At the first signs of what was to become a global ransomware attack on May 12, the endpoint detection and response (EDR) team at Tanium sprang into action to help our customers. Here, we provide guidance on how to use Tanium to quickly discover and mitigate the issues.
Corporations worldwide are being affected by a widespread ransomware attack which rapidly propagated and reached critical mass on May 12. The scope of the attack initially involved more than a dozen healthcare organizations in Europe, as reported by the U.K.’s National Health Service. As the day unfolded, however, it became clear the attack is, in fact, global. By May 15, the attack had spread to 150 countries and approximately 200,000 machines.
Initial indications point to a new variant of the “WannaCry” strain of ransomware, also known as “wcry” (and alternatively spelled WanaCry by some media outlets). The following summary provides guidance on using Tanium to mitigate and respond to this malware.
Mitigation: Disabling SMBv1
One of the infection and propagation vectors associated with this family of malware leverages a vulnerability in Microsoft SMBv1, documented in MS17-010, published on March 14, 2017. Tanium customers with Patch can verify their Microsoft-supported endpoints are protected from this issue. If any endpoints are not protected, customers can rapidly deploy Microsoft’s fix using Tanium’s efficient architecture.
Tanium customers with Patch can easily find vulnerable systems using the simple questions below. (Note: To view the complete syntax, use the scroll bar in the text boxes below.)
Patch 1.x and Windows Security Patch Customers: Get Available Patches matching "(.*4012598.*|.*4012212.*|.*4012215.*|.*4012213.*|.*4012216.*|.*4012214.*|.*4012217.*|.*4012606.*|.*4013198.*|.*4013429.*)" from all machines
Patch 2.x Customers: Get Applicable Patches matching "(.*4012598.*|.*4012212.*|.*4012215.*|.*4012213.*|.*4012216.*|.*4012214.*|.*4012217.*|.*4012606.*|.*4013198.*|.*4013429.*)" from all machines
However, many organizations that have been unable to patch, or were infected through other vectors, may need to pursue other mitigation strategies.
In addition to the patch for this vulnerability, Microsoft also provides mitigation guidance which includes disabling the SMBv1 protocol. SMBv1 is a legacy protocol which has been subject to a wide range of vulnerabilities and exploits. Disabling it can reduce attack surface beyond this specific malware outbreak. Microsoft has set up a web page to provide specific guidance on disabling SMBv1. In summary, this requires changing the following registry key and value key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Value: SMB1 Data: REG_DWORD: 0 = Disabled
After doing so, systems must be rebooted for this change to take effect.
As Microsoft notes, SMB is more than 30 years old but may still be utilized in environments with Windows XP / 2003 or certain legacy applications or devices. Unfortunately, versions of Windows prior to 10 / Server 2016 provide no easy mechanism to audit for the usage of this protocol version.
Disabling SMBv1 with Tanium
Tanium users can deploy actions to disable SMBv1 via a registry change, and to subsequently reboot systems. Customers are encouraged to work with their Technical Account Managers for assistance with action targeting and managing an enterprise-wide change of this scale.
Here are the steps you need to follow:
(1) Deploy package “Registry – Set Value” to targeted systems, using the registry key/value/data cited above as parameters:
To assess whether systems already have SMBv1 disabled, or to verify and monitor deployment of the corrective action as it happens, the following sensor can be used:
Registry Value Data[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, SMB1]
(2) Once the registry change has been made, deploy package “Reboot Windows Machine” as shown below. You can use “Distribute Over Time” and the “Random Reboot Delay” options to reduce action concurrency if targeting a large number of hosts.
Other Investigation and Response Steps
Many ransomware variants and other forms of self-propagating malware utilize open network shares with insecure permissions to spread themselves. The Tanium sensor Open Share Details can help identify unwanted or susceptible shares. However, note that share permissions have no affect on the aforementioned SMBv1 exploit.
Tanium users with the Incident Response and Trace modules can run ad-hoc queries for artifacts of this most recent variant of the “Wcry” ransomware in the following ways:
- Search files at-rest on disk for the renamed document extensions created by the malware, “.wcry” and “.wncry”, using the Index Query File Details sensor (requires that Tanium Index be deployed).
- Search historical file operations for files that have been renamed to include the extensions “.wncry” or “.wcry”, using the Trace File Operations sensor (requires that Tanium Trace be deployed). Additional details:
- Check the box to use regular expression search
- File Path: .*\.(wncry|wcry)$
- File Operation: (CreateNewFile|RenamePath|Write)
- Search historical process execution or live running processes for file names associated with the “WCry” malware using Trace Executed Processes or Running Processes with MD5 Hash sensors. As of this writing, known malware file names include: “C:\Windows\mssecsvc.exe” and “C:\WINDOWS\tasksche.exe”. In environments without Trace or Index previously deployed, Tanium provides IR sensors that search native OS sources of evidence, such as Shim Cache and Prefetch, that may also contain artifacts of the malware.
- Tanium customers with IOC Detect can run at-scale searches for the file and network-based indicators related to this malware. IOC Detect applies indicators to live artifacts, historical data via Trace, and at-rest data via Index.As of this writing AlienVault OTX contains the following IOCs for “WCry” https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/ and other private information-sharing communities have been actively distributing alerts with additional indicators in OpenIOC and STIX/CyBOX formats.
- Tanium customers with Protect can enforce application blacklisting rules that block the execution of “tasksche.exe” and “mssecsvc.exe” by name & path.
(Editor’s Note: This blog post was updated on May 15 at 3:00 pm PT to reflect new information about the spread of the attack and to correct syntax on the questions recommended for customers of Tanium Patch.)
Get our latest software updates and support announcements:
Like what you see? Click here and sign up to receive the latest Tanium news and learn about our upcoming events.