Wannacry (WanaCrypt0r) - How Umbrella is protecting users

Introduction

A major ransomware attack broke on Friday, May 12 2017, impacting many organizations throughout the world. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. This service notification explains how Umbrella is protecting its users from WannaCry.  

Explanation 

Umbrella is blocking the domains that the WannaCry ransomware calls out to. All communications tied to this malware, including DGA domains and IP addresses, have been confirmed to be on our block list. We first observed requests for WannaCry's kill switch/anti-sandbox domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, and it was added to the Newly Seen Domains (NSD) security category. Umbrella customers blocking the NSD category were protected at the earliest possible point. At 10:12 UTC, the domain was categorized as malware and blocked for all users.

The malware author built in this kill switch in case they chose to stop the attack. By blocking this kill switch domain, Umbrella prevents the ransomware from running on the machine. The malware makes a HTTP call to a specific domain before executing its payload, and if there is a response, the payload is disabled. With Umbrella blocking the domain, the request is responded to with the IP of our block page rather than NXDOMAIN. This is enough to activate this kill switch and prevent the encryption from taking place. 

However, as with any ransomware, the Umbrella service cannot prevent encryption once the ransomware has already infected a system. Further information about how this malware works can be found on a blog post made by our Talos team below which contains some good recommendations, including details of the MS patch to apply:


http://blog.talosintelligence.com/2017/05/wannacry.html

Quick reference section:

Below are some useful links and suggestions:

• Patches, including any out-of-band patches for unsupported OS’s, since Microsoft has been kind enough to release patches for XP, 2003, etc... years after the end of support.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

• Steps to disable the deprecated SMBv1 to prevent spread.

https://support.microsoft.com/en-us/help/2696547

• Checking patches are installed - This command gives the list of kb's installed:

'wmic qfe list'

• Consider closing public facing SMB ports (139, 445) 

If you have further questions, please contact Umbrella support.