Automate Your Response to WannaCry Ransomware

We’ve highlighted the Phantom Community Ransomware Playbook before on the Phantom Blog. It is a general purpose ransomware playbook that is adaptable to many different types of ransomware. Given the widespread impact of the WannaCry threat, however, we wanted to dedicate a blog entry to this particular threat and provide you with customized playbooks and other resources that will help you address the threat using automation and avoid consuming more of your analyst’s resources than necessary.

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, WCry, WCrypt, and Wanna Decryptor) is a ransomware type of malware that targets Microsoft Windows systems. The ransomware is part of a large-scale and ongoing attack currently spreading worldwide. It propagates using methods like phishing emails and exploits against unpatched systems. While significant progress has been made to curtail propagation of the attack using a DNS sinkholing technique, it will likely continue to present itself for an extended period of time due to its worm-like characteristics.

[Image: WannaCrypt-ransom-executable]
Screenshot taken from a system infected with WannaCry Ransomware

We strongly recommend taking steps as outlined by Microsoft for preventing WannaCry infections. We are also offering Phantom Community members an extensible model for automating and orchestrating the prevention, hunting, investigation, and remediation workflows for WannaCry and other Ransomware threats like it using the Phantom Platform.

NOTE: Details that enhance an organization’s ability to detect, hunt, investigate, and remediate WannaCry ransomware may evolve, so be sure to maintain up-to-date intelligence for the threat using one or more of our threat intelligence partners.

Phantom Community Resources

Phantom has created four community playbooks that will immediately help in the management of the WannaCry outbreak. These playbooks are generally applicable to any malware scenario; however, the Custom Lists used in the playbooks allow them to be tuned specifically to WannaCry.

Phantom Community Playbooks

  1. WannaCry Hunting (wannacry_hunting)
  2. WannaCry Investigate (wannacry_investigate)
  3. WannaCry Remediate (wannacry_remediate)
  4. WannaCry Prevent (wannacry_prevent)

Phantom Custom Lists

  1. WannaCry IOCs – File Names (wannacry_file_names)
  2. WannaCry IOCs – File Hashes (wannacry_hashes)
  3. WannaCry IOCs – IP Addresses (wannacry_ip_addrs)
  4. WannaCry IOCs – DNS Domains (wannacry_domains)
  5. WannaCry Infections – Local Endpoints (wannacry_infected_endpoints)
  6. WannaCry Remediations – Local Endpoints (wannacry_remediated_endpoints)
  7. WannaCry Patches – Local Endpoints (wannacry_patched_endpoints)

Note: The playbooks will use the custom list naming specified above (e.g. wannacry_hashes).  If you do not have a custom list with that name already created on your Phantom platform, the playbook will automatically create one for you.  

Playbook: WannaCry Hunting (wannacry_hunting)

[Image: wannacry_hunting_2 (playbook diagram)]

  1. This playbook operates on these assets: Carbon Black and ServiceNow.
  2. The playbook uses IP Address and File Hash IOCs, stored in custom lists, as input parameters to the hunting actions.  
  3. The results from the Carbon Black hunt file and list connections actions are checked against the wannacry_infected_endpoints custom list to determine if the infections are already known.
  4. Hunting results associated with new infections are passed into a formatting block in preparation for ticket creation.
  5. The playbook then creates a ticket in ServiceNow with all of the information pulled from investigative actions.
  6. The action results can also be viewed from Phantom’s Mission Control interface where further actions or playbooks may be executed.

Playbook: WannaCry Investigate (wannacry_investigate)

[Image: wannacry_investigate_2 (playbook diagram)]

  1. This playbook operates on these assets: Carbon Black, ServiceNow, and VMware vSphere.
  2. The playbook operates against artifacts that have been ingested from a data source, signaling a security event.  
  3. The first decision block of the playbook determines if the source addresses associated with the event are known infected endpoints by checking against the wannacry_infected_endpoints custom list.
  4. The second decision block of the playbook is responsible for determining if any of the artifacts ingested are present in the custom lists containing WannaCry IOCs.
  5. Meeting the second condition suggests the security event is part of the WannaCry outbreak.
  6. Investigative actions are executed using Carbon Black to obtain as much information about the system as possible.
  7. Affected endpoints are added to the wannacry_infected_endpoints custom list.
  8. If the system is a VM, a snapshot is taken using VMware vSphere for forensic and backup purposes.
  9. The information obtained is formatted appropriately for submission to a ticketing system or email.
  10. A ticket is created using ServiceNow that indicates a WannaCry event has been confirmed.

Playbook: WannaCry Remediate (wannacry_remediate)

[Image: wannacry_remediate_2 (playbook diagram)]

  1. This playbook operates on these assets: Carbon Black, VMware vSphere, and the Phantom agent.
  2. To start, there is a check against the wannacry_remediated_endpoints custom list to ensure the endpoints in question have not already been remediated.   
  3. The next decision block will determine if any of the artifacts ingested from the data source are present in the custom lists containing IOCs associated with the WannaCry outbreak.
  4. The endpoints related to all new matches are investigated further first by determining if the endpoint is a VM.  Depending on whether the system is a VM or not, a series of remediation actions are taken.  
  5. In either case, where the system is a VM or a bare metal server, processes associated with WannaCry are terminated, relevant file hashes are blocked, and relevant IPs are blocked.   This is all done directly on the endpoint using Carbon Black and the Phantom Agent.
  6. In parallel with the blocking actions above, the playbook will take action on the file system by reverting the VM (applicable to a VM) or deactivating the partition (applicable to a bare metal server).
  7. At the end of the playbook, the affected endpoints are added to the wannacry_remediated_endpoints custom list.
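The hunting, investigate and remediate playbooks share the same two decision blocks: skip endpoints already recorded in a custom list, then confirm the event when any artifact matches one of the WannaCry IOC lists. The following Python models that logic in plain code so the matching rules can be read and tested. It is an added example, not Phantom's playbook code or its custom-list API: custom lists are modelled as sets populated with a subset of the IOC values on this page (the hash entry is a constructed placeholder), artifacts are dataclasses with field names chosen here, and the sample artifacts are constructed. Hashes and domains are normalised before matching so that case or a trailing dot cannot cause a miss. The kill-switch domain is kept as a detection indicator only: the malware exits when that domain resolves and answers, which is exactly what the sinkhole provides, so it belongs in alerts, not in block lists.

```python
from __future__ import annotations
from dataclasses import dataclass

# Custom lists modelled as sets. Values are a subset of the IOCs listed on this page;
# the hash entry is a constructed placeholder, since the real hash list belongs in a
# threat-intelligence feed rather than in example code.
WANNACRY_FILE_NAMES = {"@Please_Read_Me@.txt", "@WanaDecryptor@.exe", "tasksche.exe", "taskdl.exe"}
WANNACRY_HASHES = {"a" * 64}          # constructed placeholder SHA-256 value
WANNACRY_IP_ADDRS = {"197.231.221.221", "128.31.0.39", "149.202.160.69"}
WANNACRY_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "rphjmrpwmfv6v2e.onion",
    "gx7ekbenv2riucmf.onion",
}
# The malware stops when this domain resolves and answers, which the sinkhole ensures.
# Match it for detection, but keep it out of block lists.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}


@dataclass
class Artifact:
    """One ingested artifact with CEF-style fields (field names are this example's choice)."""
    source_address: str
    file_name: str = ""
    file_hash: str = ""
    dest_address: str = ""
    dest_domain: str = ""


def match_iocs(a: Artifact) -> list[tuple[str, str]]:
    """Return (ioc_type, value) pairs for every custom-list hit on this artifact."""
    hits = []
    if a.file_name in WANNACRY_FILE_NAMES:
        hits.append(("file_name", a.file_name))
    digest = a.file_hash.lower()                   # hashes compare case-insensitively
    if digest and digest in WANNACRY_HASHES:
        hits.append(("hash", digest))
    if a.dest_address in WANNACRY_IP_ADDRS:
        hits.append(("ip", a.dest_address))
    domain = a.dest_domain.lower().rstrip(".")     # DNS names: lower-case, drop trailing dot
    if domain and domain in WANNACRY_DOMAINS:
        hits.append(("domain", domain))
    return hits


def triage(artifacts: list[Artifact], infected_endpoints: set[str]) -> dict:
    """First decision block: skip sources already in wannacry_infected_endpoints.
    Second decision block: confirm the event when any artifact matches an IOC list.
    Confirmed sources are then added to the infected list (investigate step 7)."""
    result = {"known": [], "confirmed": {}, "unrelated": []}
    for a in artifacts:
        if a.source_address in infected_endpoints:
            result["known"].append(a.source_address)
            continue
        hits = match_iocs(a)
        if hits:
            result["confirmed"].setdefault(a.source_address, []).extend(hits)
        else:
            result["unrelated"].append(a.source_address)
    infected_endpoints.update(result["confirmed"])
    return result


def format_ticket(confirmed: dict[str, list[tuple[str, str]]]) -> str:
    """Render the confirmed findings as a ticket body (investigate steps 9 and 10)."""
    lines = ["WannaCry event confirmed on the following endpoints:"]
    for host, hits in sorted(confirmed.items()):
        lines.append(f"- {host}")
        for kind, value in hits:
            note = "  [kill-switch domain: alert only, do not block]" if value in KILL_SWITCH_DOMAINS else ""
            lines.append(f"    {kind}: {value}{note}")
    return "\n".join(lines)


# Constructed sample artifacts; source addresses are private-range values chosen for the example.
SAMPLE_ARTIFACTS = [
    Artifact("10.0.0.5", file_name="tasksche.exe"),               # already in the infected list
    Artifact("10.0.0.7", file_name="@WanaDecryptor@.exe"),
    Artifact("10.0.0.7", dest_address="128.31.0.39"),
    Artifact("10.0.0.8", dest_domain="Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.COM."),
    Artifact("10.0.0.9", file_name="notepad.exe", dest_address="192.0.2.10"),
    Artifact("10.0.0.11", file_hash="A" * 64),                    # upper-case copy of the placeholder
]


def run_example() -> tuple[dict, set[str], str]:
    infected = {"10.0.0.5"}
    result = triage(SAMPLE_ARTIFACTS, infected)
    return result, infected, format_ticket(result["confirmed"])


if __name__ == "__main__":
    result, infected, ticket = run_example()
    print(ticket)
    print("known:", result["known"], "unrelated:", result["unrelated"])
```

The remediate playbook's first two blocks are the same shape with wannacry_remediated_endpoints in place of the infected list; the same `triage` function serves it if that set is passed in.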

Playbook: WannaCry Prevent (wannacry_prevent)

[Image: wannacry_prevent_2 (playbook diagram)]

  1. This playbook operates on these assets: Carbon Black, Phantom Agent, and ServiceNow.
  2. First, the playbook compares the list of target endpoints against the wannacry_patched_endpoints custom list to eliminate redundant processing.
  3. Next, the playbook obtains a list of all endpoints being managed by Carbon Black.
  4. The filter block is responsible for identifying which systems are Windows platforms.
  5. For the identified Windows platforms, Carbon Black is used to identify the OS installation version.  A filter block is used to identify the Windows systems that are not up to date and are therefore vulnerable to WannaCry.
  6. A ticket is created in ServiceNow containing a list of all of the endpoints that are not sufficiently patched.
  7. Windows Update (wuauclt.exe) is then remotely executed on all of the unpatched systems.
  8. After patching, there is a follow-on check to ensure the hotfix was applied to the system.
  9. If the hotfix failed to apply, the ticket is updated to reflect which systems failed to update.
  10. Any affected systems are added to the wannacry_patched_endpoints custom list.
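The prevent playbook is a filter-then-verify flow, and the part worth getting right is the state kept between runs. The Python below walks steps 2 through 10 over a constructed endpoint inventory. It is an added example, not Phantom's playbook or the Carbon Black API: endpoint records are a dataclass with field names chosen here, the per-OS hotfix identifiers are labelled placeholders (this page does not list the KB numbers; take them from Microsoft's guidance), and the post-update readings are constructed. Two choices go beyond the steps as written: hosts whose OS version has no known hotfix mapping are reported for manual review rather than silently skipped, and only hosts whose hotfix is verified are added to wannacry_patched_endpoints, so a failed host is retried on the next run instead of being dropped by the step 2 check.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: the required hotfix differs per OS line. These identifiers are
# placeholders, not values from this page or from Microsoft.
REQUIRED_HOTFIX_BY_OS = {
    "windows 7": "KB-PLACEHOLDER-WIN7",
    "windows server 2008 r2": "KB-PLACEHOLDER-2008R2",
    "windows 10": "KB-PLACEHOLDER-WIN10",
}


@dataclass(frozen=True)
class Endpoint:
    """Constructed stand-in for an endpoint record from Carbon Black (field names are this example's)."""
    hostname: str
    os_name: str
    hotfixes: frozenset[str]


def required_hotfix(endpoint: Endpoint) -> str | None:
    """Step 5: map the reported OS version to the hotfix it needs, or None if unknown."""
    return REQUIRED_HOTFIX_BY_OS.get(endpoint.os_name.strip().lower())


def select_unpatched(endpoints: list[Endpoint], patched_endpoints: set[str]) -> dict[str, list[str]]:
    """Steps 2 to 5: drop hosts already in wannacry_patched_endpoints, keep Windows hosts,
    and split them into unpatched, current, and unknown_version (needs a human look)."""
    out = {"unpatched": [], "current": [], "unknown_version": []}
    for e in endpoints:
        if e.hostname in patched_endpoints:
            continue                                   # step 2: no redundant processing
        if not e.os_name.lower().startswith("windows"):
            continue                                   # step 4: Windows platforms only
        kb = required_hotfix(e)
        if kb is None:
            out["unknown_version"].append(e.hostname)
        elif kb in e.hotfixes:
            out["current"].append(e.hostname)
        else:
            out["unpatched"].append(e.hostname)
    return out


def ticket_body(selection: dict[str, list[str]]) -> str:
    """Step 6: ticket text listing insufficiently patched hosts."""
    lines = ["Endpoints missing the WannaCry hotfix:"]
    lines += [f"- {h}" for h in selection["unpatched"]]
    if selection["unknown_version"]:
        lines.append("Endpoints with an unrecognised OS version (check manually):")
        lines += [f"- {h}" for h in selection["unknown_version"]]
    return "\n".join(lines)


def verify_and_record(targets: list[Endpoint], observed: dict[str, frozenset[str]],
                      patched_endpoints: set[str]) -> dict[str, list[str]]:
    """Steps 8 to 10: 'observed' maps hostname -> hotfixes read back after the update ran.
    Only verified hosts are recorded as patched; failures are returned for the ticket update."""
    applied, failed = [], []
    for e in targets:
        if required_hotfix(e) in observed.get(e.hostname, frozenset()):
            applied.append(e.hostname)
            patched_endpoints.add(e.hostname)
        else:
            failed.append(e.hostname)
    return {"applied": applied, "failed": failed}


# Constructed inventory.
INVENTORY = [
    Endpoint("ws-01", "Windows 7", frozenset({"KB-OTHER"})),
    Endpoint("ws-02", "Windows 7", frozenset({"KB-PLACEHOLDER-WIN7"})),
    Endpoint("srv-01", "Windows Server 2008 R2", frozenset()),
    Endpoint("srv-02", "Windows Server 2012 R2", frozenset()),   # no mapping in this example
    Endpoint("lx-01", "Ubuntu 16.04", frozenset()),
    Endpoint("ws-03", "Windows 10", frozenset()),                 # already recorded as patched
]


def run_example() -> tuple[dict, dict, set[str], str]:
    patched = {"ws-03"}
    selection = select_unpatched(INVENTORY, patched)
    targets = [e for e in INVENTORY if e.hostname in selection["unpatched"]]
    # Constructed post-update readings: srv-01's update did not take.
    observed = {"ws-01": frozenset({"KB-PLACEHOLDER-WIN7"}), "srv-01": frozenset()}
    outcome = verify_and_record(targets, observed, patched)
    return selection, outcome, patched, ticket_body(selection)


if __name__ == "__main__":
    selection, outcome, patched, ticket = run_example()
    print(ticket)
    print("applied:", outcome["applied"], "failed:", outcome["failed"], "recorded:", sorted(patched))
```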

Custom List: WannaCry IOCs – File Names (wannacry_file_names)

File names include:

@Please_Read_Me@.txt
@WanaDecryptor@.exe
@WanaDecryptor@.exe.lnk
Please Read Me!.txt
tasksche.exe
qeriuwjhrf
131181494299235.bat
176641494574290.bat
217201494590800.bat
!WannaDecryptor!.exe.lnk
00000000.pky
00000000.eky
00000000.res
taskdl.exe

This Custom List should contain the known file names associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides a list of file names associated with the ransomware malware on their blog. You can access that article here.

Custom List: WannaCry IOCs – File Hashes (wannacry_hashes)

File hashes include:

This Custom List should contain the known file hash values associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides a list of file hash values associated with the ransomware malware on their blog. You can access that article here.

Custom List: WannaCry IOCs – IP Addresses (wannacry_ip_addrs)

IP Addresses include:

197.231.221.221
128.31.0.39
149.202.160.69
46.101.166.19
91.121.65.179
2.3.69.209
146.0.32.144
50.7.161.218
217.79.179.177
213.61.66.116
212.47.232.237
81.30.158.223
79.172.193.32
38.229.72.16

This Custom List should contain the known IP Addresses associated with WannaCrypt, with most being Command and Control (CnC) servers. Be sure to regularly update this list with the latest threat intelligence. IBM X-Force has created a collection on their X-Force Exchange platform that includes IP Addresses associated with the ransomware malware. That collection can be found here.

Custom List: WannaCry IOCs – DNS Domains (wannacry_domains)

DNS Domains include:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Rphjmrpwmfv6v2e.onion
Gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

This Custom List should contain the known DNS Domains associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides DNS Domains associated with the ransomware malware on their blog. You can access that article here.

Next Steps

On Platform

If you already have the Phantom Enterprise or Community Edition, these new playbooks will appear after the platform’s next sync with the Github repository Phantom Cyber / Playbooks. To manually synchronize the repository with Github, be sure to check the “Force Update” box when updating from source control in the Playbook listing page. If you need to download Phantom to get started, you can do that here.

Jam Session

Join us this Wednesday for our next Phantom Jam Session. The WannaCry Ransomware will be the topic for this session. Register here.

References:

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

http://blog.talosintelligence.com/2017/05/wannacry.html

https://securingtomorrow.mcafee.com/business/analysis-wannacry-ransomware-outbreak/