Update: Read our latest blog post on our newly released WannaCry Application

As WannaCry has wrecked havoc over the weekend, many organizations will face the impact of the malware during the beginning of the week. WannaCry is a ransomware attack that exploits the MS17-010 vulnerability.

Infection

After exploiting the vulnerability the malware attempts to connect to a domain:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

The malware expects the connection to fail and then proceeds to install and infect the system. As such LogPoint users can quickly inspect their networks by searching for the domain name and identifying machines that are infected.

A malware researcher has registered the domain, so now the malware does not install, but keep in mind that the systems are still vulnerable to the Microsoft Windows vulnerability. If a connection is seen in this domain, it does indicate the machine was compromised.

Queries to detect the infection:

  url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” | chart count() by source_address

 domain=“iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” | chart count() by source_address

Typically more malware examples come along, to infect these vulnerabilities; LogPoint will actively monitor the research and publications and provide updates and queries as more research is carried out.

*UPDATE*

The WannaCry variant of the malware is not “Proxy aware”.
This means that if your organisation uses a proxy to filter access to the Internet, the kill-switch is not active.
 
Additionally, the WannaCry and WannaCry2 variants both infect the USER32.DLL file in system32. To detect this in LogPoint, enable the FileIntegrity Monitoring and make sure to monitor all critical files – an example of a positive indicator here would be similar to this:
 
To detect the infection implement the query as follows:
action=“CHANGE FILE” file_path=“C:\Windows\System32\user32.dll” | chart count() by device_name

Both LogPoint and LogPoint Free can easily detect WannaCry. Contact us at [email protected]