WannaCry Ransomware-WORM targets unpatched systems

Yesterday, the world saw one of the most significant malware outbreaks for quite some time: our news feeds are full of the news of this cyber attack with institutions in many countries being impacted and reports of whole computer networks being shut down. The malware's ability to self-propagate was a significant change from what we have become used to in recent years, with possibly the most recent major outbreak of this type being the Conficker worm nearly a decade ago.

Updated Monday 15 May 2017.


Recent campaigns have tended to be in the form of trojans: pieces of malware that typically arrive on a machine via social engineering tactics and then conduct their malicious behaviour (be that data exfiltration, file encryption, or something else) locally on that machine. The malware used in this outbreak - named variously WannaCry, WCry, and WannaCrypt0r 2.0 - was ultimately of a different family: a worm. Worms have the ability to self-propagate once they are inside an organisation, spreading from machine to machine using unpatched vulnerabilities in the Windows operating system. In this case the malware used the EternalBlue vulnerability for which Microsoft made a patch available through MS17-010 in March 2017.

The initial entry to an organisation in this case appears to have been through a low-volume email campaign linking to a compromised website. If the email makes it through to an end user and they click on the link it starts a chain of events that leads to the download of the WannaCry ransomware worm. The malware then sets about finding vulnerable computers on the network, copying itself to these machines, encrypting their files, and demanding a $300 ransom.

The malware also changes the background on the affected machine.

The actors behind the malware appear to be using multiple Bitcoin wallets to receive payments. At the time of writing, the wallet referred to in the image above had received a total of 23 transactions totaling 4.266 Bitcoins (approximately $7,400 USD) [1], but this is likely only a small fraction of the revenue generated by this campaign.


Forcepoint users were protected from the initial email by our email, web security, and NGFW security products, but the nature of this attack is that one email missed or accidentally released from quarantine can leave an organisation vulnerable to having its systems encrypted. As we observed in our blog post on the Jaff ransomware earlier this week, taking a defence-in-depth approach to security ensures that an attack can potentially be stopped in several points along the kill chain.

As with any email-based campaign user education is a critical component of limiting these attacks: if self-propagating ransomware becomes the new paradigm the risks posed to organisations by a user - however unintentionally - following a malicious link or opening a malicious file are multiplied greatly. Beyond this, the MS17-010 vulnerability exploited by this malware has been patched for nearly two months. This goes some way to explain the significant variation in impact seen within different organisations and highlights the need for a robust and timely patching process.

As of 13 May 2017, it has been confirmed that the malware will not spread if it can contact a hard-coded 'kill-switch' domain: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

As always, Forcepoint Security Labs will continue to investigate and monitor this new threat.


As expected, a new variant of WannaCry has been released without the kill-switch feature. The Forcepoint product suite continues to provide protection against this new variant.


In addition to the version identified with no kill-switch feature, an additional version with an alternate kill-switch has been positively identified: hxxp://www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

While the most obvious Indicators of Compromise (IOCs) for this campaign are the changed desktop background and ransom message shown above, a number of other behavioural artefacts have been documented which, in the absence of the ransom message, may be indicative of a partial or failed attack. These are listed below:

Kill-Switch URLs

Note Requests for these domains have, to date, only been recorded as shown above: i.e. an HTTP (not HTTPS) request for the www domain only, with no appended path.


Tor Hidden Service (Onion Site) Command & Control Servers

Note Connections to Tor nodes alone should not be treated as an IOC for WannaCry. These connections are relevant only when combined with other IOCs.


Requests to Tor Hidden Services must be made via the Tor network - the malware itself installs a Tor client to this end. As a result of this behaviour, organisations may see one or more Tor nodes being contacted by infected machines. Connections to Tor typically occur across port 9001/TCP, but many other ports (including 443/TCP) are also in use. The list of Tor nodes changes frequently, but several websites including torstatus.blutmagie.de and www.dan.me.uk/tornodes provide extensive lists of nodes against which observed IP addresses can be checked.


Ensure that the MS17-010 security update is installed on all Windows machines within the organisation.

Ensure that you have email and web security that can block malicious emails, block intermediate download stages with Real Time Security Signatures (RTSS), and provide URL wrapping for additional protection.

In line with Microsoft's guidance from 2016 [2], customers should consider disabling SMBv1 and other legacy protocols on all Windows systems [3] where this will not negatively impact the function of legacy systems within the environment.

For the time being, it may additionally be desirable to ensure that the 'kill-switch' domains are not blocked within your organisation in order to stop propagation of the malware. However, as with any whitelist entry, this should only be employed for long enough to ensure that other, more permanent protections are in place.

For additional general guidance on ransomware, please visit https://www.forcepoint.com/ransomware.

Forcepoint customers can find product-specific guidance on ensuring their protection in the following Knowledge Base articles: