GREYCORTEX has examined the behavior of the WannaCry ransomware in a network using its MENDEL Network Traffic Analysis tool. As Martin Korec, Lead Analyst at GREYCORTEX, says, “detection of WannaCry and other similar ransomware is easy and fast through the use of advanced behavioral methods. In the case of WannaCry infection, detailed visibility into network traffic is absolutely crucial. From there, it is possible to quickly analyze the extent of the infection, to isolate infected devices, and to keep critical systems running.”
GREYCORTEX’s analysis shows that if a network traffic analysis tool is deployed, WannaCry ransomware can be quickly detected and stopped before files on the affected systems are encrypted. To do this, it is necessary to be able to quickly and effectively detect the behavioral anomalies exhibited by this ransomware, and others like it.
In order to stop the infection rapidly and effectively, it is also necessary to have detailed visibility into real-time network traffic. Using network traffic visibility, organizations can accurately analyze the extent of infection, isolate infected devices, and protect critical systems that are important to the organization.
“We were surprised that this ransomware behaves in an unusually aggressive way on the network. In addition to easily discoverable methods, like port scanning on port 445, we detected a whole series of anomalies, like attempts to connect to more than 4000 devices in 175 countries, in just five minutes,” adds Michal Šrubař, Malware Lab Manager at GREYCORTEX.
Traditional methods of protection against these types of threats often fail. Korec notes that while “antivirus and firewall vendors managed to create detection rules for WannaCry in a matter of hours, in the future it will be difficult to use antivirus and firewall rules to protect against modified versions of WannaCry or other ransomware which exploit similar vulnerabilities, because detection rules can be developed only after new infections occur.”
Gordon Daniell, +420 511 205 216, [email protected]
Detailed Analysis of WannaCry’s Behavior in the Network
After the binary .exe file is run, the malware first checks whether it can reach the following domain on TCP port 80: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If that server responds to the infected device’s request, the malware remains idle. To activate WannaCry, we blocked the domain via a firewall. Because it could not reach the domain, the malware came to life, encrypted the local user disk, and started to communicate over the network. It then verified Internet connectivity simply by attempting to connect to youtube.com.
The infected device then used the ping tool to check which servers on the Internet were reachable. Subsequently, it tried to connect to MS-DS (Microsoft Directory Services) on both the local network and the Internet, and exploited the MS17-010 vulnerability, which enables remote code execution. Within five minutes, the infected device attempted to exploit this vulnerability on more than 4000 devices across the Internet. According to geolocation, the ransomware spread to 175 countries worldwide.
The infection also attacked the internal network, where the ransomware looked for devices with TCP port 445 open. It also managed to connect to shared storage on another computer on the local network, where it encrypted files as well. To access a Windows XP machine, the ransomware exploited the above-mentioned MS17-010 vulnerability. From each newly infected device, the ransomware attempted to spread further in the same manner as the originally infected device.
WannaCry also downloaded the files it needs from dist.torproject.org in order to communicate over the Tor anonymization network. This network is often used by ransomware to exchange the keys that are used to encrypt storage.
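The three network behaviors described above (the kill-switch domain lookup, the burst of TCP/445 connection attempts to thousands of distinct hosts, and the download from dist.torproject.org) are each observable from ordinary flow, DNS and HTTP records. The following Python is an added example written for this page; it is not GREYCORTEX code and not MENDEL’s detection logic. The record format (plain dicts with ts, src, dst, dport, qname, host), the constructed sample traffic, and the fan-out threshold of 50 distinct hosts per 300 seconds are assumptions chosen so the sample is small; the analysis above reports more than 4000 hosts in five minutes for a real infection.

```python
"""Flow-based detection of the WannaCry behaviours described in the analysis.

Added example, not GREYCORTEX's code.  Record layouts, sample data and the
fan-out threshold are assumptions made for this illustration.
"""
from collections import defaultdict, deque

# Indicators taken from the analysis text itself.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
TOR_DOWNLOAD_HOST = "dist.torproject.org"
SMB_PORT = 445


def smb_fanout_alerts(flows, window=300, threshold=50):
    """Return {src: peak_distinct_dst} for every source that contacts more than
    `threshold` distinct hosts on TCP/445 within any `window`-second span.
    Uses a sliding window per source so a slow, legitimate file-server client
    is not flagged while a worm-style burst is."""
    by_src = defaultdict(list)
    for f in flows:
        if f.get("dport") == SMB_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                 # by timestamp
        active = deque()              # (ts, dst) pairs inside the window
        counts = defaultdict(int)     # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            active.append((ts, dst))
            counts[dst] += 1
            # Evict events older than the window before measuring fan-out.
            while active and ts - active[0][0] > window:
                old_ts, old_dst = active.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak > threshold:
            alerts[src] = peak
    return alerts


def kill_switch_lookups(dns_queries):
    """Sources that resolved the kill-switch domain.  The malware stays idle if
    the domain answers, so the lookup itself is the triage signal."""
    return sorted({q["src"] for q in dns_queries
                   if q["qname"].lower().rstrip(".") == KILL_SWITCH_DOMAIN})


def tor_component_downloads(http_requests):
    """Sources that fetched anything from the Tor distribution host."""
    return sorted({r["src"] for r in http_requests
                   if r["host"].lower() == TOR_DOWNLOAD_HOST})


def build_sample():
    """Constructed records (assumed, not captured traffic): one infected host
    and two benign ones."""
    flows = [{"ts": 2 * i, "src": "10.0.0.17", "dst": f"203.0.113.{i}", "dport": 445}
             for i in range(80)]                       # 80 hosts in 158 s
    flows += [{"ts": t, "src": "10.0.0.5", "dst": d, "dport": 445}
              for t, d in ((10, "10.0.0.2"), (20, "10.0.0.3"), (30, "10.0.0.4"))]
    dns = [{"src": "10.0.0.17", "qname": KILL_SWITCH_DOMAIN + "."},
           {"src": "10.0.0.9", "qname": "youtube.com"}]
    http = [{"src": "10.0.0.17", "host": "dist.torproject.org"},
            {"src": "10.0.0.9", "host": "youtube.com"}]
    return flows, dns, http


def run_demo():
    flows, dns, http = build_sample()
    return {"smb_fanout": smb_fanout_alerts(flows),
            "kill_switch": kill_switch_lookups(dns),
            "tor_download": tor_component_downloads(http)}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits}")
```

The sliding window is what separates the worm burst from normal SMB use: the host contacting 80 distinct peers in under three minutes is flagged, while the workstation that reaches three file servers is not. In practice all three detections converge on the same source address, which is the kind of corroboration that lets a team isolate a device before it reaches shared storage.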
Figure 1: Examples of Internet devices to which WannaCry tried to spread from the infected device.
Figure 2: Examples of autonomous systems in the Internet to which WannaCry tried to spread from the infected device.
Figure 3: A sample of detected events in network traffic from the infected device.
Figure 4: A screen capture showing the device after user data on the device was encrypted.