Posted: 8 Min ReadThreat Intelligence

What you need to know about the WannaCry Ransomware

The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.

UPDATE: May 23, 2017 00:30 GMT:

Symantec has uncovered further links to more closely tie the WannaCry attacks with the Lazarus group. For further details, see: WannaCry: Ransomware attacks show strong links to Lazarus group

UPDATE: May 15, 2017 23:24:21 GMT:

Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack and the Lazarus group:

  • Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed.
  • Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants.

While these findings do not indicate a definitive link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network by exploiting critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017 (MS17-010). The exploit, known as “Eternal Blue,” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.

Am I protected from the WannaCry ransomware?

Symantec Endpoint Protection (SEP) and Norton have proactively blocked any attempt to exploit the vulnerabilities used by WannaCry, meaning customers were fully protected before WannaCry first appeared. SEP14 Advanced Machine Learning proactively blocked all WannaCry infections on day zero, without any updates.

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are automatically protected against WannaCry using a combination of technologies. Proactive protection was provided by:

  • IPS network-based protection
  • SONAR behavior detection technology
  • Advanced Machine Learning
  • Intelligent Threat Cloud

Customers should have these technologies enabled for full proactive protection. SEP customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by Advanced Machine Learning signatures.

What is the WannaCry ransomware?

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days it claims the encrypted files will be deleted. However Symantec has not found any code within the ransomware which would cause files to be deleted.

Can I recover the encrypted files or should I pay the ransom?

Decryption of encrypted files is not possible at present but Symantec researchers continue to investigate the possibility. See this article for further details. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.

In some cases, files may be recovered without backups. Files saved on the Desktop, My Documents, or on a removable drive are encrypted and their original copies are wiped. These are not recoverable. Files stored elsewhere on a computer are encrypted and their original copies are simply deleted. This means they could be recovered using an undelete tool.

When did WannaCry appear and how quickly did it spread?

WannaCry first appeared on Friday, May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerabilities used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high. Exploit numbers increased on Monday, presumably as people returned to work after the weekend.

Figure 1. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per hour
Figure 1. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per hour
Figure 2. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per day
Figure 2. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per day
Animated gif
Figure 3. Heatmap showing Symantec detections for WannaCry, May 11 to May 15

Who is impacted?

Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks and a number of organizations globally have been affected, the majority of which are in Europe. However individuals can also be affected.

Is this a targeted attack?

Current WannaCry activity is not believed to be part of a targeted attack.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting known vulnerabilities in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.

How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection—how the first computer in an organization is infected—remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.

How does the ransom payment work?

The WannaCry attackers request that the ransom be paid using Bitcoins. WannacCy generates a unique Bitcoin wallet address for each infected computer, however due to a race condition bug this code does not execute correctly. WannaCry then defaults to three hardcoded Bitcoin addresses for payment. The attackers are unable to identify which victims have paid using the hardcoded addresses, meaning that victims are unlikely to get their files decrypted.

The WannaCry attackers subsequently released a new version of the malware that corrected this flaw, however this version was not as successful as the original.

On May 18, a new notice was displayed on infected computers informing victims that files will be decrypted if the ransom is paid.

What are the details on Symantec's protection?

Network-based protection
Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

SONAR behavior detection technology

Advanced Machine Learning

Antivirus

For expanded protection and identification purposes, the following Antivirus signatures have been updated:

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

  • 20170512.009

The following IPS signature also blocks activity related to Ransom.Wannacry:

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.

About the Author

Symantec Security Response

Security Response Team

Symantec's Security Response organization develops and deploys new security content to Symantec customers. Our team of global threat analysts operate 24x7 to track developments on the threat landscape and protect Symantec customers.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.