blog / May 12, 2017

From NSA Exploit to Widespread Ransomware: WannaCry is on the Loose

by Ray Pompon

This article was revised 5/15/17 at 9:12 a.m. (PDT) with updated recommendations.

Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster,” which describes the point at which more than 25 machines are infected on a single network as the “tipping point” for complete shutdown of a network.1 The new ransomware WannaCry,2 which locks down all files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster. Hospitals in the UK were the first to feel its bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are being shut down. If someone dies because of this, we’ll be looking at murder by malware.3 That will be a game-changer for security and compliance.

The malware is using MS17-010,4 a.k.a. “EternalBlue” (a Shadow Brokers-released NSA exploit5), to punch through the network of anyone who hadn't patched the weeks-old vulnerability. This vulnerability affects the Server Message Block (SMB) file-sharing protocol, which is often wide open within organizational networks and so lets the attack spread quickly.

Just as we saw with the Cerberus ransomware and Apache Struts, cyber-crooks waste no time upgrading the warheads on their malware to the latest exploits. When new holes are released, you should expect the same old evil to come repackaged with a new way to get in.

WannaCry is coming into networks in many different forms. The most dangerous is via Microsoft SMB (Server Message Block),6 which is used for file sharing. Security researchers are reporting that a device listening on SMB that is placed on the open, unfiltered Internet is attacked within three minutes. However, traditional malware propagation methods are also in use, including malicious email attachments and phishing.

The most prevalent form of the WannaCry ransomware comes in as a loader carrying an AES-encrypted DLL, which it writes to a file called “t.wry”. The loader decrypts this file with a 128-bit key embedded in the malware, and the resulting DLL is what encrypts the victim's disk files. Because of this encrypted loading method, the payload is never written to disk in unencrypted form, so it stays invisible to traditional signature-based antivirus software.

While encrypting the victim's files, it also scans all the visible IPC$ and SMB file shares. It uses the Microsoft MS17-010 SMB vulnerability to gain access to the systems on these shares, and infects those systems, as well. It is this behavior that has enabled WannaCry to quickly infect whole networks in minutes.

The primary variant of WannaCry used an unregistered domain to control distribution, a.k.a. “the kill switch.” A security researcher who goes by the name of MalwareTech registered and sinkholed that domain,7 which has stopped this version of WannaCry. Updated WannaCry variants have since been released, so the danger is still real.

Defense Advice

  • Block SMB access to the Internet, which runs over TCP ports 137, 139, 445 and UDP ports 137, 138.
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Filter and monitor email for phishing attacks, watching for inbound executable and macro-enabled attachments.
  • Utilize least privilege by giving users access only to the resources they need to conduct their jobs to contain damage from a compromised user account.
  • Reduce and restrict full administrative privileges. Give system administrators separate administrative accounts, distinct from the user accounts they use to read email and surf the web. Also, restrict common administrative access to TCP ports such as 22, 23, and 3389.
  • Configure internal access controls to contain infection contagion within the networks. Block or restrict SMB (TCP ports 137, 139, 445 and UDP ports 137, 138).
  • Send internal flash bulletins to users regarding this outbreak, warning them to beware of attachments as well as cautioning them not to bring possibly infected outside devices (teleworkers, vendors, home computers) onto the office network.
  • Perform and test backups regularly.
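The spreading behavior described above (one infected host scanning every reachable SMB share) and the advice to block SMB at the Internet edge both translate into simple network-log checks. The following is an added example, not code from the F5 Labs article: it reads a constructed connection-log format (timestamp, source, destination, protocol, destination port), assumes the organization's internal ranges are the RFC 1918 networks, and flags any source that reaches many distinct internal hosts on SMB ports within a minute, as well as any SMB connection leaving the internal ranges. The thresholds and window are assumptions to tune for your own network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# SMB ports named in the defense advice above (TCP 137/139/445, UDP 137/138).
SMB_PORTS = {"tcp": {137, 139, 445}, "udp": {137, 138}}
# Assumed internal address space; replace with your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 5            # assumed: distinct SMB targets per source per window
WINDOW = timedelta(minutes=1)   # assumed: worm reaches many hosts within a minute

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <src_ip> <dst_ip> <proto> <dport>"
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)

def analyze(lines):
    egress, fanout = [], set()
    recent = defaultdict(list)   # src -> [(ts, dst)] internal SMB hits in window
    for line in lines:
        ts, src, dst, proto, dport = parse_line(line)
        if dport not in SMB_PORTS.get(proto, ()):
            continue                      # not SMB traffic, ignore
        if not is_internal(dst):
            egress.append((src, dst, proto, dport))   # SMB leaving the network
            continue
        # Keep only hits inside the sliding window, then count distinct targets.
        hist = [(t, d) for t, d in recent[src] if ts - t <= WINDOW] + [(ts, dst)]
        recent[src] = hist
        if len({d for _, d in hist}) >= FANOUT_THRESHOLD:
            fanout.add(src)               # worm-like lateral SMB scanning
    return {"smb_egress": egress, "smb_fanout": sorted(fanout)}

# Constructed sample log: 10.0.5.20 fans out over SMB, 10.0.5.31 talks SMB outbound.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.5.20 10.0.5.21 tcp 445
2017-05-12T10:00:02 10.0.5.20 10.0.5.22 tcp 445
2017-05-12T10:00:02 10.0.5.20 10.0.5.23 tcp 445
2017-05-12T10:00:03 10.0.5.20 10.0.5.24 tcp 445
2017-05-12T10:00:03 10.0.5.20 10.0.5.25 tcp 445
2017-05-12T10:00:04 10.0.5.20 10.0.5.26 tcp 139
2017-05-12T10:00:05 10.0.5.31 10.0.5.10 tcp 445
2017-05-12T10:00:06 10.0.5.31 203.0.113.9 tcp 445
2017-05-12T10:00:07 10.0.5.40 10.0.5.10 tcp 443
2017-05-12T10:01:00 10.0.5.31 10.0.5.11 udp 138
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A fan-out hit is a candidate for immediate isolation of the source host; an egress hit shows where the perimeter filter in the first bullet is missing.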

MODIFIED: May 26, 2017
