FortiGuard Labs Threat Research

WannaCry FAQ - Take-aways and Learnings

By Aamir Lakhani | May 17, 2017

How does WannaCry spread?

WannaCry has multiple ways of spreading. Its primary method is to use the Backdoor.Double.Pulsar backdoor exploit tool released last March by the hacker group known as Shadow Brokers, and managed to infect thousands of Microsoft Windows computers in only a few weeks. Because DoublePulsar runs in kernel mode, it grants hackers a high level of control over the compromised computer system.

If the WannaCry malware senses that a system has DoublePulsar installed, it will try to download and execute its payload using this method. Interestingly, in some samples we analyzed we discovered an unused flag to disable the DoublePulsar.

If DoublePulsar is not available, WannaCry will spread via the SMB (Service Message Block) Protocol by taking advantage of a Microsoft vulnerability associated with the EternalBlue NSA exploit. Microsoft released a patch for this vulnerability for all supported versions of Windows in March 2017, and additionally released a patch for Windows XP and Windows 2003 on Friday, May 12, 2017 even though those versions are no longer officially supported. 

Once the malware has successfully breached a targeted system, WannaCry attempts to spread across the internal network, and also attempts to connect to random hosts on the Internet via SMB over ports TCP 139 and TCP 445.

There are also some rumors of an RDP-based exploit (Remote Desktop Protocol), dubbed ESTEEMAUDIT, being used as one of the primary vectors for infecting corporations. Be sure to understand your environment.

Do you have any interesting observations on DoublePulsar?

Fortinet detected approximately 6,000 attempts to exploit or probe DoublePulsar on April 27th, and 16,000 attempts on April 28th. DoublePulsar seems to have been distributed silently over a period of weeks, and was then used as the main attack vector for WannaCry because that there were tens of thousands of machines already waiting with a back door open. We saw some spikes in DoublePulsar activity days before WannaCry, which may mean attackers were probing our staging attacks. While there is no evidence to assume this was related to the WannaCry campaign, it was an interesting observation.

Can I just block TCP 139 and TCP 445 and RDP?

While this would certainly block the malware from infecting that the system, keep in mind that many Windows applications may also need these ports. Simply blocking them may have an effect on essential business traffic. The best course of action is to apply the Microsoft Patch MS17-010.

If I applied the Microsoft patch would I be vulnerable to WannaCry?

No. Systems patched with Microsoft Patch MS17-010 will not be vulnerable to the malware infecting their systems.

What if I disable SMB version 1?

The malware appears to only spread through SMB version 1. However, some later versions of SMB are backwards compatible with version 1, which you may still be vulnerable if you do not also patch your system.

Many are calling this attack “massive” and the “most widespread” ransomware attack because it was able to reach over 100 countries and infect over 200,000 systems in 48 hours. Is that an exceptional rate for the spread of ransomware, or is this newsworthy because it happens to be associated with a ransomware for other reasons, such as its wormlike behavior, its visible impact to NHS, its exploitation of an XP vulnerability not initially patched by MS, etc?

Some researchers would say it is of noteworthy due to the vector and the speed at which it can spread (without user interaction), as well as in terms of actual size of the infection. However, we have seen attacks with a similar size and widespread nature before, such as the CryptoLocker/CryptoWall. In that case there were close to a million devices eventually infected, but it did spread as viciously.

Is this a Zero Day attack?

Technically no, this is malware that is taking advantage of a known vulnerability.

Does the modular nature of the code, which is a function of joint development, simplify the creation of variants? 

The code is what most people would consider modular. However, that has not resulted the wide spread distribution of variants. Most attacks these days follow a similar modular approach. To stop them it is necessary to have a comprehensive security solution that can detect and prevent infections at multiple stages of such an attack.

Is there a new variant in the wild?

While researchers have identified a number of similar malware samples,  many of these have turned out to simply be edited versions of the WannaCry malware that affected systems over the May 11th weekend. Many of these edited versions include simple changes that appear to have been made by a hex editor, and not by recompiling the code, which a true variant would usually require. For example, there are samples being uploaded to VirusTotal that have only had the domain name changed to something else.

Does WannaCry use TOR?

The malware package includes a segment named WannaCrypt0r. This portion downloads a TOR client from https://dist[.][.]zip and extracts it into the TaskData folder of the affected system. This TOR client is used to communicate with the ransomware’s C2 servers at gx7ekbenv2riucmf[.]onion, 57g7spgrzlojinas[.]onion, xxlvbrloxvriy2c5[.]onion, 76jdd2ir2embyv47[.]onion, and cwwnhwhlz52maqm7[.]onion.

Was the Fortinet Sandbox able to detect the malware before any signatures were released? What about new variants?

Yes, our product team has confirmed that FortiSandbox can detect even unknown and edited versions of the malware by behavior alone. We are also seeing new edited versions of the malware constantly. To date, our current protections have been able to detect them as well. behavior alone.

Were the WannaCry infections started via a phishing campaign?

There are theories that WannaCry was originally started through phishing emails, but so far there has not been any evidence to support this theory. While we aren’t exactly certain how the WannaCry infections began, US-CERT is allegedly saying that it could leverage the ESTEEMAUDIT exploit against RDP on Windows XP / Server 2003.

Wait, no one knows how WannaCry initially infected organizations?

Not at this time, no. But it is early. Most organizations have been busy with recovery. We don’t believe that what we have seen is the result of a conspiracy. Most likely, further details will be revealed through normal incident response and forensic analysis processes over the next several days or weeks.

Of the major ransomware families (Locky for example), it common for the initial installation to require user action (such as clicking on an attachment.) So is it fair to say that one of the key differences seen with WannaCry is its ability to initially install without user action? 

Unlike previous ransomware attacks, the actual WannaCry malware is spread without user interaction. But the initial infection initiation vector is still unknown. We don't yet know what its initiation vector is, or what kind of interaction (if any) is required. This is primarily because we simply don't yet know who or what patient zero is.  

What is the “killswitch” domain mentioned in conjunction with WannaCry?

The WannaCry variant that hit over the May 11th weekend included code causing the malware to attempt to connect to a specific domain when it starts up, and if it could connect to this domain, it would terminates. Since the discovery of this code, killswitch domains known to be associated with WannaCry have been registered and are currently being hosted by researchers. Fortinet has categorized this domain as information research.

Does access to the killswitch domain mean WannaCry has been disabled?

If the original version of the WannaCry malware was able to reach its associated killswitch domain, it would terminate instead of encrypting files. However, it appears some versions have had this need to connect to a killswitch domain edited out via a simple hex editor. As a result, this killswitch may have been rendered obsolete for subsequent variants.

What if access to the killswitch domain is blocked, or a proxy is used to access the Internet?

If access to the WannaCry killswitch domain is blocked by a security tool, or due to other network configuration, the malware will continue to encrypt. For example, WannaCry does not have proxy support. So if a proxy is required to reach the Internet, communication to the killswitch domain (as well as infection attempts to Internet hosts) will fail. 

I have been hearing about Uiwix malware. What is it, and does Fortinet protect against that malware?

Uiwix appears to be a new strain of WannaCry. It also exploits the same SMB vulnerability. It was written about here.

At the time of writing, we have not seen any samples specific to this malware, so it is difficult to say if we protect against it. We have also not been able to find any samples or hashes on the malware to analyze. We have reached out to several research partners, the Cyber Threat Alliance, and even to a few of our friends. However, neither the malware nor the hash have yet to appear on any of the channels we monitor.

That said, we expect that the IPS signatures for WannaCry and our dynamic AV signature generator system should detect and stop this threat as well.

What is the Jaff Malware?

Jaff Malware is a ransomware that was released around the same time as WannaCry. Many researchers at first, thought Jaff and WannaCry were variants of each other, or even the same malware. Jaff has primarily been spreading thru SPAM emails and other spearphishing type attacks. Early reports claiming the malware had some relationship with WannaCry now appear to be false. Fortinet is currently protecting against the Jaff ransomware.

I have noticed some default behavior on signatures when they are set to an action other than block. Can I change this setting before the Fortinet QA process is complete?

Fortinet may release signatures in some cases in monitor mode, and then change them to block after we ensure there are no false positives or errors with the IPS rules. Signatures are normally set to block after adequate testing. If you would like to change the default behavior of any signature before Fortinet changes the behavior, you may do so by following these steps on your FortiGate devices:

  • Go to Security Profiles, Intrusion Prevention.
  • Click on Add Signature, and then search for the name of the signature. When found, select it and click the add signature button.
  • When the signature has been added, right-click on an action to change the default action.
  • Optional: You may also want to right-click on the logging option and change the default behavior.  

If you do not take any action, the rules will automatically be changed to appropriate settings thru FortiGuard service updates once they have been adequately tested.

Is anything known about who created/deployed WannaCry?

There are only rumors. Fortinet engineers found some reference pointing to the threat group KDMS. Read here.

Some evidence linking this to North Korea has also been found by Neel Metha, a Google researcher.

Do we provide defensive solutions for older FortiGate products?

The current signatures are available for FortiOS 4x and FortiOS 5x. Please ensure you have extended databases enabled. On older FortiGate devices you may need to reload the IPS signatures by issuing the command diag ips global rule reload. If you still do not see the appropriate signatures, please contact Fortinet TAC.

Are people paying the ransom?

Based on our monitoring of some of the associated Bitcoin addresses it appears that people are indeed paying the ransom.

Are people getting their files back after they pay?

Reports are stating some people are getting keys to unlock their files. However, paying does not guarantee your files will be released, nor does it guarantee you won’t get your files encrypted again. Some people that have paid the ransom are claiming that they did not get their files back. It appears that the process implemented is manual, and is not scaling.

What are the Bitcoin addresses?




If I am a remote employee, what is the best Fortinet product to use to protect against this malware?


How does Fortinet protect me?

We take a holistic approach, integrating Fortinet security solutions with other security vendors into a single, cohesive framework known as the Fortinet Security Fabric. It protects against ransomware from all threat vectors, including the #1 attack vector for ransomware, which is phishing email.

Fortinet Solutions include:

Detecting and identifying tomorrow's ransomware

FortiSandbox and other advanced detection techniques identify new ransomware and all of its variants, thereby creating the necessary actionable intelligence for remediation.

Critical to stopping never-before-seen ransomware is the automated local sharing of actionable intelligence between detection and prevention components within the Security Fabric. Mitigation across different organizations is achieved through FortiGuard global intelligence, and is extended to the public community through the Cyber Threat Alliance initiative.

Block today's ransomware

You can stop all known malware, including the latest ransomware, at all entry points to an organization with Fortinet's security solutions for networks, endpoints, applications, data centers, and access points – all powered by FortiGuard global threat intelligence.

Fortinet’s AV Engine protects against all known versions of the WannaCry malware. The Fortinet AV engine is installed on (but not limited to):

  • FortiGate
  • FortiSandbox Appliance
  • FortiSandbox Cloud
  • FortiMail
  • FortiClient
  • FortiWeb

Fortinet has IPS signatures that protect against the techniques used by this malware. Some configuration may be required to ensure all signatures are set to DROP. The Fortinet IPS Signature is available on (but not limited to):

  • FortiGate

Fortinet IP Reputation and Web Filtering protect against command and control communications. The Fortinet Web filtering and IP Reputation services are available on (but not limited to):

  • FortiGate
  • FortiClient
  • FortiSandbox Appliance
  • FortiSandbox Cloud
  • FortiMail
  • FortiWeb

AppControl signatures have the ability to block TOR protocols. Configuration is required to enable this. The Fortinet TOR AppControl is available on (but not limited to):

  • ForitGate

Fortinet provides a number of products to detect if infections exist or if malicious communications are occurring related to the compromised systems on a network. These devices can also assist in incident response.

  • FortiSIEM
  • FortiAnalyzer
  • FortiCloud

Data Segmentation and Internal Segmentation Firewall

As part of security best practices, in addition to following the steps outlined in the FAQ above, ensure that your network is appropriately segmented to protect against its spreading across your network using the ransomware’s wormlike behavior.

Data segmentation, backup, and recovery are essential strategies for organizations concerned with security threats, including ransomware, as well as other scenarios such as disaster recovery, audit, and many others.

You can dramatically improve your security by adding FortiGate Internal Network Segmentation Firewalls to your network to prevent the proliferation of threats once they get inside. ISFWs provide network segmentation inside the perimeter. They may sit in front of specific servers that contain valuable intellectual property, or a set of user devices or web applications sitting in the cloud.

  • Fortinet ISFW (Internal Segmentation Firewall).