{"id":84432,"date":"2017-06-22T12:47:59","date_gmt":"2017-06-22T07:17:59","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84432"},"modified":"2017-06-22T12:47:59","modified_gmt":"2017-06-22T07:17:59","slug":"wannacrys-never-say-die-attitude-keeps-going","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/wannacrys-never-say-die-attitude-keeps-going\/","title":{"rendered":"WannaCry&#8217;s Never Say Die Attitude Keeps It Going!"},"content":{"rendered":"<p>Over the past few months, the cybersecurity world has been abuzz with the infamous <a href=\"https:\/\/en.wikipedia.org\/wiki\/WannaCry_ransomware_attack\">WannaCry<\/a> ransomware attack. The attack was launched on a massive scale. The campaign started after a hacker group called <a href=\"https:\/\/en.wikipedia.org\/wiki\/The_Shadow_Brokers\">Shadow Brokers<\/a> leaked NSA exploits. Taking advantage of unpatched systems all over the globe, the attack spread across 150 countries. The WannaCry ransomware attack used the exploit called \u2018EternalBlue\u2019. The worm-like functionality of this exploit made a deadlier impact by propagating to interconnected computers over the Windows <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa365233(v=vs.85).aspx\">SMB<\/a> protocol. 
Microsoft\u2019s security bulletin <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a> addresses the vulnerabilities exploited in this particular attack.<\/p>\n<p>This blog post gives an insight into the attack\u2019s timeline and recent observations made around its continued existence to date.<\/p>\n<p><strong>Here is how it happened<\/strong><\/p>\n<figure id=\"attachment_84434\" aria-describedby=\"caption-attachment-84434\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-84434\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/Timeline-650x129.png\" alt=\"Fig 1. Timeline of WannaCry ransomware attack\" width=\"650\" height=\"129\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/Timeline-650x129.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/Timeline-300x60.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/Timeline.png 688w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84434\" class=\"wp-caption-text\">Fig 1. Timeline of WannaCry ransomware attack<\/figcaption><\/figure>\n<p>On April 8, 2017, the leaked NSA exploits were made publicly available by the Shadow Brokers group. A week later, Microsoft issued a <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/04\/14\/protecting-customers-and-evaluating-risk\/\">blog<\/a> post describing its patches for the vulnerabilities targeted by the leaked NSA exploits. The exploits used in the WannaCry attack had already been patched in the <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a> security bulletin released on March 14, 2017. 
As the timeline above shows (see Fig 1.), Quick Heal and Seqrite products already had IDS\/IPS detections for \u2018EternalBlue\u2019 and other exploits well before WannaCry was first reported. Quick Heal Security Labs released an IDS\/IPS <a href=\"https:\/\/blogs.quickheal.com\/ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak\/\">advisory<\/a> on May 13, 2017, to address this issue.<\/p>\n<p>In addition to IDS\/IPS (network-based) detections, other detection mechanisms present in Quick Heal and Seqrite products were capable of detecting the WannaCry ransomware. This was a perfect example of how multi-layered security products such as Quick Heal and Seqrite can mitigate such severe attacks. The features listed below played a crucial role in dealing with this attack.<\/p>\n<ul>\n<li>IDS\/IPS (Network-based detections)<\/li>\n<li>Virus Protection (Host-based detections)<\/li>\n<li>Behavior Detection System (Host-based behavioral detections)<\/li>\n<li>Anti-ransomware system (Host-based behavioral detections specially designed to detect ransomware)<\/li>\n<\/ul>\n<p>Apart from the above features, the \u201cBackup and Restore\u201d functionality turned out to be a useful tool for users to back up critical data on their machines.<\/p>\n<p><strong>The WannaCry attack continues<\/strong><\/p>\n<p>More than a month after the WannaCry attack started, its traces are still being seen. This clearly implies the existence of unpatched systems. We are still observing pings to the \u2018<a href=\"https:\/\/www.theguardian.com\/technology\/2017\/may\/13\/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack\">kill switch<\/a>\u2019 domains which were found in early WannaCry ransomware samples.<\/p>\n<p><em>The \u2018kill switch\u2019 refers to a domain name which was hard-coded in the WannaCry ransomware. 
If the domain was found alive, the WannaCry attack would stop.<\/em><\/p>\n<p>Pings were seen to the following \u2018kill switch\u2019 domains:<\/p>\n<p>iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com<br \/>\nifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com<\/p>\n<figure id=\"attachment_84435\" aria-describedby=\"caption-attachment-84435\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-84435\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/kill-switch-histogram-650x165.png\" alt=\"Fig 2. Pings seen to WannaCry \u2018kill-switch\u2019 domains\" width=\"650\" height=\"165\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/kill-switch-histogram-650x165.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/kill-switch-histogram-300x76.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/kill-switch-histogram-768x195.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/kill-switch-histogram-789x200.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/kill-switch-histogram.png 1075w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84435\" class=\"wp-caption-text\">Fig 2. Pings seen to WannaCry \u2018kill-switch\u2019 domains<\/figcaption><\/figure>\n<p>Although the recorded pings for the above domains were not large in number, they still show that the attack persists.<\/p>\n<p>The passive DNS replication seen for the above domains looks like the below:<\/p>\n<figure id=\"attachment_84436\" aria-describedby=\"caption-attachment-84436\" style=\"width: 647px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84436\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/IPtable.png\" alt=\"Fig 3. 
DNS replication of \u2018kill-switch\u2019 domains\" width=\"647\" height=\"215\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/IPtable.png 647w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/IPtable-300x100.png 300w\" sizes=\"(max-width: 647px) 100vw, 647px\" \/><figcaption id=\"caption-attachment-84436\" class=\"wp-caption-text\">Fig 3. DNS replication of \u2018kill-switch\u2019 domains<\/figcaption><\/figure>\n<p><strong>IPS hits trend for Shadow Broker exploits<\/strong><\/p>\n<p>Soon after the WannaCry ransomware attack, the exploits were integrated into various campaigns such as <a href=\"https:\/\/github.com\/stamparm\/EternalRocks\">EternalRocks<\/a> and <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar\">Adylkuzz<\/a>. Below is the detection hits trend for the Shadow Broker exploits.<\/p>\n<figure id=\"attachment_84437\" aria-describedby=\"caption-attachment-84437\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-84437\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits-650x206.png\" alt=\"Fig 4. 
IPS Hits Trend For Shadow Broker Exploits\" width=\"650\" height=\"206\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits-650x206.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits-300x95.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits-768x243.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits-789x250.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/shadow_brokers_exploit_hits.png 1227w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84437\" class=\"wp-caption-text\">Fig 4. IPS Hits Trend For Shadow Broker Exploits<\/figcaption><\/figure>\n<p>Over 2 million hits have been recorded so far for all the Shadow Broker exploits. Dips are observed on weekends.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>All the evidence discussed in this post clearly signifies the continued presence of WannaCry ransomware attacks in the wild. Despite the patches available from Microsoft, there are still unpatched machines at risk. The multi-layered approach in Quick Heal and Seqrite products provides a strong defence against such complex attacks. 
<strong>Quick Heal and Seqrite users are protected from the WannaCry ransomware attack.<\/strong> We strongly recommend that users apply the latest security updates released by Microsoft and also the latest security updates released by Quick Heal.<\/p>\n<p><strong>Also Read<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.quickheal.com\/ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak\/\">https:\/\/blogs.quickheal.com\/ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.quickheal.com\/wannacry-ransomware-creating-havoc-worldwide-exploiting-patched-windows-exploit\/\">https:\/\/blogs.quickheal.com\/wannacry-ransomware-creating-havoc-worldwide-exploiting-patched-windows-exploit\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.quickheal.com\/wannacry-ransomware-recap-everything-need-know\/\">https:\/\/blogs.quickheal.com\/wannacry-ransomware-recap-everything-need-know\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Over the past few months, the cybersecurity world has been abuzz with the infamous WannaCry ransomware attack. The attack was launched on a massive scale. The campaign started after a hacker group called Shadow Brokers leaked NSA exploits. 
Taking advantage of unpatched systems all over the globe, the attack spread [&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":84329,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[1173,506,1464,50,1463,1462],"class_list":["post-84432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","tag-exploit","tag-hack","tag-leak","tag-ransomware","tag-shadow-broker","tag-wannacry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84432"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84432"}],"version-history":[{"count":1,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84432\/revisions"}],"predecessor-version":[{"id":84438,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84432\/revisions\/84438"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84329"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}