Update: Read our latest blog post on our newly released WannaCry Application
As WannaCry has wreaked havoc over the weekend, many organizations will face the impact of the malware at the beginning of the week. WannaCry is a ransomware attack that exploits the MS17-010 vulnerability.
Infection
After exploiting the vulnerability, the malware attempts to connect to the following domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
The malware expects the connection to fail and only then proceeds to install and infect the system. As such, LogPoint users can quickly inspect their networks by searching for the domain name and identifying the machines on which the malware has run.
A malware researcher has registered the domain, so the malware now stops before installing, but keep in mind that the systems are still vulnerable to the Microsoft Windows vulnerability. If a connection to this domain is seen, it does indicate that the machine was compromised.
Queries to detect the infection:
url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address
domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address
Typically, further malware variants follow that exploit the same vulnerability; LogPoint will actively monitor the research and publications and provide updates and queries as more research is carried out.
*UPDATE*
action="CHANGE FILE" file_path="C:\Windows\System32\user32.dll" | chart count() by device_name
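As an added illustration (not LogPoint's own code or query engine), the following Python script applies the same three detection rules to constructed sample log lines in key=value form; the field names follow the queries above, and the sample records, hosts and device names are invented.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Kill-switch domain from the post; the malware expects this lookup to fail.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# File named in the post's update query.
WATCHED_FILE = r"C:\Windows\System32\user32.dll"

# Constructed sample records (hypothetical) in key=value form, using the
# field names from the post's queries. Raw string keeps the backslashes.
SAMPLE_LOGS = r"""
source_address=10.0.1.15 url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/" action=allowed
source_address=10.0.1.15 domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" query_type=A
source_address=10.0.1.22 domain="update.example.com" query_type=A
source_address=10.0.1.40 url="http://www.example.com/index.html" action=allowed
source_address=10.0.1.40 domain="IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM" query_type=A
device_name=WS-0042 action="CHANGE FILE" file_path="C:\Windows\System32\user32.dll"
device_name=WS-0042 action="CHANGE FILE" file_path="C:\Windows\System32\kernel32.dll"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def sample_lines():
    """Non-empty lines of the constructed sample log."""
    return [l for l in SAMPLE_LOGS.splitlines() if l.strip()]

def parse_line(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def host_of(event):
    """Lower-cased host taken from the 'domain' field, else from the 'url' field."""
    if "domain" in event:
        return event["domain"].lower().rstrip(".")
    if "url" in event:
        return (urlparse(event["url"]).hostname or "").lower()
    return None

def killswitch_hits(lines):
    """Like the url= and domain= queries: count kill-switch contacts per source_address."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if host_of(ev) == KILLSWITCH_DOMAIN and "source_address" in ev:
            counts[ev["source_address"]] += 1
    return dict(counts)

def user32_changes(lines):
    """Like the update query: count CHANGE FILE events on user32.dll per device_name."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev.get("action") == "CHANGE FILE" and ev.get("file_path", "").lower() == WATCHED_FILE.lower():
            counts[ev.get("device_name", "unknown")] += 1
    return dict(counts)

if __name__ == "__main__":
    print("kill-switch contacts by source:", killswitch_hits(sample_lines()))
    print("user32.dll changes by device:", user32_changes(sample_lines()))
```

The host comparison is case-insensitive and also covers URL records, so a machine that logged the lookup with different capitalisation or only through a proxy log is still listed.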
Both LogPoint and LogPoint Free can easily detect WannaCry. Contact us at [email protected]