Organizations Can Combat WannaCry & Jaff Ransomware With Well Instrumented DNS

By Special Guest
Mohammad Tabbara, Senior Systems Engineer, UAE & Channel at Infoblox
May 22, 2017

The Infoblox Intelligence Unit observed two global malware outbreaks on Friday, May 12. Although there is no indication that the two attacks were related, both were ransomware attacks with the goal of encrypting the victims’ files and demanding payment (mostly in the form of a Bitcoin payment) in order to decrypt them.

Several reports conflated the two outbreaks based on the evidence at hand and the common use of ransomware.  Subsequent investigation revealed that they were separate attacks utilizing different distribution capabilities and malware. It is important to understand the difference between the two attacks because each one requires slightly different remediation measures.

The first attack, WannaCry, is a self-propagating worm, which leverages a known and patched vulnerability in Microsoft Server Message Block (SMB). It leverages an exploit called ETERNALBLUE and goes on to establish a backdoor known as DOUBLEPULSAR to allow for future access to the infected systems. WannaCry spreads by connecting to SMB services on local and Internet-facing systems with the vulnerability of running the backdoor.  The malware then spreads laterally by attempting connections to all systems on the local network.

During its initial infection, WannaCry checks whether an external domain (killswitch domain) is available. If the killswitch domain can be

Mohammad Tabbara, Infoblox

contacted, the encryption function does not run.  The killswitch domains are not a command-and-control server for the malware and should be monitored but not blocked. Before May 12, the domains were not registered.  Shortly after the attack started, a malware researcher registered and sinkholed the first domain. This helped prevent a lot of later infections since the malware was able to resolve the domain. If left to run normally, WannaCry will encrypt most files on a machine. Once the files are encrypted, users will be prompted to pay $300 in Bitcoin to get their files back. The cost goes up to $600 if a user takes too long to pay, and eventually the user will be unable to pay to have files returned.  Note that Microsoft had issued a patch for the SMB vulnerability that was being exploited in March 2017. That patch was not universally implemented.

While the world was preoccupied with WannaCry, there was another ransomware attack in progress called Jaff. The Jaff ransomware was launched by Necurs, one of the largest botnets in the world, notorious for spreading threats such as the Locky ransomware and the Dridex banking Trojan. It sends misleading emails to its victims encouraging them to open an attached PDF document. This document asks for additional permissions when opened and, if approved, allows the delivery and execution of the ransomware payload. The emails used to deliver Jaff employ standard spam techniques, but the exact details vary between each of the concurrent campaigns.

Once Jaff has been downloaded and executed by the malicious document, it connects to its C2 servers to communicate that encryption of the victim’s files has begun. Jaff then proceeds to encrypt the victim’s files, instructs the victim to install Tor Browser, and directs the users to a specific website that displays a ransom note and payment instructions. The exact amount demanded by the ransom varies over time, but currently averages around 2 Bitcoin (roughly $3,500 dollars).

 Best Practice Recommendations

In the face of these attacks, organizations in the Middle East are asking what they can do.

  • Implementing patches in a timely manner: WannaCry’s reliance on a known vulnerability and network scanning indicates that some traditional defenses may be effective. Ensuring timely software updates and keeping systems patched would eliminate the vulnerability and the worm’s ability to spread through that exploit. 
  • Sinkholing: Unlike the typical command-and-control domains, which should be blocked, WannaCry used a killswitch domain which had to be resolved in order to avoid activating the ransomware’s encryption function. One best practice is for an enterprise to redirect its internal request for those domains to an internal sinkhole. Permitting the infected client to successfully connect to the killswitch domain will prevent the encryption function from completing. It will also enable the enterprise to identify its internal hosts that have been impacted by the malware.
  • DNS Response Policy Zone (RPZ) capability: Using RPZ capability on the DNS server to monitor any hits to the killswitch domain helps identify infected clients.
  • Using up-to-date threat intelligence: Organizations should leverage up-to-date and curated threat intelligence across their entire security and DNS infrastructures to protect against malicious activity and DNS.



Edited by Alicia Young


SHARE THIS ARTICLE
Related Articles

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More

After Cisco/Broadsoft, Who's Next for M&A?

By: Doug Mohney    10/27/2017

Cisco's trail of acquisition tears over the decades includes the Flip video camera, Cerent, Scientific Atlantic, Linksys, and a couple of others. The …

Read More