Cyphort identifies harder to kill WannaCry Ransomware

May 15, 2017 by Mounir Hahad

In the course of our research on the massive WannaCry ransomware campaign, which has affected more than a hundred countries since Friday, May 12, Cyphort researchers have come across a sample that the now well-known "kill switch" cannot stop: its check-in domain sits under a top-level domain that cannot be registered.

In the blog posted at https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html, @MalwareTechHunter describes registering a particular domain that acted as a kill switch for the ransomware campaign and slowed its spread considerably. That in itself is a great achievement.

However, our sample performs the same check against a different domain, one that cannot easily be sinkholed.

sha256: bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb

Here is a screenshot of the infection in our sandbox:

Indeed, this sample attempts an HTTP connection to the following domain:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test

Because the DNS resolution fails (the kill switch only takes effect when the connection succeeds), the sample proceeds to scan machines on the internet for the SMB vulnerability (the one closed by MS17-010) and infect them.

You can see below the DNS request to the site above, and after failure, a series of attempts over SMB to IP addresses on the internet.
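As an added detection example (not code from the Cyphort post), the two-step behaviour above, a lookup of the kill-switch name followed by a burst of outbound SMB connections from the same host, can be correlated from DNS and firewall logs. The log lines and their "timestamp client qname" / "timestamp src dst dport action" layouts are constructed for the example. The correlation alerts only when a kill-switch lookup (one of the known names, or any name under a reserved TLD such as .test) is followed within a window by TCP/445 attempts to many distinct addresses, so a developer who happens to resolve a .test name does not trigger it.

```python
"""Correlate a kill-switch DNS lookup with a following outbound SMB scan.
Added example, not code from the Cyphort post; log formats and entries are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
KNOWN_KILL_SWITCH = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test",
}

# Constructed DNS query log: "<timestamp> <client> <qname>"
DNS_LOG = """\
2017-05-15T09:00:01 10.1.2.34 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test
2017-05-15T09:00:05 10.1.2.50 intranet.corp.example
2017-05-15T09:01:00 10.1.2.60 build.myproject.test
2017-05-15T09:02:10 10.1.2.77 update.microsoft.com
"""

# Constructed firewall log: "<timestamp> <src> <dst> <dport> <action>".
# 10.1.2.34 tries twelve distinct internet hosts on TCP/445 within seconds of
# its lookup; the other hosts show ordinary traffic and one lone SMB attempt.
SMB_BURST = "\n".join(
    f"2017-05-15T09:00:{2 + i // 4:02d} 10.1.2.34 198.51.100.{i + 1} 445 DENY"
    for i in range(12)
)
FW_LOG = SMB_BURST + """
2017-05-15T09:00:03 10.1.2.50 203.0.113.9 443 ALLOW
2017-05-15T09:01:02 10.1.2.60 203.0.113.11 443 ALLOW
2017-05-15T09:02:11 10.1.2.77 203.0.113.10 443 ALLOW
2017-05-15T09:10:00 10.1.2.77 198.51.100.20 445 DENY
"""

DnsEvent = Tuple[datetime, str, str]        # time, client, qname
FwEvent = Tuple[datetime, str, str, int]    # time, src, dst, dport


def parse_dns(text: str) -> List[DnsEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qname.rstrip(".").lower()))
    return events


def parse_fw(text: str) -> List[FwEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, _action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def is_kill_switch_lookup(qname: str) -> bool:
    """Known kill-switch names, plus anything under a reserved TLD: such a name
    can never resolve on the public internet, so a lookup of it followed by
    worm behaviour is the signal we want."""
    return qname in KNOWN_KILL_SWITCH or qname.rsplit(".", 1)[-1] in RESERVED_TLDS


def find_kill_switch_then_scan(dns: List[DnsEvent], fw: List[FwEvent],
                               window: timedelta = timedelta(minutes=5),
                               min_targets: int = 10) -> List[Dict[str, object]]:
    """Alert when a host does a kill-switch lookup and then, within `window`,
    opens TCP/445 to at least `min_targets` distinct addresses."""
    smb_by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in fw:
        if dport == 445:
            smb_by_src[src].append((ts, dst))

    alerts = []
    for ts, client, qname in dns:
        if not is_kill_switch_lookup(qname):
            continue
        targets = {dst for t, dst in smb_by_src.get(client, []) if ts <= t <= ts + window}
        if len(targets) >= min_targets:
            alerts.append({"host": client, "qname": qname,
                           "smb_targets": len(targets), "lookup_at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_kill_switch_then_scan(parse_dns(DNS_LOG), parse_fw(FW_LOG)):
        print(alert)
```

Only 10.1.2.34 is reported: it looked up the .test kill-switch name and then hit twelve distinct hosts on port 445 within the window. 10.1.2.60 also resolved a .test name but shows no SMB activity, and 10.1.2.77 made a single SMB attempt without any kill-switch lookup, so neither alerts. The window and the distinct-target threshold are the knobs to tune against your own baseline of port 445 traffic.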

Since this domain is under the .test TLD, it cannot be registered. That TLD is reserved by the IETF (Internet Engineering Task Force) in RFC 2606 for testing purposes only, and RFC 6761 directs resolvers to answer NXDOMAIN for it by default, so on the public internet the lookup will always fail and the kill switch will never trigger.
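To make the decision concrete, here is an added illustration (not code from the Cyphort post or from the malware) of the kill-switch rule and of what the three settings discussed on this page do to it: the original .com name after it was sinkholed, the .test name on public DNS, and the .test name on an internal resolver that answers for the whole TLD. The resolver and the HTTP fetch are stand-ins for the sample's real DNS lookup and InternetOpenUrlA call, and the sinkhole address 192.0.2.10 is a placeholder from the documentation range.

```python
"""Model of the WannaCry kill-switch decision and of why a name under .test
defeats a public sinkhole.  Added illustration, not code from the Cyphort
post or from the malware; the resolver and the HTTP fetch are stand-ins for
the sample's real DNS lookup and InternetOpenUrlA call."""
from typing import Callable, Dict, Optional, Set

# Top-level names reserved by RFC 2606 / RFC 6761: no registry delegates them,
# so nobody, researcher or criminal, can buy a name under them.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

# The two kill-switch names discussed in the post.
KILL_SWITCH_COM = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
KILL_SWITCH_TEST = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test"

Resolver = Callable[[str], Optional[str]]


def tld(name: str) -> str:
    """Last label of a fully qualified name, lower-cased."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def is_registrable(name: str) -> bool:
    """False for names under an RFC 2606 reserved TLD."""
    return tld(name) not in RESERVED_TLDS


def make_resolver(registered: Dict[str, str],
                  local_zones: Optional[Dict[str, str]] = None) -> Resolver:
    """Build a resolver.

    `registered` models the public DNS tree (only registered names answer).
    `local_zones` models an internal DNS server that is authoritative for a
    whole TLD and answers every name under it with one address (the post's
    mitigation).  A default resolver returns NXDOMAIN for reserved TLDs
    without asking the root servers (RFC 6761).
    """
    local_zones = local_zones or {}

    def resolve(name: str) -> Optional[str]:
        t = tld(name)
        if t in local_zones:
            return local_zones[t]
        if t in RESERVED_TLDS:
            return None
        return registered.get(name.rstrip(".").lower())

    return resolve


def http_get_succeeds(name: str, resolve: Resolver, web_hosts: Set[str]) -> bool:
    """Stand-in for InternetOpenUrlA: succeeds only if the name resolves AND a
    web server answers at that address.  A DNS record alone is not enough."""
    ip = resolve(name)
    return ip is not None and ip in web_hosts


def wannacry_spreads(name: str, resolve: Resolver, web_hosts: Set[str]) -> bool:
    """The kill-switch rule: a successful fetch means 'exit quietly'; any
    failure (NXDOMAIN, timeout, refused) means 'start the SMB worm'."""
    return not http_get_succeeds(name, resolve, web_hosts)


def scenarios() -> Dict[str, bool]:
    """True means the sample goes on to spread in that setting."""
    sinkhole_ip = "192.0.2.10"   # constructed placeholder (TEST-NET-1 range)
    web_hosts = {sinkhole_ip}    # a web server listens there

    # Public DNS after the .com name was registered and pointed at a sinkhole.
    public = make_resolver({KILL_SWITCH_COM: sinkhole_ip})
    # Internal resolver that additionally answers for all of .test.
    internal = make_resolver({KILL_SWITCH_COM: sinkhole_ip},
                             local_zones={"test": sinkhole_ip})

    return {
        "com_after_public_sinkhole": wannacry_spreads(KILL_SWITCH_COM, public, web_hosts),
        "test_on_public_dns": wannacry_spreads(KILL_SWITCH_TEST, public, web_hosts),
        "test_with_internal_override": wannacry_spreads(KILL_SWITCH_TEST, internal, web_hosts),
    }


if __name__ == "__main__":
    for setting, spreads in scenarios().items():
        print(f"{setting:30s} -> {'SPREADS' if spreads else 'stops'}")
```

The model makes the asymmetry explicit: the .com name stops the worm wherever public DNS is used, because one registration serves every victim; the .test name stops it only on networks whose own resolver is configured to answer for that TLD, and only if a web server actually responds at the address returned.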

This sample has been submitted to VirusTotal from four different countries: Germany, Australia, Denmark and South Korea, so it is unlikely to be just a researcher's test. Regardless, this variant is in the wild now, and it appears to use the same bitcoin wallet as the original ransomware.

It seems that the criminals found a smarter way to keep their sandbox-evasion check while denying researchers the ability to sinkhole it: the domain they query can never be registered, so the check always fails and the malware spreads unchallenged. It is crucial to patch Windows machines as soon as possible (MS17-010) to close the SMB vulnerability and stop the spread of this ransomware. In the meantime, make sure you have a good backup of your important files.

Our recommendations are:

  • If you run your own DNS resolver, make it authoritative for the .test TLD and point every name under it at an internal web server that answers HTTP on port 80. A DNS answer alone does nothing: the sample only stops when the HTTP request succeeds.
  • Make sure your systems are patched (MS17-010).
  • Disable SMBv1.
  • Keep backups, keep a copy offline, and test a restore once in a while.
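A concrete form of the first recommendation, as an added example and not configuration from the Cyphort post: a BIND resolver made authoritative for the whole .test TLD, with a wildcard record that sends every name under it to an internal web server. The name server ns1.corp.example and the address 192.0.2.10 are placeholders; a web server must actually listen on port 80 at that address. One caveat: the sample opens the connection directly rather than through a configured proxy, so hosts that reach the web only via a proxy will not see the kill switch no matter what DNS answers.

```conf
// named.conf fragment: this resolver answers for all of .test itself
// instead of returning NXDOMAIN as RFC 6761 would have it do by default.
zone "test" {
    type master;
    file "/etc/bind/db.test-sinkhole";
};

// /etc/bind/db.test-sinkhole: wildcard so that ANY label under .test,
// including www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test, resolves
// to the internal web server at 192.0.2.10 (placeholder address).
$TTL 300
@       IN  SOA  ns1.corp.example. hostmaster.corp.example. (
                 2017051501 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative TTL
@       IN  NS   ns1.corp.example.
*       IN  A    192.0.2.10
```

After reloading BIND, verify from a client with `dig www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test` (expect 192.0.2.10) and `curl -I http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test/` (expect any HTTP status line); a resolved name with no listener behind it still lets the sample proceed.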

Cyphort Labs is continuing to monitor this strain for new developments and will update this blog accordingly. Kudos to Paul from Cyphort Labs for this discovery.