WannaCry Ransomware Playbook

WannaCry Response Playbook


WannaCry Incident Response Plan

This response plan includes steps to contain the threat, hunt for existing infections, and remediate. Following is a list of tasks that should be performed across your organization.

These tasks can and should be parallelized. The patching process can be slower, but it is important to start it as soon as possible, even while containment is taking place. We recommend using an automation platform and existing playbooks, if you have them available, to speed up this process.


Step 1: Contain the spread

[Image: WannaCry - Contain the Spread]
Demisto’s WannaCry Playbook on how to control the spread of the attack.

Step 2: Patch the vulnerability

  1. Deploy the MS17-010 patch
    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    Follow your emergency patching playbook. If you don’t have one, here are a few quick tips:

    1. Start with the most business-critical systems.
    2. Start with the servers that are hardest and slowest to restore from backups.
    3. Patch your test environment first and ensure that your applications continue working as expected.
    4. Test environments aren’t perfect. Wherever possible, snapshot before applying the patches; if the patch breaks things, roll back and then investigate.
  2. Patch legacy systems
    Following the scale of events, Microsoft has released a patch for Windows XP and Windows XP Embedded, available here:
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    and here:
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  3. Check for other vulnerable machines
    Verify that your systems are patched and scan for any systems in your environment that you might have missed, using a vulnerability scanning tool such as Qualys, Nessus, or whichever tools you have in place.
    Qualys QIDs relevant to WannaCrypt are listed here:
    https://blog.qualys.com/securitylabs/2017/05/12/how-to-rapidly-identify-assets-at-risk-to-wannacry-ransomware-and-eternalblue-exploit
[Image: WannaCry Patch Vulnerability]
Demisto’s WannaCry Playbook on how to patch the vulnerability.

Step 3: Protect against current variants of WannaCrypt

  1. Sinkhole the kill-switch domains
    Redirect these domains to a web server in your control:
        hxxp://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
        hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    WannaCrypt does not encrypt files if it can successfully access these URLs. These two domains have been registered by @MalwareTechBlog and @msuiche, but they have since been targeted by DDoS attacks. Just in case, you should sinkhole the domains in your own DNS servers and redirect them to a valid HTTP server in your control. Another reason to do this, and also of note: WCry’s HTTP request to the kill-switch domain ignores proxy settings and tries to contact these URLs directly, so hosts that can only reach the internet through a proxy will never reach the public kill-switch domains. If you are unable to sinkhole DNS, you may need to intercept its calls by other means, depending on your network architecture.
  2. Immunize your systems
    A host-based prevention option that doesn’t rely on exact hashes is Minerva Labs’ free Vaccinator tool:
    https://github.com/MinervaLabsResearch/Vaccinator/blob/master/README.md
    Other vaccinators have been published, but as Minerva Labs explains in the link above, for a vaccinator to work the mutex needs to be created in the same Windows session in which the exploited SMB service runs. Minerva’s vaccinator addresses this issue.
  3. Deploy IOCs

MD5 Hashes

3175E4BA26E1E75E52935009A526002C
7BF2B57F2A205768755C07F238FB32CC
DB349B97C37D22F5EA1D1841E3C89EB4
D5DCD28612F4D6FFCA0CFEAEFD606BCF
D724D8CC6420F06E8A48752F0DA11C66
31DAB68B11824153B4C975399DF0354F
4FEF5E34143E646DBF9907C4374276F5
509C41EC97BB81B0567B059AA2F50FE8
5BEF35496FCBDBE841C82F4D1AB8B7C2
638F9235D038A0A001D5EA7F5C5DC4AE
775A0631FB8229B2AA3D7621427085AD
7F7CCAA16FB15EB1C7399D422F8363E8
8495400F199AC77853C53B5A3F278F3E
84C82835A5D21BBCF75A61706D8AB549
86721E64FFBD69AA6944B9672BCABB6D
8DD63ADB68EF053E044A5A2F46E0D2CD
B0AD5902366F860F85B892867E5B1E87
B675498639429B85AF9D70BE1E8A8782
D6114BA5F10AD67A4131AB72531F02DA
E372D07207B4DA75B3434584CD9F3450
F107A717F76F4F910AE9CB4DC5290594
F529F4556A5126BBA499C26D67892240
4DA1F312A214C07143ABEEAFB695D904
3BC855BFADFEA71A445080BA72B26C1C
B9B3965D1B218C63CD317AC33EDCB942
808182340FB1B0B0B301C998E855A7C8
5C7FB0927DB37372DA25F270708103A2
66DDBD108B0C347550F18BB953E1831D
B6DED2B8FE83BE35341936E34AA433E5

SHA1 Hashes

5D68E2779E2CCCEE49188363BE6CDDBB0BAC7053
14249E7FB3FB6F4B363C47D5AAE9F46DAB2083C1
47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
87420A2791D18DAD3F18BE436045280A4CC16FC4
50049556B3406E07347411767D6D01A704B6FEE6
AF7DB69CBAA6AB3E4730AF8763AE4BF7B7C0C9B2
8286354A6A051704DEC39993AF4E127D317F6974
45356A9DD616ED7161A3B9192E2F318D0AB5AD10
BD44D0AB543BF814D93B719C24E90D8DD7111234
BE5D6279874DA315E3080B06083757AAD9B32C23
5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467
8897C658C0373BE54EEAC23BBD4264687A141AE1
1BC604573CEAB106E5A0E9C419ADE38739228707
A52E025D579BEBAE7C64CB40236B469B3C376024
B8B49A36A52ABCF537FEBCBF2D09497BEE79987D
A1818054B40EC9E28BEBE518ECC92F4ECEAFFEF4
E889544AFF85FFAF8B0D0DA705105DEE7C97FE26
F3839C1CDE9CE18021194573FDF0CAE09A62172F
51E4307093F8CA8854359C0AC882DDCA427A813C
FB18818FC383330B401FC5B332CC63A5BBD4CD30
B629F072C9241FD2451F1CBCA2290197E72A8F5E
BC978DB3D2DC20B1A305D294A504BB0CEB83F95A
02408BB6DC1F3605A7D3F9BAD687A858EC147896
4FDAE49BE25846CA53B5936A731CE79C673A8E1F
120ED9279D85CBFA56E5B7779FFA7162074F7A29
432C1A5353BAB4DBA67EA620EA6C1A3095C5D4FA
64B8E679727E99A369A2BE3ED800F7B969D43AA8

SHA256 Hashes

7E369022DA51937781B3EFE6C57F824F05CF43CBD66B4A24367A19488D2939E4
9B60C622546DC45CCA64DF935B71C26DCF4886D6FA811944DBC4E23DB9335640
4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
09A46B3E1BE080745A6D8D88D6B5BD351B1C7586AE0DC94D0C238EE36421CAFA
4186675CB6706F9D51167FB0F14CD3F8FCFB0065093F62B10A15F7D9A6C8D982
5AD4EFD90DCDE01D26CC6F32F7CE3CE0B4D4951D4B94A19AA097341AFF2ACAEC
00FDB4C1C49AEF198F37B8061EB585B8F9A4D5E6C62251441831FE2F6A0A25B7
B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
C365DDAA345CFCAFF3D629505572A484CFF5221933D68E4A52130B8BB7BADAF9
201F42080E1C989774D05D5B127A8CD4B4781F1956B78DF7C01112436C89B2C9
CA29DE1DC8817868C93E54B09F557FE14E40083C0955294DF5BD91F52BA469C8
7108D6793A003695EE8107401CFB17AF305FA82FF6C16B7A5DB45F15E5C9E12D
7C465EA7BCCCF4F94147ADD808F24629644BE11C0BA4823F16E8C19E0090F0FF
24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
4B76E54DE0243274F97430B26624C44694FBDE3289ED81A160E0754AB9F56F32
F8812F1DEB8001F3B7672B6FC85640ECB123BC2304B563728E6235CCBE782D85
DFF26A9A44BAA3CE109B8DF41AE0A301D9E4A28AD7BD7721BBB7CCD137BFD696
AEE20F9188A5C3954623583C6B0E6623EC90D5CD3FDEC4E1001646E27664002C
2372862AFAA8E8720BC46F93CB27A9B12646A7CBC952CC732B8F5DF7AEBB2450
43D1EF55C9D33472A5532DE5BBE814FEFA5205297653201C30FDC91B8F21A0ED
49FA2E0131340DA29C564D25779C0CAFB550DA549FAE65880A6B22D45EA2067F
616E60F031B6E7C4F99C216D120E8B38763B3FAFD9AC4387ED0533B15DF23420
043E0D0D8B8CDA56851F5B853F244F677BD1FD50F869075EF7BA1110771F70C2
5D26835BE2CF4F08F2BEEFF301C06D05035D0A9EC3AFACC71DFF22813595C0B9
76A3666CE9119295104BB69EE7AF3F2845D23F40BA48ACE7987F79B06312BBDF
BE22645C61949AD6A077373A7D6CD85E3FAE44315632F161ADC4C99D5A8E6844
F7C7B5E4B051EA5BD0017803F40AF13BED224C4B0FD60B890B6784DF5BD63494
FC626FE1E0F4D77B34851A8C60CDD11172472DA3B9325BFE288AC8342F6C710A

Additional hashes have been published by US-CERT.


File extensions

*.WCRYT and *.WCRY

File names

b.wnry
c.wnry
s.wnry
u.wnry
t.wnry
r.wnry

Process names

mssecsvc.exe
tasksche.exe
taskse.exe
taskdl.exe


Domains

The kill-switch domains (above) should not be blocked: WannaCrypt only encrypts when it cannot reach them. Deploy them on watchlist / detect-only tools instead.

Most organizations block TOR, but if you do allow it, watch for traffic to:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Mutex

MsWinZonesCacheCounterMutexA
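The sinkhole step above has a verification problem worth automating: the malware resolves the kill-switch names with the host's normal resolver and then connects directly, ignoring proxy settings, so a check that goes through your proxy tells you nothing about what an infected host will see. The following script is an added example (not Demisto's code and not part of the original playbook) that checks both conditions the way the malware would. The sinkhole address 198.51.100.10 is a placeholder from the TEST-NET-2 range; the resolver and fetcher are injectable so the check can be exercised without network access.

```python
"""Verify that the WannaCry kill-switch domains are sinkholed the way an
infected host will see them: each name resolves (via the system resolver)
to our sinkhole and that sinkhole answers a plain HTTP GET made WITHOUT
any proxy. Added example, not part of the Demisto playbook."""
import socket
import urllib.error
import urllib.request

KILL_SWITCH_DOMAINS = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
]
SINKHOLE_IP = "198.51.100.10"  # placeholder (TEST-NET-2); use your own sinkhole


def resolve(domain):
    """Resolve with the system resolver, exactly as an infected host would."""
    return socket.gethostbyname(domain)


def fetch_direct(domain, timeout=5):
    """HTTP GET that bypasses every proxy setting (empty ProxyHandler).
    This mirrors WCry's direct connection attempt; a request routed through
    the corporate proxy would not reflect what the malware experiences."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open("http://%s/" % domain, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # server answered, but not with 2xx
    except (urllib.error.URLError, OSError):
        return None              # no HTTP answer at all


def check_sinkhole(domains, sinkhole_ip, resolver=resolve, fetcher=fetch_direct):
    """Return {domain: (ok, detail)}. ok is True only when the name resolves
    to the sinkhole AND the sinkhole answers HTTP 200, i.e. the 'valid HTTP
    server in your control' the playbook asks for."""
    results = {}
    for domain in domains:
        try:
            ip = resolver(domain)
        except OSError as err:
            results[domain] = (False, "resolution failed: %s" % err)
            continue
        if ip != sinkhole_ip:
            results[domain] = (False, "resolves to %s, not sinkhole %s" % (ip, sinkhole_ip))
            continue
        status = fetcher(domain)
        if status == 200:
            results[domain] = (True, "sinkholed at %s, HTTP 200" % ip)
        elif status is None:
            results[domain] = (False, "sinkhole %s gave no HTTP answer" % ip)
        else:
            results[domain] = (False, "sinkhole %s answered HTTP %s" % (ip, status))
    return results


def all_sinkholed(results):
    """True when every kill-switch domain passed both checks."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    report = check_sinkhole(KILL_SWITCH_DOMAINS, SINKHOLE_IP)
    for name, (ok, detail) in report.items():
        print("%s %s: %s" % ("OK  " if ok else "FAIL", name, detail))
```

Run it from a host in each network segment where infected machines could sit, since split-horizon DNS and per-segment egress rules can make the sinkhole reachable from the SOC but not from the workstation VLAN.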

Step 4: Hunt for WannaCrypt infections

Any identified endpoints should be quarantined quickly until they can be cleaned.

Network activity

  1. IDS/IPS logs
    Check for hits on signatures for WannaCrypt, MS17-010 and EternalBlue.
  2. HTTP logs
    Look for HTTP traffic to the WannaCrypt kill-switch domains.
  3. DNS logs
    Look for DNS requests for the WannaCrypt kill-switch domains.
  4. Netflow / IP traffic logs
    Look for illicit TOR traffic (used for the WannaCrypt C&C).
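The HTTP, DNS and TOR checks in the list above reduce to matching the playbook's network indicators against whatever logs you have. The script below is an added example (not Demisto's code) that runs that match over DNS query-log, proxy access-log and similar lines, tags each hit as a kill-switch contact, a known C&C hidden service, or other Tor use, and produces the list of source hosts to quarantine. The sample log lines are constructed for the example; the regular expressions assume the client address is the first IPv4 address on the line, which holds for BIND query logs and common proxy formats but should be checked against your own.

```python
"""Hunt DNS, HTTP/proxy and flow logs for WannaCrypt network IoCs from the
playbook: the two kill-switch domains and the five Tor C&C addresses.
Added example, not Demisto's code; sample lines are constructed."""
import re

KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
TOR_C2_DOMAINS = {
    "gx7ekbenv2riucmf.onion",
    "57g7spgrzlojinas.onion",
    "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# host names ending in .com or .onion; widen the TLD list for your environment
HOSTNAME = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:com|onion)\b", re.I)

# Constructed sample lines: BIND-style query log, proxy access log, query log
SAMPLE_LOGS = [
    "12-May-2017 10:02:11.001 client 10.1.4.22#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +",
    '10.1.4.22 - - [12/May/2017:10:02:12 +0000] "GET http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ HTTP/1.1" 200 0',
    "12-May-2017 10:03:40.118 client 10.1.7.9#40211: query: gx7ekbenv2riucmf.onion IN A +",
    "12-May-2017 10:04:01.532 client 10.1.5.3#55555: query: www.example.com IN A +",
    "12-May-2017 10:05:17.009 client 10.1.7.9#40212: query: abcdefghijklmnop.onion IN A +",
]


def classify(hostname):
    """Map a host name to an IoC class, or None if it is not interesting."""
    host = hostname.lower()
    if host in KILL_SWITCH_DOMAINS:
        return "kill-switch"   # WCry executed on this host and phoned the kill switch
    if host in TOR_C2_DOMAINS:
        return "tor-c2"        # known WannaCrypt C&C hidden service
    if host.endswith(".onion"):
        return "tor-other"     # Tor use the playbook says to watch regardless
    return None


def hunt(lines):
    """Return one hit dict per (line, indicator) match."""
    hits = []
    for line in lines:
        ips = IPV4.findall(line)
        src = ips[0] if ips else "unknown"   # first address is the client in these formats
        for host in HOSTNAME.findall(line):
            kind = classify(host)
            if kind:
                hits.append({"src": src, "indicator": host.lower(), "kind": kind, "line": line})
    return hits


def hosts_to_quarantine(hits):
    """Hosts that touched a WannaCrypt-specific indicator (not just generic Tor use)."""
    return sorted({h["src"] for h in hits if h["kind"] in ("kill-switch", "tor-c2")})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for hit in found:
        print("%-12s %-11s %s" % (hit["src"], hit["kind"], hit["indicator"]))
    print("quarantine:", ", ".join(hosts_to_quarantine(found)))
```

A kill-switch hit is itself worth an endpoint check: the host reached the domain, so its files were probably not encrypted, but the worm component still ran there and may have scanned for other SMB targets.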

Endpoint activity

Hunt for hashes, process names and names of newly created files on endpoints, using the IoCs above.
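The endpoint hunt above is a file-system walk plus a process-list match against the IoCs listed in Step 3. The script below is an added example (not Demisto's code) that hashes every file once for all three digest types, flags dropped-file names and encrypted-file extensions, and matches process image names. Its hash sets hold only a subset of the playbook's hashes; load the full lists in practice. demo() builds a constructed sample tree in a temporary directory so the script runs offline with no real malware involved.

```python
"""Hunt an endpoint for the WannaCrypt IoCs in the playbook: file hashes,
dropped-file names, encrypted-file extensions and process names.
Added example, not Demisto's code. Hash sets are a subset of the playbook's."""
import hashlib
import ntpath
import os
import shutil
import tempfile

IOC_MD5 = {"84C82835A5D21BBCF75A61706D8AB549", "DB349B97C37D22F5EA1D1841E3C89EB4",
           "509C41EC97BB81B0567B059AA2F50FE8"}
IOC_SHA1 = {"5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467", "E889544AFF85FFAF8B0D0DA705105DEE7C97FE26"}
IOC_SHA256 = {"ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA",
              "24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C"}
IOC_FILENAMES = {"b.wnry", "c.wnry", "s.wnry", "u.wnry", "t.wnry", "r.wnry"}
IOC_EXTENSIONS = {".wcry", ".wcryt"}
IOC_PROCESSES = {"mssecsvc.exe", "tasksche.exe", "taskse.exe", "taskdl.exe"}


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA1 and SHA256 of a file in one read pass, upper-case hex like the playbook."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest().upper() for name, d in digests.items()}


def hunt_files(root, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256):
    """Walk root and return [(path, [reasons])] for every file matching an IoC."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            reasons = []
            if lname in IOC_FILENAMES:
                reasons.append("dropped file name")
            if os.path.splitext(lname)[1] in IOC_EXTENSIONS:
                reasons.append("encrypted file extension")
            try:
                h = file_hashes(path)
            except OSError:
                continue   # locked or unreadable file: skip it, keep hunting
            if h["md5"] in md5s or h["sha1"] in sha1s or h["sha256"] in sha256s:
                reasons.append("known WannaCrypt hash")
            if reasons:
                findings.append((path, reasons))
    return findings


def hunt_processes(process_names):
    """Running-process entries whose image name matches the playbook's process IoCs.
    Accepts bare names or full Windows paths (e.g. the image names from tasklist)."""
    return sorted(p for p in process_names if ntpath.basename(p).lower() in IOC_PROCESSES)


def demo():
    """Run the hunt over a constructed sample tree; returns (file findings, process hits)."""
    root = tempfile.mkdtemp(prefix="wcry-hunt-")
    try:
        samples = {   # constructed stand-ins, not malware
            "b.wnry": b"constructed stand-in for a dropped file",
            "report.docx.WCRY": b"constructed stand-in for an encrypted document",
            "notes.txt": b"benign file, must not be flagged",
            "payload.bin": b"constructed stand-in whose hash we pretend is an IoC",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # pretend the constructed payload's SHA256 is on the IoC list
        sha256s = IOC_SHA256 | {file_hashes(os.path.join(root, "payload.bin"))["sha256"]}
        files = hunt_files(root, sha256s=sha256s)
        procs = hunt_processes(["explorer.exe", "mssecsvc.exe", r"C:\Windows\tasksche.exe", "svchost.exe"])
        return {os.path.basename(p): r for p, r in files}, procs
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    file_hits, proc_hits = demo()
    for name, reasons in file_hits.items():
        print(name, "->", ", ".join(reasons))
    print("process hits:", proc_hits)
```

Point hunt_files at user profiles and the system root rather than the whole disk on a first pass; hashing every file is the slow part, and the name and extension checks alone already surface an active infection.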

[Image: WannaCry - Hunt for WannaCrypt Infections]
Demisto’s WannaCry Playbook on how to hunt for WannaCrypt infections.

Step 5: Review your backups

Ensure your critical systems have good offline backups. If your current setup sends backups over SMB to a vulnerable server, WannaCry would have hit your backups too.

Step 6: Harden your environment

  1. Reduce internet-facing services that create more attack surface: SMB should not be exposed.
  2. Segmentation: only enable traffic between machines that should be communicating.
  3. Deploy a generic anti-ransomware product.
  4. Patch in a timely and comprehensive manner.

Step 7: Communicate the threat to your users

Send out an email explaining the threat.
Include a screenshot of the ransom screen and request your users to report if they see it anywhere, including their personal devices and at home.
Explain the importance of patching, segmentation etc. despite the inconvenience and downtime involved.

[Image: Demisto’s WannaCry Playbook]
Demisto’s WannaCry Playbook in its entirety.

Author: Lior Kolnik, Head of Security Research @ Demisto
