WannaCry Yet?

Some simple techniques to guard against wcry variants.

Kyle Bubp
Savage Security Blog
3 min read · May 15, 2017


This is just a quick blog post to follow up on the WannaCry ransomware that dropped last Friday. There are some things you can do beyond the obvious step of making sure you're up to date on patches. MS17-010 is the patch that fixes the Server Message Block version 1 (SMBv1) vulnerability, filed as CVE-2017-0144, which WannaCry exploits to spread the ransomware. Notably, Microsoft released patches for Windows XP and Server 2003, which are officially no longer supported and don't normally receive patches.

Set .js files to open in Notepad

This is relatively simple, and it prevents a .js payload from executing on a double-click. Many crypto-viruses use .js as a vector, so this is just good hygiene.

Create a GPO and link it to wherever your heart desires, but make sure it has the following setting:

User Configuration -> Preferences -> Control Panel Settings -> Folder Options -> Open With

Action: Replace
File Extension: js
Associated Program: %windir%\system32\notepad.exe
Set as Default: Enabled

Disable SMBv1 on Workstations with PowerShell

You can run this on all your workstations in a number of ways, and which one you pick will depend on your environment. More than likely you'll use WinRM. Here's the one-liner:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

Disable SMBv1 on Servers with PowerShell

Same as above, just with your server OSes. The -Force switch suppresses the confirmation prompt, which matters when you run the command over a remote session.

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
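As an added example (not code from the original post), here is one way to push both one-liners over WinRM to a list of hosts and verify the result: it uses the SMB cmdlets where they exist and falls back to the registry value on older systems such as Windows 7. The computer names are placeholders, and it assumes WinRM is enabled and you hold local administrator rights on each host.

```powershell
# Added example: disable SMBv1 on a list of hosts over WinRM and report the resulting state.
# Computer names are placeholders; assumes WinRM is enabled and you are a local admin on each host.
$Computers = @('WKS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-01')

$Results = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the SMB cmdlets apply immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $method = 'Set-SmbServerConfiguration'
    } else {
        # Older systems (e.g. Windows 7): set the registry value instead. This takes
        # effect only after the Server (LanmanServer) service restarts or the host reboots.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
        $method = 'Registry'
    }

    # Verify: prefer the cmdlet; otherwise read the registry value back.
    # A missing SMB1 value means the default, which is "enabled".
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($value -ne 0)
    }

    # New-Object rather than [pscustomobject] so this also runs under PowerShell 2.0.
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Method      = $method
        SMB1Enabled = $smb1Enabled
    }
}

# Hosts that could not be reached surface as errors from Invoke-Command and are absent here.
$Results | Sort-Object Computer | Format-Table Computer, Method, SMB1Enabled -AutoSize
```

Any host still showing SMB1Enabled = True after a reboot (registry path) or immediately (cmdlet path) needs a second look.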

You can also make sure that VSS is turned on (although many ransomware variants will turn this off and delete the shadow copies prior to encrypting). If you are feeling experimental, hackerfantastic has created WCRYSLAP which stops the malware from spreading around your environment.

Don’t block the Kill Switch domains

For unknown reasons, WannaCry checks for a special domain as a kill switch. MalwareTechBlog accidentally discovered that, if the domain didn't exist, WannaCry would execute normally; if the domain did exist, it would execute and exit without encrypting any files. Outbound calls to these domains can also be used to detect the presence of WannaCry on a network.

We've heard conflicting reports about whether WannaCry is proxy-aware, and therefore whether it can successfully reach this domain through an enterprise proxy server. It is also noteworthy that the first domain listed below is the original; the following three were produced by modifying the original malware, and the modifications had the effect of corrupting the ransomware payload. The result with the latter three is that those versions will still spread themselves, but won't encrypt files. Finally, there are reports of a version that has no kill switch, so don't get too comfortable: the ideal resolution is to apply the Microsoft patch.

The four domains observed in the wild so far are:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com

No, someone didn't pull a fast one on us with that last one: the common theory is that some troll made the modification and re-released the modified version. Whatever the story, it's in the wild. Don't worry, each of these domains was registered by researchers and is sink-holed, meaning they resolve to a non-malicious web server serving no content.

We’ll keep following WannaCry and will update this post with any more defensive tips we uncover in our research.

Kyle Bubp
Savage Security Blog

I ❤ defense. Improving security through research and practicality.