Responding to WannaCry Malware


By Christian Have, VP Products & Innovation, May 13, 2017

 

Update: Read our latest blog post on our newly released WannaCry Application

 

As WannaCry wreaked havoc over the weekend, many organizations will feel the impact of the malware at the start of the working week. WannaCry is ransomware that spreads as a worm by exploiting the SMBv1 vulnerability patched in MS17-010.

Infection

Once it is running on a newly exploited host, the malware attempts an HTTP connection to the domain:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If that connection fails, the malware proceeds to install itself, encrypt files and scan for further hosts; if it succeeds, the malware exits. LogPoint users can therefore quickly inspect their networks by searching for the domain name and identifying the machines on which the malware has run.

A malware researcher has registered the domain, so the connection now succeeds and the malware does not install, but keep in mind that the systems remain vulnerable until the MS17-010 patch is applied. A connection seen to this domain indicates that the malware executed on that machine, whether or not it went on to encrypt anything.

Queries to detect the infection:

url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address

domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address

 

More malware exploiting the same vulnerability is likely to follow. LogPoint will actively monitor research and publications and provide updates and queries as more becomes known.

 

*UPDATE*

The WannaCry variant of the malware is not "proxy aware": it attempts the kill-switch connection directly rather than through the system proxy.
This means that if your organisation only allows Internet access through a proxy, the direct connection fails, the kill-switch is not triggered, and the malware proceeds to infect the host. In such environments the domain will not appear in proxy logs; look instead for DNS queries for the domain and for denied direct outbound connections from hosts.
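The detection described above (search for the kill-switch domain and count hits per source address) together with the proxy caveat, as an added example that is not LogPoint code: it runs the hunt over a few constructed DNS, HTTP and firewall log lines in a simple key=value form that stands in for normalised SIEM fields (the field names and the sample addresses are assumptions), and separates hosts that actually reached the sinkholed domain from hosts whose direct connection was denied by an egress policy, where the kill-switch cannot have fired.

```python
"""Hunt for WannaCry kill-switch activity in DNS, HTTP and firewall logs.

Added example, not LogPoint code. Log lines are constructed and use a
key=value format standing in for normalised SIEM fields (assumption;
real sources name fields differently).
"""
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample: 10.0.1.31 reaches the sinkholed domain, 10.0.1.15 sits
# behind a proxy-only egress policy so its direct connection is denied, and
# 10.0.1.22 is benign.
SAMPLE_LOGS = """\
ts=2017-05-13T08:01:12Z source=dns source_address=10.0.1.15 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com qtype=A
ts=2017-05-13T08:01:12Z source=firewall source_address=10.0.1.15 destination_address=198.51.100.7 destination_port=80 action=deny
ts=2017-05-13T08:03:40Z source=http source_address=10.0.1.22 url="http://www.example.com/" status=200
ts=2017-05-13T08:05:02Z source=dns source_address=10.0.1.31 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com qtype=A
ts=2017-05-13T08:05:03Z source=http source_address=10.0.1.31 url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/" status=200
ts=2017-05-13T08:09:55Z source=dns source_address=10.0.1.15 query=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. qtype=A
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_URL_HOST = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)


def parse_line(line):
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_kill_switch(event):
    """True if the event's DNS query, domain field or URL names the kill-switch domain.

    Matching is case-insensitive and tolerates a trailing dot, since DNS logs
    often record the fully qualified name that way.
    """
    host = event.get("query") or event.get("domain") or ""
    if not host and "url" in event:
        m = _URL_HOST.match(event["url"])
        host = m.group(1) if m else ""
    return host.lower().rstrip(".") == KILL_SWITCH_DOMAIN


def count_by_source(log_text):
    """Same result as the blog's `... | chart count() by source_address`."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_kill_switch(ev):
            hits[ev["source_address"]] += 1
    return dict(hits)


def classify_hosts(log_text):
    """For each host that tried the kill-switch, say whether the HTTP request succeeded.

    'reached' -> an HTTP 2xx came back, the malware exited; the host was still
                 exploited and is unpatched.
    'blocked' -> the same host had a direct outbound port-80 connection denied,
                 so the kill-switch did not fire; assume encryption and spreading.
    'unknown' -> lookup seen but no evidence either way; triage the host.
    Correlating the deny with the lookup by host only (not by time window) is
    a simplification of this example.
    """
    state = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        src = ev.get("source_address")
        if not src:
            continue
        s = state.setdefault(src, {"lookup": False, "reached": False, "blocked": False})
        if is_kill_switch(ev):
            s["lookup"] = True
            if ev.get("source") == "http" and ev.get("status", "").startswith("2"):
                s["reached"] = True
        if (ev.get("source") == "firewall" and ev.get("action") == "deny"
                and ev.get("destination_port") == "80"):
            s["blocked"] = True
    verdicts = {}
    for src, s in state.items():
        if s["lookup"]:
            verdicts[src] = "reached" if s["reached"] else ("blocked" if s["blocked"] else "unknown")
    return verdicts


if __name__ == "__main__":
    print(count_by_source(SAMPLE_LOGS))   # hits per source address
    print(classify_hosts(SAMPLE_LOGS))    # reached / blocked / unknown per host
```

The point of the second function is the triage order: a "blocked" host never got the sinkhole response, so it should be isolated first, while a "reached" host was exploited and must still be patched even though nothing was encrypted.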
 
Additionally, the WannaCry and WannaCry2 variants both modify the USER32.DLL file in System32. To detect this in LogPoint, enable File Integrity Monitoring and make sure that all critical system files are monitored; a positive indicator looks similar to this:
[Screenshot: LogPoint File Integrity Monitoring alert for the user32.dll change]
To detect the infection, use the following query:
 
action="CHANGE FILE" file_path="C:\Windows\System32\user32.dll" | chart count() by device_name
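The file-integrity approach behind that query, as an added example that is not LogPoint's own FIM code: hash a baseline of the monitored files, re-check them later, and emit CHANGE FILE / CREATE FILE / DELETE FILE events carrying the field names the query searches on. It runs against constructed files in a temporary directory that stand in for System32 DLLs; the filenames, the device name and the simulated tampering are assumptions.

```python
"""Minimal file-integrity monitor: baseline hashes, re-check, emit events.

Added example, not LogPoint code. Files below are constructed stand-ins.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record each monitored path's hash, or None if the file is absent."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}


def check(base):
    """Compare the current state with the baseline and return FIM events."""
    events = []
    for path, old in base.items():
        new = sha256_of(path) if os.path.exists(path) else None
        if new == old:
            continue
        if old is None:
            action = "CREATE FILE"
        elif new is None:
            action = "DELETE FILE"
        else:
            action = "CHANGE FILE"
        events.append({"action": action, "file_path": path, "old_hash": old, "new_hash": new})
    return events


def to_log_line(event, device_name):
    """Render an event in the key=value form the blog's query searches on."""
    return 'action="{}" file_path="{}" device_name="{}"'.format(
        event["action"], event["file_path"], device_name)


def demo():
    """Self-contained run: two stand-in DLLs, one of which is tampered with."""
    with tempfile.TemporaryDirectory() as d:
        user32 = os.path.join(d, "user32.dll")
        kernel32 = os.path.join(d, "kernel32.dll")
        for p in (user32, kernel32):
            with open(p, "wb") as f:
                f.write(b"MZ original contents of " + os.path.basename(p).encode())
        base = baseline([user32, kernel32])
        with open(user32, "ab") as f:      # simulate the modification (assumption)
            f.write(b"\x90\x90 injected")
        return [(e["action"], os.path.basename(e["file_path"])) for e in check(base)]


if __name__ == "__main__":
    for action, name in demo():
        print(to_log_line({"action": action, "file_path": name}, "WS-EXAMPLE-01"))
```

A real deployment would keep the baseline outside the monitored host and re-baseline only after a verified patch, since a Windows update legitimately changes user32.dll and would otherwise trigger the same CHANGE FILE event.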

 

Both LogPoint and LogPoint Free can detect WannaCry. Contact us at info@logpoint.com.

Why LogPoint?

With LogPoint, you will discover a full enterprise SIEM solution. 

LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.

And the best part? We have the most predictable licensing model in the industry.