NOTE: Updated January 25, 2018
What Happened
On Friday, May 12, 2017, a series of broad attacks began that spread the latest version of the WanaCrypt0r ransomware, including worm-like tactics to infect additional hosts within the network. These attacks, also referred to as WannaCrypt or WannaCry, reportedly impacted systems of public and private organizations worldwide. Our Next-Generation Security Platform automatically created, delivered and enforced protections from this attack. We also highly recommend that users ensure they always have up-to-date protections in place as the WannaCry ransomware will continue to pose a persistent threat to unpatched systems.
How the Attack Works
While the initial infection vector for WanaCrypt0r is unclear, it is certain that once inside a network it attempts to spread to other hosts over SMB (TCP port 445) by exploiting the Microsoft Windows SMBv1 vulnerability CVE-2017-0144 with the EternalBlue exploit. The exploit was publicly released by the Shadow Brokers group in April 2017; Microsoft had already addressed the vulnerability in March 2017 with security bulletin MS17-010.
Microsoft published a post on protections from the WanaCrypt0r attacks and has taken the unusual step of providing patches for versions of Windows that are no longer supported, including Windows XP. Hosts that have the MS17-010 update applied cannot be infected through WanaCrypt0r's SMB spreading, but given that the bulletin addresses a remotely exploitable vulnerability in a core networking component that is now under active attack, we strongly urge making deployment of this security update a priority. Where a host cannot be patched immediately, blocking TCP port 445 at segment boundaries and disabling SMBv1 reduces its exposure in the meantime.
Preventions
Palo Alto Networks customers are protected from WanaCrypt0r ransomware through our Next-Generation Security Platform, which employs a prevention-based approach that automatically stops threats across the attack lifecycle, using multiple complementary prevention controls including:
Detecting compromised hosts can be done through multiple methods:
For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to our Knowledge Base article. We strongly recommend that all Windows users ensure they have the latest patches made available by Microsoft installed, including versions of software that have reached end-of-life support.
Custom IPS signature:
Note: Check that the “entry name” does not collide with an existing custom IPS signature on your next-generation firewall, and change it if needed. Do not set the action to “block.” Several of these domains are WannaCry kill switches: the malware queries such a domain before encrypting and aborts if the lookup succeeds, so blocking the DNS request makes the malware proceed with its destructive actions on infected hosts. Let the query through, alert on it, and use the alert to identify the infected host. As always, we recommend you review your policies to ensure you have configured the appropriate actions for all security policy rules. This signature is provided as a sample, and you should verify its effectiveness with your existing processes:
```xml
<spyware-threat version="8.0.0">
  <entry name="15001">
    <signature>
      <standard>
        <entry name="WannaCry Domains">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 2">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xifferfsodp9ifjaposdfjhgosurijfaewrwergwea\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 3">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xiuqssfsodp9ifjaposdfjhgosurijfaewrwergwea\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 4">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xudhridhfowhgibe9vheiviehfiehbfvieheifheih\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 5">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 6">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xiuqerxxxdp9ifjaposdfjhgosurijfaewrwergwea\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 7">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xiuqerfsodp9ifjaposdfjhgosurijfaewrwergwff\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 8">
                  <operator>
                    <pattern-match>
                      <pattern>\x29\xccncertnomorecryaadrtifaderesddferrrqdfwa\x03\xcom</pattern>
                      <context>dns-req-section</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>no</order-free>
          <scope>protocol-data-unit</scope>
        </entry>
      </standard>
    </signature>
    <default-action>
      <alert/>
    </default-action>
    <threatname>WannaCry Domains</threatname>
    <severity>informational</severity>
    <direction>client2server</direction>
  </entry>
</spyware-threat>
```
Malicious domains:
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
udhridhfowhgibe9vheiviehfiehbfvieheifheih[.]com
ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
iuqerxxxdp9ifjaposdfjhgosurijfaewrwergwea[.]com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff[.]com
ccncertnomorecryaadrtifaderesddferrrqdfwa[.]com
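The patterns in the signature above are the DNS wire encoding of these domains: a one-byte label length (0x29 = 41 characters), the label, then 0x03 and "com". The following is an added example, not code from the original post or from Palo Alto Networks, that shows this encoding, renders a domain the way the signature's <pattern> element spells it, and runs an alert-only matcher over a constructed DNS query so you can see what the signature fires on. The packet bytes, the function names and the "alert"/"allow" outcome labels are assumptions made for the example.

```python
import struct

# Domains from the signature above (defanging brackets removed), lower-cased.
WATCHLIST = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "udhridhfowhgibe9vheiviehfiehbfvieheifheih.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "iuqerxxxdp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
    "ccncertnomorecryaadrtifaderesddferrrqdfwa.com",
}


def encode_qname(name):
    """DNS wire-format name: length byte + label for each label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name, txid=0x1234):
    """Constructed sample packet: one standard A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def decode_qname(payload, offset=12):
    """Decode the question name; returns (name, offset after the terminating zero).
    Compression pointers are not valid in a question QNAME, so they are rejected."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), offset


def pan_pattern(name):
    """Spell a domain the way the signature's pattern element does:
    each length byte as a hex escape, followed by the literal label text."""
    return "".join(r"\x%02x\x" % len(label) + label
                   for label in name.rstrip(".").split("."))


def inspect_query(payload):
    """Alert-only check mirroring the signature: report the hit, never block it."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    if flags & 0x8000:                       # QR bit set: a response, not a request
        return {"query": False, "name": None, "hit": False, "action": "allow"}
    name, _ = decode_qname(payload)
    hit = name in WATCHLIST
    return {"query": True, "name": name, "hit": hit,
            "action": "alert" if hit else "allow"}


if __name__ == "__main__":
    ks = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
    print(pan_pattern(ks))
    print(encode_qname(ks).hex())
    print(inspect_query(build_dns_query(ks)))
```

Two things to check against your own deployment: the matcher above lower-cases the decoded name because DNS names are case-insensitive and some resolvers randomize query case, whereas the signature's pattern is a literal byte string, so confirm how your engine treats case; and the "alert" outcome is deliberate, because a kill-switch query that is blocked lets the malware continue to encrypt.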
Change Log:
January 25, 2018:
May 13, 2017:
May 15, 2017:
May 17, 2017: