22 June 2017

WannaCry’s Never Say Die Attitude Keeps It Going!

Written by Pradeep Kulkarni
Ransomware, Security

Over the past few months, the cybersecurity world has been abuzz with the infamous WannaCry ransomware attack. The attack was launched on a massive scale. The campaign started after a hacker group called the Shadow Brokers leaked a set of NSA exploits. Taking advantage of unpatched systems all over the globe, the attack spread across 150 countries. WannaCry used the leaked exploit called 'EternalBlue', which targets a vulnerability in the Windows SMBv1 server. Pairing this exploit with worm-like functionality made the impact far deadlier, since the ransomware propagated on its own to other reachable computers over the Windows SMB protocol (TCP port 445). Microsoft's security bulletin MS17-010 addresses the vulnerabilities exploited in this attack.

This blog post walks through the attack's timeline and the observations we have made on its continued presence since then.

Here is how it happened

Fig 1. Timeline of WannaCry ransomware attack

On April 8, 2017, the leaked NSA exploits were made publicly available by the Shadow Brokers group. A week later, Microsoft published a blog post stating that the vulnerabilities targeted by the leaked exploits had already been patched. The exploits used in the WannaCry attack were addressed by the MS17-010 security bulletin, released on March 14, 2017, roughly two months before the outbreak. As the timeline (see Fig 1.) shows, Quick Heal and Seqrite products already had IDS/IPS detections for 'EternalBlue' and the other leaked exploits well before the first reports of WannaCry. Quick Heal Security Labs released an IDS/IPS advisory on May 13, 2017, to address the outbreak.

In addition to the IDS/IPS (network-based) detections, the other detection mechanisms in Quick Heal and Seqrite products were also capable of detecting the WannaCry ransomware. This was a good example of how a multi-layered security product can mitigate such a severe attack: even if the SMB exploit were missed at the network layer, the dropped ransomware could still be caught on the host. The following features played a crucial role in dealing with this attack.

  • IDS/IPS (Network-based detections)
  • Virus Protection (Host-based detections)
  • Behavior Detection System (Host-based behavioral detections)
  • Anti-ransomware system (host-based behavioral detections designed specifically to detect ransomware)

Apart from the above features, the "Backup and Restore" functionality turned out to be a useful tool for users who had backed up critical data on their machines, since a clean backup lets encrypted files be restored without paying the ransom.

The WannaCry attack continues

Even more than a month after the WannaCry attack started, traces of it are still being seen. This clearly implies that unpatched systems still exist. We are still observing pings to the 'kill switch' domains that were found in early WannaCry ransomware samples.

The 'kill switch' refers to a domain name that was hard-coded in the WannaCry ransomware. On startup, the dropper attempts an HTTP connection to that domain before it does anything else; if the connection succeeds, the malware simply exits, without encrypting files or spreading further. While the domain was unregistered the check always failed and the attack ran its course; once the domain was registered and kept alive, the check succeeded and new infections were stopped. A lookup of the domain therefore means the dropper has already executed on that host, which in almost every case means the host was reachable through an SMB service that is still unpatched against MS17-010.

Pings were seen to the following 'kill switch' domains:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Fig 2. Pings seen to WannaCry ‘kill-switch’ domains

Although the recorded pings to these domains were not large in number, they still show that the attack is alive in the wild.
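As an added example (not code from the original post, nor from Quick Heal or Seqrite), the following Python script turns the observation above into a check you can run against your own resolver logs: it parses constructed BIND-style DNS query-log lines (the log format, timestamps and IP addresses are assumptions made for illustration), matches lookups of the two kill-switch domains exactly, and reports each client host with its first-seen time and lookup count. Any host on that list has executed the WannaCry dropper and should be isolated and patched for MS17-010, regardless of whether the kill switch saved it from encryption. One caveat worth building into the triage: the dropper's kill-switch request does not use the system proxy settings, so on a network where direct outbound HTTP is blocked the check fails and the host is encrypted anyway, even though the DNS lookup was logged. The DNS evidence is therefore the earlier and more reliable signal.

```python
"""Triage DNS query logs for WannaCry kill-switch lookups.

Added example, not Seqrite's or Quick Heal's code. A host that looks up one of
the kill-switch domains has executed the WannaCry dropper (the domain check is
the first thing the dropper does), so the host is exposed and must be patched
for MS17-010 even though the kill switch stopped the encryption on it.
"""
import re

# The two kill-switch domains found in early WannaCry samples.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample log in a simplified BIND query-log style
# ("<date> <time> client <ip>#<port>: query: <name> IN <type> ...").
# Hosts, times and the benign names are invented for illustration.
SAMPLE_LOG = """\
15-Jun-2017 09:12:01.113 client 10.20.3.41#51234: query: www.example.com IN A + (10.20.0.5)
15-Jun-2017 09:12:07.440 client 10.20.3.41#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.5)
15-Jun-2017 09:12:07.902 client 10.20.3.41#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN AAAA + (10.20.0.5)
15-Jun-2017 11:03:55.017 client 10.20.7.9#49181: query: ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.5)
15-Jun-2017 11:04:00.000 client 10.20.7.12#49200: query: updates.example.org IN A + (10.20.0.5)
"""

# Assumed log layout; adapt this pattern to your resolver's actual format.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def parse_query(line):
    """Return (timestamp, client_ip, queried_name, record_type) or None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    # Normalise: strip a trailing dot from FQDNs and compare case-insensitively.
    name = m.group("name").rstrip(".").lower()
    return m.group("ts"), m.group("ip"), name, m.group("type")


def is_kill_switch(name):
    """Exact match only: lookalike domains are a different investigation."""
    return name in KILL_SWITCH_DOMAINS


def find_kill_switch_lookups(log_text):
    """Map each client IP that queried a kill-switch domain to a summary:
    {"first_seen": <timestamp>, "count": <lookups>, "domains": {<names>}}."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        ts, ip, name, _rtype = parsed
        if not is_kill_switch(name):
            continue
        entry = hits.setdefault(ip, {"first_seen": ts, "count": 0, "domains": set()})
        entry["count"] += 1
        entry["domains"].add(name)
    return hits


if __name__ == "__main__":
    # Each host listed here ran the WannaCry dropper: isolate it and patch MS17-010.
    for ip, info in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} kill-switch lookup(s), first seen "
              f"{info['first_seen']}, domains={sorted(info['domains'])}")
```

Feed the script your real query log instead of `SAMPLE_LOG` once the regex matches your resolver's format; the A and AAAA lookups from the same host are counted separately on purpose, since two quick lookups within a second is exactly what the dropper's connection attempt looks like.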

The passive DNS records for these domains look like this:

Fig 3. DNS replication of ‘kill-switch’ domains

IPS hits trend for Shadow Brokers exploits

Soon after the WannaCry ransomware attack, the leaked exploits were integrated into other campaigns such as EternalRocks and Adylkuzz. Below is the detection hits trend for the Shadow Brokers exploits.

Fig 4. IPS Hits Trend For Shadow Broker Exploits

Over 2 million hits have been recorded so far across all the Shadow Brokers exploits. The dips in the trend fall on weekends.

Conclusion

All the evidence discussed in this post clearly shows that WannaCry ransomware attacks are still present in the wild. Despite the patches available from Microsoft, there are still unpatched machines, and those machines remain at risk. The multi-layered approach in Quick Heal and Seqrite products provides a strong defence against such complex attacks, and Quick Heal and Seqrite users are protected from the WannaCry ransomware attack. We strongly recommend that users apply the latest security updates released by Microsoft and also apply the latest updates from Quick Heal. Where a machine cannot be patched immediately, disabling SMBv1 and blocking inbound TCP port 445 at the network edge removes the path that the exploit uses.

Also Read

  • http://www.seqrite.com/blog/wannacry-ransomware-creating-havoc-worldwide-by-exploiting-patched-windows-exploit/
  • http://www.seqrite.com/blog/ms17-010-windows-smb-server-exploitation-leads-to-ransomware-outbreak/

About Pradeep Kulkarni

Pradeep Kulkarni is leading the IPS team in Quick Heal Technologies Limited. Having worked in the IT security industry for over 11 years, he has worked on various...