Kill Switch Domains Target

WannaCry Overview

On May 12th, hackers released the WannaCry (also called, WannaCrypt0r, WannaCrypt, and WCry) ransomware. The worm takes advantage of a Windows vulnerability disclosed by The Shadowbrokers. Although Microsoft released patches for the vulnerability a month in advance, many servers and endpoint devices had not been patched before the attack was launched. This allowed the worm to spread like wildfire, infecting over 100k victims across 99 countries in less than 24 hours.

ThreatSTOP’s lead security researcher, published a blog entry covering the spread and severity of the damage. The entry also noted multiple methods to patch against the worm, and prevent infection. However, for many the damage was already done.

Researchers have released some recovery tools for recently infected Windows 7 and XP machines; and Microsoft went above and beyond and patched out of bandwidth XP machines. In addition to this, a UK security researcher discovered a kill switch for the worm. Most variants of WannaCry attempt to dial home to a series of hard coded domains. This allows WannaCry to determine if it’s sandboxed for debugging, if the call home succeeds, it prevents the worm from encrypting data on the drive. When the researcher registered the domain names it sinkholed most variants of WannaCry.

However, the owners of the Mirai botnet have begun DDoSing the sinkholed domains, in order to keep WannaCry working. ThreatSTOP users have the ability to protect their networks from the WannaCry ransomware by creating a local sinkhole they can control in the event the DDoS attack against the current kill switch sinkhole is successful in taking down the sinkhole connectivity.

Remediation

Infected Windows machines from XP to 7 and Windows Server up to 2008r, can try recovering the encryption key used to capture the files. To do this you will need to download WanaKiwi from Matt Suiche based on work by Benjamin Delpy and Adrien Guinet at Quarkslab. At no time before running WanaKiwi should you reboot! This will remove the variables used to generate the encryption key from memory! It’s also possible that the variables have been removed by Windows garbage collection routines. This is not a guaranteed fix.

All other windows systems need to apply the patches for MS17-010 (the Windows vulnerability WannaCry exploits). Windows has already pushed the patches to affected machines and a simple reboot will close the hole.

Alternatively, you can install Minerva Labs’s Vaccinator which will cause WannaCry to bypass the machine. However, sensitive machines should receive patches as soon as possible.

Consider disabling legacy network protocols (specifically SMBv1 in this case) if you don’t need them.

ThreatSTOP users should enable the Anonymous Networks target on your IP and DNS firewall devices. This will prevent average users from bypassing your network security using these methods.

ThreatSTOP DNS Firewall customers are currently protected by a global PASSTHRU entry for the known WannaCry kill switch domains. Or you can more explicitly define this target using the instructions in To Add the WannaCry Kill Switch Domains Target to Your Policy Whitelist. Alternatlively and for greater security, setup a local DNS sinkhole for WannaCry as explained in Advanced Method for Wanna Cry Kill Switch Domains Target Whitelist Entry

Adding the WannaCry Kill Switch Domains Target to Your Policy Whitelist

  • Login to the ThreatSTOP Portal as usual
  • Click on the Policies menu entry
  • Select the DNS Defense Policy to edit
  • Select the Individual Targets tab
  • Search for WannaCry in the text search
  • Select the WannaCry Kill Switch target
  • Keep the action as the ThreatSTOP Default and click Add Target
  • Save your edit

This will automatically update your policy and whitelist the WannaCry Kill Switch domains from being blocked. This will prevent most WannaCry variants from activating and encrypting your data.

Advanced Method for WannaCry Kill Switch Domains Target Whitelist Entry

Since the Internet connected servers for the kill switch domains are being DDoS’ed, it’s also possible, and will be more reliable to stand up your own locally managed, highly available sinkholed instance of the web server. You will need to perform the following steps to do this.

  • Stand up a web server on a known safe portion of the network
  • Go to the RPZ Behaviors page on the Portal
  • Click Add RPZ Behavior and set the action to a CNAME command pointed to your new webserver for example (CNAME your.server.name.).
  • Add the target to your DNS Defense policies and set the action to the newly created RPZ Behavior

Both of these techniques will also work with ThreatSTOP Roaming policies. If you have further questions or need more assistance please feel free to reach out to support@threatstop.com or call +1-855-958-7867.

Resources

Downloads

References

  1. Damsky, Irena. “This Past Weekend Made All of Us WannaCry.” ThreatSTOP Blog. May 14, 2017. https://blog.threatstop.com/this-past-weekend-made-all-of-us-wannacry.
  2. Suiche, Matt. “WannaCry - The largest ransom-ware infection in History.” Comae Technologies. May 12, 2017. https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58. Moyal, Omri. “Immunize Yourself from WannaCry Ransomware with Minerva’s FREE Vaccinator.” Minerva Labs. May 14, 2017. http://www.minerva-labs.com/post/immune-yourself-from-wannacry-ransomware-with-minervas-free-vaccinator.
  3. Breiman, Erez. “Using Vaccination to Stop Malware in Real-Life Scenarios.” Minerva Labs. May 15, 2017. https://minerva-labs.com/post/using-vaccination-to-stop-malware-in-real-life-scenarios.
  4. “Microsoft Security Bulletin MS17-010 - Critical.” Security TechCenter. March 14, 2017. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010