLIE ADAMS MAY 12, 2017 AT 6:32 PM

Cracking bit of work guys :) Support Communities


Software
Vulnerability
Reputation Center
Information
Reply
Software BACK

Vulnerability Information
SIMPLE#CSS Vulnerability
Email
Snort
MAY 12, 2017 AT 6:38 Community
& Web Reports
PM TraŘc Reputation

Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Are you guys aware of Meraki's coverage of this threat?
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload
Reply
Library SpamCop
Daemonlogger
AWBO Exercises
Replies
Mo⸰�ow
Support Communities
CRAIG WILLIAMS MAY 13, 2017 AT 8:48 AM
PE-Sig
About Meraki's security devices run snort, AMP, and Umbrella, the coverage is outlined
above. Immunet

Careers Teslacrypt Decryption Tool


Reply
MBR Filter
Blog
FIRST

LockyDump
MAIQUEL MAY 12, 2017 AT 6:44 PM
FreeSentry
Nice post.
Tks. Flokibot Tools

Reply Synful Knock Scanner

Cisco Smart Install Scanner

UNKNOWN MAY 12, 2017 AT 7:34 PM


ROPMEMU

Wunderbar !

Reply

UNKNOWN MAY 12, 2017 AT 7:34 PM

Wunderbar !

Reply

PABLO SEBASTIÁN VELAZCO MAY 12, 2017 AT 7:50 PM

Excellent post, thank you.


http://blog.talosintelligence.com/2017/05/wannacry.html 9/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
Excellent post, thank you.

Reply Support Communities


Software
Vulnerability
Reputation Center
Information

Software BACK
ABOOD NOUR MAY 12, 2017 AT 7:52 PM

BestInformation
Vulnerability analysis so far! Thanks! Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation

Reply ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload

Library CERBDOG MAY 12, 2017 AT 8:35SpamCop


PM
Daemonlogger
AWBO Exercises

That was an interesting read. Thanks


Mo⸰�owfor digging into it and posting for us.
Support Communities
Reply PE-Sig
About
Immunet
K P MAY 12, 2017 AT 9:07 PM
Careers Teslacrypt Decryption Tool
Well done!
MBR Filter
Blog
Reply
FIRST

LockyDump
MARIONFSU MAY 12, 2017 AT 9:32 PM
FreeSentry
Always articulate!
Flokibot Tools
Reply
Synful Knock Scanner

ADAM ZUBER MAY 12, 2017 AT Cisco


10:50 Smart
PM Install Scanner

ROPMEMU
Great work!

Reply

ALEJO MAY 12, 2017 AT 11:18 PM

Excelent reverse engineering work

Reply

AGUNLETI ALIU MAY 13, 2017 AT 12:50 AM

Excellent analysis. Thumbs up guys.

http://blog.talosintelligence.com/2017/05/wannacry.html 10/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Reply

Support Communities
Software
Vulnerability
Reputation Center
Information
TIM WOOLFORD MAY 13, 2017 AT 1:39 AM
Software BACK
Can you elaborate why a CCC ToR authority network address is in the CnC list above?
(second
Vulnerability entry, 193.23.244.244)Snort
Information Vulnerability
Email Community
& Web Reports
TraŘc Reputation

Reply ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Replies Project
Razorback
IP Blacklist
AspisDownload

Library
WARREN MERCER MAYSpamCop
Daemonlogger
AWBO Exercises
13, 2017 AT 2:59 PM

Mo⸰�ow
Support Communities
Hi Tim,

PE-Sig
The CCC Tor authority is indeed a CCC node, however, it is part of the indicators
About
associated with our samples.
ImmunetThe Tor nodes are all Tor nodes used throughout
our analysis. It's also fair to say these could be speciŘc to us as, I am sure you
Careers know, the Tor nodes areTeslacrypt Decryption
not something a userTool
can conŘgure.

MBR Filter
Blog In short - we publish all related IOCs. More information is good information.
FIRST
Reply
LockyDump

FreeSentry

Flokibot Tools
JT TWOTEDS MAY 13, 2017 AT 2:00 AM
Synful Knock Scanner
Thanks for a great article.
Cisco Smart Install Scanner

What are the attack vectors? The guardian said one vector was email. Is ESA providing
ROPMEMU
any protection?

Reply

Replies

CRAIG WILLIAMS MAY 13, 2017 AT 9:55 AM

A likely point of confusion was the Jaff ransomeware, another new type of
ransomware (so 2 new types in 2 days) that did spread via email, used the
same executable name. It’s possible this lead some folks to the wrong
conclusion. Many sites are including pictures of emails that are clearly Jaff. It’s
also possible we’ve not seen everything yet but only time will tell. As we state in
the blog it’s an ongoing investigation.

http://blog.talosintelligence.com/2017/05/wannacry.html 11/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Reply
Support Communities
Software
Vulnerability
Reputation Center
Information

Software BACK

JAMES ARNOLD WAITHE MAY 13, 2017 AT 2:10 AM


Vulnerability Information Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
Amazing analysis, Thanks
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Reply
Project
Razorback
IP Blacklist
AspisDownload

Library Daemonlogger
AWBO
SpamCop
Exercises
MOONSPIRIT MAY 13, 2017 AT 2:51 AM
Mo⸰�ow
Support Communities
Would the malware use the proxy server conŘgured on the host to check the "kill switch"
website? or would it need directPE-Sig
access for name resolution + a HTTP GET request?
About
Reply Immunet

Careers Teslacrypt Decryption Tool


Replies
MBR Filter
Blog CRAIG WILLIAMS MAY 13, 2017 AT 10:12 AM

FIRST
No. If a proxy is required this will effectively break the current kill switch.
LockyDump

Reply
FreeSentry

Flokibot Tools

Synful Knock Scanner


BF MAY 13, 2017 AT 3:01 AM
Cisco Smart Install Scanner
Keep posting, good job.
ROPMEMU

Reply

JORIBEIR MAY 13, 2017 AT 3:34 AM

Great post! Kudos to you!

Reply

LUCIANO PATRÃO MAY 13, 2017 AT 4:22 AM

Great post, great work.

Reply
http://blog.talosintelligence.com/2017/05/wannacry.html 12/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
Reply

Support Communities
Software
Vulnerability
Reputation Center
Information
BOBW MAY 13, 2017 AT 4:40 AM

SoftwareThe registering of the domain to kill the


BACK
spread of the virus was the work of someone at a
Malware company - see
Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
https://www.theguardian.com/technology/2017/may/13/accidental-hero-Řnds-kill-
Vulnerability Information
switch-to-stop-spread-of-ransomware-cyber-attack
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
Reputation Center
Reply
Razorback
IP
Project
Blacklist
AspisDownload

Library Daemonlogger
AWBO
SpamCop
Exercises
PACKET84 MAY 13, 2017 AT 4:46 AM
Mo⸰�ow
Support Communities
Great effort, good work getting to the weeds of this.
PE-Sig
About Reply
Immunet

Careers
RON SOM MAY 13, 2017 AT 4:56Teslacrypt
AM Decryption Tool

MBR Filter
Blog Great post, excellent work!!

FIRST
Reply
LockyDump

UNKNOWN MAY 13, 2017 AT 6:21 AM


FreeSentry

Flokibot
Great analysis but you may want Tools the kill switch domain name. If not, lots of
to withdraw
people reading your page may be tempted to query it, polluting all the maps that are
keeping track of the infection ...Synful Knock
just my 0.5 Scanner

Cisco Smart Install Scanner


Reply

ROPMEMU
Replies

CRAIG WILLIAMS MAY 13, 2017 AT 11:49 AM

Thanks but we want it in there so people understand what to allow.

Reply

JOSEPH DONOVAN MAY 13, 2017 AT 7:05 AM

Bravo!

http://blog.talosintelligence.com/2017/05/wannacry.html 13/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Reply

Support Communities
Software
Vulnerability
Reputation Center
Information
HERMES ROMERO MAY 13, 2017 AT 7:13 AM
Software BACK
good job guys!
Vulnerability Information Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
Reply
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
DIMITRIOS STERGIOU MAY 13, Project
Razorback
IP Blacklist
2017 ATAspisDownload
8:43 AM
Library Daemonlogger
AWBO
SpamCopExercises
This was extremely informative, thanks for the write-up

Mo⸰�ow
Support Reply
Communities

PE-Sig
About
MUSSIPEDIA MAY 13, 2017 AT 9:15 AM
Immunet

Careers Great Analysis Teslacrypt Decryption Tool

Reply MBR Filter


Blog
FIRST
ING. ORLANDO HERNANDEZ CRUZ MAY 13, 2017 AT 11:41 AM
LockyDump

Good job guys, great post. Congrats.


FreeSentry

Reply Flokibot Tools

Synful Knock Scanner


BTELLEZ MAY 13, 2017 AT 11:47 AM
Cisco Smart Install Scanner
Umbrella is currently blocking the kill switch. Should it be allowed?
ROPMEMU
Reply

Replies

CRAIG WILLIAMS MAY 13, 2017 AT 11:48 AM

No it's designed so the killswitch still functions.

Reply

EDIN SULJEVIC MAY 13, 2017 AT 12:32 PM


http://blog.talosintelligence.com/2017/05/wannacry.html 14/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
EDIN SULJEVIC MAY 13, 2017 AT 12:32 PM

Hi,
Support Communities
Software
Vulnerability
Reputation Center
Information
Any reason why WSA is blocking kill switch domain?
Software BACK
Edin
Vulnerability Information Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
Reply
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Replies
Project
Razorback
IP Blacklist
AspisDownload
CRAIG WILLIAMS MAY 13, 2017 AT 1:50 PM
Library Daemonlogger
AWBO
SpamCopExercises
The WSA operates as a proxy so it isn't going to work anyway, the call out will
not use proxies. Mo⸰�ow
Support Communities

PE-Sig
About Reply
Immunet

Careers Teslacrypt Decryption Tool

MBR Filter
Blog KRYPTON MAY 13, 2017 AT 2:09 PM
FIRST
Workaround for proxy networks (which have cisco routers) - adjust - DHCP scope to point
to GW for DNS: LockyDump

FreeSentry
ip dns server
ip name-server Flokibot Tools
ip dns primary ns.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com soa
admin.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Synful Knock Scanner 21600 900 7776000 86400
86400
Cisco Smart Install Scanner
ip host www.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

ROPMEMU
Reply

0X34H MAY 13, 2017 AT 2:31 PM

Awesome analysis, thank you

Reply

ALICE MAY 13, 2017 AT 2:41 PM

Every single one of the IP addresses listed as cnc servers are actually just tor relays with
the exception of one typo and two IP addresses for torproject.org for downloading tor.

Reply
http://blog.talosintelligence.com/2017/05/wannacry.html 15/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
Reply

Replies Support Communities


Software
Vulnerability
Reputation Center
Information
WARREN MERCER MAY 13, 2017 AT 3:10 PM
Software BACK
Hi Alice,
Did you not bring Bob toSnort
Vulnerability Information backCommunity
&up your
Vulnerability
Email Web story?
Reports
TraŘc :)
Reputation
Seriously though - the malware used Tor nodes to proxy their traŘc. It's entirely
Microsoft
AMP
ClamAV
fair to say these may never Threat
beCommunity
Advisories
Naming
used Conventionswith this malware again,
in conjunction
Reputation Center
sure. In light of the network indicators we discover we like to publish everything.
Razorback
IP
Project
Blacklist
Aspis
Download
The sanity of the blog is for us to decide ;)
Library SpamCop
Daemonlogger
AWBO Exercises
Reply
Mo⸰�ow
Support Communities

PE-Sig
About
Immunet
SENSEINYC MAY 13, 2017 AT 4:12 PM
Careers Teslacrypt Decryption Tool
Excellent work. Thank you.
MBR Filter
Blog
Reply
FIRST

LockyDump

Enter your comment... FreeSentry

Flokibot Tools

Comment as:  Synful Knock Scanner


Fabio Alexandre (Google) Sign out

Cisco Smart Install Scanner


 
Publish Preview   Notify me
ROPMEMU

POST A COMMENT

HOME OLDER POST

S U B S C R I B E T O : P O S T C O M M E N T S ( AT O M)
http://blog.talosintelligence.com/2017/05/wannacry.html 16/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

SUBSCRIBE TO OUR FEED


Support Communities
Software
Vulnerability
Reputation Center
Information
Posts

Software BACK
Comments

Vulnerability Information Snort Community


Vulnerability
Email & Web Reports
TraŘc Reputation
Subscribe via Email
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload

BLOG ARCHIVE
Library SpamCop
Daemonlogger
AWBO Exercises
▼  2 0 1 7 (67)
▼  M A Y (10) Mo⸰�ow
Support Communities
Player 3 Has Entered the Game: Say Hello to 'Wanna...
Threat Round-up for May 05 - May 12 PE-Sig
AboutJaff Ransomware: Player 2 Has Entered The Game
Immunet
Vulnerability Spotlight: Hangul Word Processor Rem...
Microsoft Patch Tuesday - May 2017
Careers Teslacrypt Decryption Tool
Vulnerability Spotlight: WolfSSL library X.509 Cer...
Vulnerability Spotlight: Power Software PowerISO I...
MBR Filter
Blog Vulnerability Spotlight: AntennaHouse DMC Library ...
FIRST
Gmail Worm Requiring You To Give It A Push And App...
KONNI: A Malware Under The Radar For Years
LockyDump
►  A P R I L (17)

►  M A R C H (17) FreeSentry


►  F E B R U A R Y (12)
►  J A N U A R Y (11) Flokibot Tools

►  2 0 1 6 (98) Synful Knock Scanner


►  2 0 1 5 (62)
►  2 0 1 4 (67) Cisco Smart Install Scanner
►  2 0 1 3 (30)
ROPMEMU
►  2 0 1 2 (53)

►  2 0 1 1 (23)
►  2 0 1 0 (93)
►  2 0 0 9 (146)
►  2 0 0 8 (37)

RECOMMENDED BLOGS
SNORT BLOG
WannaCry Snort coverage

CISCO BLOG
Player 3 Has Entered the Game: Say Hello to ‘WannaCry’

CLAMAV® BLOG
End-of-life announcement for clamav in stable and oldstable

http://blog.talosintelligence.com/2017/05/wannacry.html 17/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Support Communities
Software
Vulnerability
Reputation Center
Information

Software BACK

Vulnerability Information Snort Community


Vulnerability
Email & Web Reports
TraŘc Reputation

ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
Aspis
Software
Download

Library Reputation Center


Daemonlogger
AWBO
SpamCopExercises
Vulnerability Information
Mo⸰�ow
Library
Support Communities
Support Communities
PE-Sig
Microsoft Advisory Snort Rules
About
ImmunetDownload
IP Blacklist
AWBO Exercises
Careers Teslacrypt Decryption Tool
About Talos

MBRCareers
Filter
Blog
Blog
FIRST

LockyDump
CONNECT WITH US

FreeSentry

Flokibot Tools

Synful Knock Scanner

Cisco Smart Install Scanner


© 2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved. View our Privacy Policy here.
ROPMEMU

http://blog.talosintelligence.com/2017/05/wannacry.html 18/19
2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Support Communities
Software
Vulnerability
Reputation Center
Information

BACK

Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation

ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions

Project
Razorback
IP Blacklist
AspisDownload

SpamCop
Daemonlogger
AWBO Exercises

Mo⸰�ow

PE-Sig

Immunet

Teslacrypt Decryption Tool

MBR Filter

FIRST

LockyDump

FreeSentry

Flokibot Tools

Synful Knock Scanner

Cisco Smart Install Scanner

ROPMEMU

http://blog.talosintelligence.com/2017/05/wannacry.html 19/19