What our honeypots taught us about Wannacry ransomware
May 23, 2017
WannaCry has been on the lips, and especially in the concerns of everyone these last days. As we have addressed in recent posts, Friday, 12th May, marked the beginning of a massive global campaign to spread the WannaCry ransomware (a.k.a. WCry, WannaCrypt, WCrypt, WannaCrypt0r…). The ransomware spreads through a worm that uses the recently leaked ETERNALBLUE exploit, which takes advantage of a SMBv1 vulnerability. Despite the availability of Microsoft’s security update released in mid-March, businesses largely failed to update their systems, which made possible the massive infection.
Our honeypot infrastructure received hits in the port 445 (used by the SMB service) with an easily observable raise of connections at the start of WannaCry’s campaign last Friday.
Here are some statistics of the traffic observed in our systems:
With an average of daily connections around 520 until Thursday, 11th May, there is an increase of 540% on Friday, with a maximum of 3330 connections. The trend remained stable on Saturday and started to decrease on Sunday with an average of 1350 daily connections, still being much higher compared to the prior week.
About the geographic distribution of the sources, the bulk of the connections were originated from Russia (21%), followed by China and the USA (18% and 13% respectively). The other connections followed a more uniform distribution regarding their geolocation.
However, we cannot expect all connections to be strictly related to WannaCry. When analyzing the fingerprints of the connections in order to guess the operating system used by sources, we saw the distribution detailed in the following chart. Note that this data was obtained by conducting a passive analysis of the connections’ metrics, being, therefore, an approximation.
There are minor subsets of connections from Linux or unknown operating systems, which can be labeled as habitual scans and attacks to SMB and could fit into the level of traffic observed prior to WannaCry’s campaign.
It is painfully obvious that the vast majority of the connections came from Windows operating systems, which are vulnerable to the ETERNALBLUE exploit and consequently targets of WannaCry. These vulnerable machines, once infected by WannaCry’s worm, start scanning random IP addresses. Their goal is to look for more Windows systems with the SMBv1 services exposed to the Internet, to again propagate itself.
The surprise was to find out that the main affected Windows system was Windows 7/8 and not the expected Windows XP, which lost Microsoft’s support back on 2014 (even though it also has received a patch due to the criticality of the threat). This picture provides a grim reminder of the consequences of not maintaining systems up to date with the latest security patches.
That’s why we would like to remind you about the importance to update your systems to be protected against this and other threats that take advantage of publicly known vulnerabilities. We strongly advise to patch all Windows systems with the MS17-010 security update to avoid infections in your network.
Blueliv will keep monitoring this threat during the following days to observe its evolution and provide more information to help fight it. Our honeypots are constantly acquiring new and fresh data about attacking IP addresses. Every month, we are detecting an average of 100.000 attack events, that we deliver in almost real-time through Blueliv Threat Intelligence feed. Speed is a critical factor: the faster you receive intelligence, the faster you can detect cyber-attacks. The intelligence shared is actionable, you can both:
- Ingest this intelligence within your SIEM; produce custom behavior analytics to monitor trends and anomalies and perform early detections of potential attacks.
- Optimize your current preventive measures by blocking these IP addresses to connect to your network assets.
To get more insights about this active threat, read the recent malware analysis published about WannaCry, and join Blueliv’s Threat Exchange Community to share and obtain more indicators of compromise. Join the Fight!