Fortinet – Critical Update: WannaCry Ransomware

re-post from Fortinet Blog 2017

Critical Update: WannaCry Ransomware

by Aamir Lakhani  |  May 15, 2017  |  Filed in: Security Research

On May 12th, 2017 the ransomware WannaCry disrupted hundreds of organizations in dozens of countries. The ransomware encrypts personal and critical documents and files and demands approximately $300 USD in Bitcoin for the victim to unlock their files.

It is important to note that Fortinet solutions successfully block this attack.

1. FortiGate IPS plugs the exploit

2. FortiSandbox detects the malicious behavior

3. Our AV engine detects the malware along with variants

4. Our Web filter identifies targeted sites and appropriately blocks or allows them

5. The FortiGate ISFW stops the spread of the malware

The worm-like behavior exhibited by this malware is due to an active probe for SMBv1 server port 445 on the local LAN searching for the presence of the Backdoor.Double.Pulsar. If the backdoor is present, the payload is delivered and executed through this channel. If not, a slightly less reliable exploitation route is taken.

For this reason, we are recommending that organizations (for now) block port 445 from the internet, or further, use NGFW capabilities to block the SMB protocol itself from the internet.
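As an added example (not code from the Fortinet post), the following Python flags the two behaviours this section describes: a LAN host sweeping its neighbours on port 445, and SMB arriving from the Internet. The record shape, the threshold and window values, and the sample flows are my own assumptions.

```python
"""Spot worm-like SMB probing and Internet-sourced SMB in connection records.

Added example, not Fortinet's code. Flow records are constructed in an assumed
(epoch_seconds, src_ip, dst_ip, dst_port) shape; threshold and window are
illustrative choices rather than values from the post.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISTINCT_TARGETS = 10      # distinct LAN hosts contacted on 445 ...
WINDOW_SECONDS = 60        # ... within this many seconds

WORM_HOST = "10.0.5.23"    # constructed: a host sweeping its /24 for port 445
SAMPLE_FLOWS = (
    [(1000 + i, WORM_HOST, f"10.0.5.{100 + i}", SMB_PORT) for i in range(12)]
    # a normal client talking to a single file server twice
    + [(1005, "10.0.5.40", "10.0.5.200", SMB_PORT), (1030, "10.0.5.40", "10.0.5.200", SMB_PORT)]
    # an Internet host reaching a LAN address on 445 through the perimeter
    + [(1010, "198.51.100.7", WORM_HOST, SMB_PORT)]
)


def is_internal(ip: str) -> bool:
    """RFC 1918 check. ipaddress.is_private also treats documentation ranges as
    private, so the sample source 198.51.100.7 would wrongly count as internal."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_smb_scanners(flows, threshold=DISTINCT_TARGETS, window=WINDOW_SECONDS):
    """Return {src: max_distinct_targets} for LAN hosts that reach at least
    `threshold` distinct LAN hosts on 445 inside any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # each event starts a window
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def find_internet_smb(flows):
    """Inbound 445 from non-RFC 1918 sources: the traffic the post says to block."""
    return [(src, dst) for _, src, dst, port in flows
            if port == SMB_PORT and not is_internal(src) and is_internal(dst)]
```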

The malware is modular. Because it can grant the malicious actor super-user privileges on the infected device, it allows them to download additional malware and spoof URLs. In one case Fortinet observed, the malware first took advantage of vulnerability CVE-2017-0144 to gain access to the system. After that, a dropper was used to download ransomware that encrypts the files.

This vulnerability occurs because of an integer overflow when parsing a malformed Trans2 Request in the SMBv1 Server. Successful exploitation leads to code being executed in the context of the application. There is no need for authentication for this to be exploited, which has been key to the rapid onset of the outbreak in local area networks.


If the malware senses that a system has the Backdoor.Double.Pulsar installed, it will try to download and execute the payload using this method. Interestingly, in some samples we analyzed we discovered an unused flag to disable the DoublePulsar.

The malware is embedded in a dropper as a DLL encrypted with an AES key. Once executed, the malware drops a file named “t.wry.” It then uses the embedded AES key to decrypt the DLL, which is loaded into the parent process directly in memory, so the decrypted malware is never written to disk. This is a feature that evades some AV engines.

There is support for 179 filetypes, and a key is generated for each file.

On Saturday, May 13th, a security researcher discovered the kill-switch for this malware. It was a DNS check on a domain name that at the time was unregistered. Once registered, the malware perceived that the domain was alive and the infection was halted.

Outbound TOR

The malware downloads a TOR client and starts to communicate with C&C servers over the TOR protocol. We recommend that you block outbound TOR traffic. You can accomplish this on FortiGate devices by using the AppControl signatures.

You do this by going to Security Profiles, then Application Control, and selecting Add Signature under “Application Overrides.” Then add the Tor protocol. Once added, the signature list shows Tor as blocked.

Make sure you use your application policy in a firewall policy to ensure it is activated.

Inbound TOR

Although not strictly necessary, you might also want to consider blocking incoming traffic originating from the TOR network. Such traffic looks like any other Internet traffic; however, it originates from TOR exit nodes. A list of well-known exit nodes is maintained and updated in the Fortinet Internet Service Database, and you can use this pre-built list in a firewall policy.


If the malware is allowed to communicate, it will try to connect to several malicious domains. The Fortinet web filtering engine categorizes these known domains as malicious, and if configured correctly should block these domains as part of your firewall policies.

Kill Switch

The malware stops if it finds that the domain “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” exists. While this domain originally did not exist, it does now as a malware researcher in the UK has registered it.

Note: Organizations that use proxies will not benefit from the kill switch. The malware is not proxy-aware, so it will not be able to connect to the kill-switch domain, and thus the malware will not be stopped.

For the kill switch to work the malware must be able to communicate with the kill switch domain. As it is in the best interest of having every opportunity to stop the malware, Fortinet has decided to not categorize the kill switch domain as malicious. However, reports as of May 14th, 2017 identified a version of the malware that bypasses the kill switch, making this an ineffective means of mitigation.

In fact, the kill switch now appears to be obsolete, as the attack is still ongoing and samples from these new waves include different domain names, or some don’t include a domain name kill switch at all.
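The following Python, added here and not part of the Fortinet post, triages DNS logs for lookups of the kill-switch domain quoted above: a host that queried it ran the sample, and a failed answer (NXDOMAIN, REFUSED, or a proxy-only network where the direct lookup never works) means the built-in stop condition could not fire. The log format is an assumed one, and because newer variants use other domains or none, the domain list is a parameter rather than a constant.

```python
"""Triage DNS logs for WannaCry kill-switch lookups.

Added example, not Fortinet code. The log lines are constructed in an assumed
format: ISO time, "client" IP, "query" name and type, "response" rcode.
"""
import re

# Defanged exactly as printed in the post; refang() turns it into a real name.
KILL_SWITCH_DEFANGED = "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) "
    r"response (?P<rcode>\S+)$"
)

# Constructed sample: one host resolved the name, one host asked twice and never got an answer
SAMPLE_DNS_LOG = """\
2017-05-13T10:02:11Z client 10.0.5.23 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A response NOERROR
2017-05-13T10:02:12Z client 10.0.5.40 query updates.example.net A response NOERROR
2017-05-13T10:03:05Z client 10.0.7.9 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A response NXDOMAIN
2017-05-13T10:03:06Z client 10.0.7.9 query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A response REFUSED
"""


def refang(indicator: str) -> str:
    """Turn an analyst-style defanged name back into a comparable hostname."""
    return indicator.replace("[.]", ".").rstrip(".").lower()


def triage(log_text: str, kill_switch_domains=(KILL_SWITCH_DEFANGED,)) -> dict:
    """Return {client_ip: verdict} for every client that looked up a kill-switch name.

    kill_switch_fired : the name resolved, so the DNS condition the malware
                        checks was satisfied on that host.
    kill_switch_missed: the host asked but got no answer (blocked resolver,
                        NXDOMAIN before registration, or a proxy-only network
                        where the malware's direct lookup fails), so the
                        sample most likely continued to run.
    """
    watch = {refang(d) for d in kill_switch_domains}
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or refang(m["qname"]) not in watch:
            continue
        client = m["client"]
        # a single successful resolution is enough for the kill switch to fire
        if m["rcode"] == "NOERROR" or verdicts.get(client) == "kill_switch_fired":
            verdicts[client] = "kill_switch_fired"
        else:
            verdicts[client] = "kill_switch_missed"
    return verdicts
```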

Fortinet Protections to date

FortiGuard Labs is actively working with our CTA partners to share threat intelligence and ensure that all organizations have accurate information in order to ensure they are protected from this active threat.

Fortinet provides two primary IPS signatures to detect the attack. They are:

1. (released March 14th, 2017, updated May 10th, 2017)

2. (released February 27th, 2017, updated May 1st, 2017)


Fortinet Anti-Malware/Anti-Virus engines have smart signatures enabled to detect the malware, along with behavior-based models to detect possible new variants.

The AV signatures are:

Please note, some AV signatures require FortiGate devices to be configured using the extended antivirus definitions. In your FortiGate device you will want to select system, FortiGuard, and then enable extended AV and Extended IPS if available. Don’t worry if it is not. Many of our devices use this as the default option.

If the malware is allowed to execute, it will run the command icacls . /grant Everyone:F /T /C /Q, which gives full permissions to all files and folders where the malware is stored. Additionally, the malware clears Windows shadow copies, disables Windows startup recovery, and clears the Windows Server Backup history.
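An added detection example, not Fortinet's code: it scans process-creation records for the icacls command quoted above together with the usual command-line forms of the shadow-copy, startup-recovery and backup-catalog tampering the paragraph describes (those forms are my assumption; the post names only the icacls command). The record shape, the dropper path and the sample events are constructed.

```python
"""Flag WannaCry-style pre-encryption commands in process-creation records.

Added example, not from the Fortinet post. Records are constructed in an
assumed (host, parent_image, command_line) shape. Only the icacls line comes
from the post; the other patterns are the common command-line forms of the
behaviours it describes (assumption).
"""
import re

# (technique label, pattern); case-insensitive so mixed-case shells still match
PRE_ENCRYPTION_PATTERNS = [
    ("grant_everyone_full_control", re.compile(r"\bicacls\b.*/grant\s+Everyone:F", re.I)),
    ("delete_shadow_copies",
     re.compile(r"\bvssadmin\b.*\bdelete\s+shadows|\bwmic\b.*\bshadowcopy\s+delete", re.I)),
    ("disable_startup_recovery",
     re.compile(r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("clear_backup_catalog", re.compile(r"\bwbadmin\b.*\bdelete\s+catalog", re.I)),
]

DROPPER = "C:\\ProgramData\\dropper_placeholder.exe"   # constructed placeholder path
SAMPLE_PROCESS_EVENTS = [
    ("ws-0142", DROPPER, "icacls . /grant Everyone:F /T /C /Q"),
    ("ws-0142", DROPPER, "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"),
    ("ws-0142", DROPPER, "bcdedit /set {default} recoveryenabled no"),
    ("ws-0142", DROPPER, "wbadmin delete catalog -quiet"),
    # an administrator clearing one backup catalog by hand: a single isolated hit
    ("srv-bk01", "C:\\Windows\\explorer.exe", "wbadmin delete catalog -quiet"),
    # a benign icacls call that does not hand Everyone full control
    ("ws-0200", "C:\\Windows\\explorer.exe", "icacls C:\\share /grant Users:RX /T"),
]


def classify_hosts(events, min_categories=2):
    """Return {host: sorted technique labels} for hosts matching at least
    `min_categories` distinct techniques. Requiring more than one category
    keeps routine single commands (e.g. admin backup housekeeping) below the bar."""
    hits = {}
    for host, _parent, cmdline in events:
        for label, pattern in PRE_ENCRYPTION_PATTERNS:
            if pattern.search(cmdline):
                hits.setdefault(host, set()).add(label)
    return {h: sorted(labels) for h, labels in hits.items() if len(labels) >= min_categories}
```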

After that, the encryptor will execute and make the files inaccessible. Once the ransomware executes, users get a similar warning message to the one shown below.

The ransomware will also drop a file named !Please Read Me!.txt with further instructions. The name of the file may change slightly with each infection.

The quick and easy money opportunity provided by ransomware makes it easy to see why it remains extremely profitable for attackers. How many users are paying the ransom? It is difficult to tell, because malware authors use multiple Bitcoin wallets to hide their tracks and are continuously transferring Bitcoins to and from these wallets.

Once infected, victims can try to recover their files through backups or other methods, or pay the ransom. Below are links to three blockchain sites that give some indication of the ransoms that have been collected. At the time of writing, 1 Bitcoin was equivalent to $1,784.90.

Total Received: 9.41458497 BTC

Total Received: 5.17934856 BTC

Total Received: 7.1629281 BTC

Total Received: 1.09469717 BTC

With just these three wallets linked to WannaCry, the ransomware has collected over $38,833.82 USD from victims.


Finding the Malware

The Fortinet security fabric can greatly assist organizations in tracking down this malware and understanding where it may have infected the organization.




Observed C&C IPs

Observed hash values SHA-256

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Re-posted from SonicWall Blog

WannaCry Ransomware

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection, then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional countermeasures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally used to disable the worm feature, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack. All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which disrupts C&C communication in a similar way to Botnet Filtering.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more about how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.



Some Things Will Remain Unchanged

At the forefront of South East Asia’s blooming internet security and networking market, D-Synergy has remained one of the fastest-growing value-added distributors of cutting edge internet security and networking technology, satisfying customers with its attractive products as well as a sound business continuation policy.

The road to modern success, however, was not easy. Managing Director Doreen Sim began her entrepreneurial journey long before her company’s establishment, working multiple part-time jobs to earn enough money to pay for her university education and other expenses. Then in 1998, fresh out of university and armed with a degree in political science, Doreen plunged headfirst into the emergent ICT industry, despite having no prior engineering training or IT experience. She had to cope with quickly learning the ropes of this challenging industry while trying to formulate and then execute a realistic business survival program.


Chinese New Year’s Eve happens to fall on a Sunday; most companies will not let staff off early tomorrow ahead of the holiday

Zaobao (2012-01-19)



