Information regarding the WannaCry ransomware is spreading as quickly as the malware itself and is expected to do so throughout the weekend. This blog provides some information from our malware processing system that may or may not be available elsewhere.
The WannaCry ransomware propagates by exploiting a remote code execution vulnerability in Microsoft Windows that surfaced via the Shadowbrokers dump on April 14th. Microsoft released a patch on March 14th. Systems should be patched or SMBv1/CIFS disabled immediately to reduce the likelihood of infection:
Microsoft Security Bulletin MS17-010 – Critical
Additionally, appropriate network segmentation is always a best practice and should also be used to limit the exposure of Microsoft SMB not only externally, but on internal networks as well.
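The host-side checks and remediations implied by the two recommendations above (disable SMBv1, limit SMB exposure), written out as an added PowerShell example. This is not ASERT's or Arbor's code. It assumes an elevated PowerShell session; the Get-/Set-SmbServerConfiguration and Get-NetTCPConnection cmdlets exist on Windows 8 / Server 2012 and later, the registry fallback is the documented path for Windows 7 / Server 2008 R2, and the firewall rule is only appropriate on hosts that do not need to accept SMB connections (file servers and domain controllers need a scoped allow rule instead). Patching MS17-010 remains the primary fix; this only removes the attack surface.

```powershell
# Added example (not from the ASERT post): report, and optionally remove, SMBv1 exposure
# on a Windows host. Run elevated. Without -Remediate nothing is changed.
param(
    [switch]$Remediate
)

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the server-side SMB1 switch directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 fallback: SMB1 is enabled unless the
    # LanmanServer\Parameters\SMB1 value exists and is 0.
    $val = (Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

$smb1On = Get-Smb1State
Write-Host ("SMBv1 server protocol enabled : {0}" -f $smb1On)

# A host that listens on TCP/445 is reachable by the worm's SMB exploit from its network peers.
$listening = $false
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}
Write-Host ("TCP/445 listener present      : {0}" -f $listening)

if ($Remediate -and $smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where the optional-feature cmdlet exists (Windows 8.1 / Server 2012 R2 and later),
    # remove the SMB1 component altogether; this takes effect after a reboot.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Host 'SMBv1 disabled; reboot to complete.'
}

# Host-level segmentation for workstations that never serve files: block inbound SMB.
# A Windows Firewall block rule wins over allow rules, so do not apply this to file servers.
if ($Remediate -and (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 exposure)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host 'Inbound TCP/445 blocked by host firewall.'
}
```

Run it once without `-Remediate` to see the current state, and again with the switch to apply the changes; the reboot is needed only when the optional feature was removed.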
The following information is derived from dynamic analysis of 14 WannaCry samples and is provided as additional context for incident responders:
Behavioral Signatures from Malware Sandbox:
- Adds autostart object
- Dumps and runs batch script
- Modifies registry autorun entries
- Creates executable in application data folder
- Modifies file attributes via attrib.exe
- Modifies Windows Registry from the command line
- Renames file on boot
Created Files of Interest:
- !Please Read Me!.txt
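A host triage script that turns the sandbox behaviours and the created file listed above into checks an incident responder can run on a suspect Windows machine, added here as an example and not part of the ASERT post. It looks for autorun registry entries that launch an executable from an application-data folder, for the "!Please Read Me!.txt" note under user profiles and ProgramData, for Hidden/System attributes on any binary an autorun entry points at (the attrib.exe behaviour), and for a pending file rename scheduled for the next boot. The registry paths searched, the depth limit and the output format are this example's choices; it assumes PowerShell 5.0 or later for the -Depth parameter and reports findings without changing anything.

```powershell
# Added example (not from the ASERT post): read-only host triage for WannaCry-style
# persistence and artefacts. Run elevated so that all user profiles are readable.

$findings = New-Object System.Collections.Generic.List[object]

# (1) Autorun entries whose command line points into a per-user or per-machine data folder.
#     Legitimately installed software rarely autostarts from AppData/ProgramData.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Matches both expanded paths (C:\Users\x\AppData\...) and unexpanded ones (%APPDATA%\...).
$suspectPathPattern = '(?i)(\\|%)(AppData|Application Data|ProgramData|Local Settings)(\\|%)'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        if ($cmd -match $suspectPathPattern) {
            $findings.Add([pscustomobject]@{
                Type = 'AutorunFromAppData'; Location = "$key\$($p.Name)"; Detail = $cmd })
        }
    }
}

# (2) The ransom note named in the sandbox output. Searched under all user profiles and
#     ProgramData with a bounded depth so the sweep finishes quickly on large disks.
$noteName    = '!Please Read Me!.txt'
$profileRoot = Split-Path $env:USERPROFILE -Parent        # e.g. C:\Users
foreach ($root in @($profileRoot, $env:ProgramData)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $noteName -Recurse -Force -Depth 4 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'RansomNote'; Location = $_.FullName; Detail = "LastWrite $($_.LastWriteTime)" })
        }
}

# (3) attrib.exe use: flag Hidden/System attributes on the binary behind each autorun finding.
foreach ($f in @($findings | Where-Object Type -eq 'AutorunFromAppData')) {
    # First quoted token, or first whitespace-delimited token, of the command line.
    $exe = if ($f.Detail -match '^"([^"]+)"') { $Matches[1] } else { ($f.Detail -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) {
        $attr = (Get-Item -LiteralPath $exe -Force).Attributes
        if (($attr -band [IO.FileAttributes]::Hidden) -or ($attr -band [IO.FileAttributes]::System)) {
            $findings.Add([pscustomobject]@{
                Type = 'HiddenAutorunBinary'; Location = $exe; Detail = "$attr" })
        }
    }
}

# (4) "Renames file on boot": the usual mechanism is a delayed move recorded in
#     PendingFileRenameOperations, which Session Manager applies at the next start.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($entry in @($pending | Where-Object { $_ })) {
    $findings.Add([pscustomobject]@{ Type = 'PendingRenameOnBoot'; Location = $sessionMgr; Detail = $entry })
}

if ($findings.Count -eq 0) {
    Write-Host 'No WannaCry-style indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Pending renames are also produced by ordinary installers and Windows Update, so a PendingRenameOnBoot finding on its own is context rather than a verdict; an autorun entry from AppData combined with a ransom note is the pairing worth escalating.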
ASERT has compiled a more comprehensive Situational Threat Brief that includes additional indicators, insights, and information on how Arbor products may be leveraged to detect and/or block incidents of WannaCry. Arbor customers and partners can register to receive this and other ASERT Briefs on the registration page.