Akamai Diversity

The Akamai Blog

WannaCry: What We Know

On Friday, May 12, news agencies around the world reported that a new ransomware threat was spreading rapidly. Akamai's  incident response teams and researchers worked quickly to understand this new threat and how to mitigate it. This blog post is a summary of what Akamai knows at this point.

Remember that this is still an evolving threat and this information may change.

Akamai will update this post as we collect new information.

The Threat

WannaCry, a variant of WCry, is a ransomware attack. It has been reported to spread through several vectors, including through malicious email. However, the only confirmed mechanism so far is by scanning for IP addresses of vulnerable systems and attacking them. WannaCry looks for systems with port 445 exposed, on either the LAN or the public Internet, and exploits a vulnerability in the SMB protocol. Other reports indicate that an RDP vulnerability has also been used.

Like other ransomware attacks, the malware encrypts the victim's files and displays a message demanding payment in order to have your files decrypted. WannaCry specifically targets and infects unpatched Windows machines. This attack has been linked to the leaked NSA tool called ETERNALBLUE, a tool that has been adopted by the WannaCry authors. The vulnerability that ETERNALBLUE exploits was patched by Microsoft, as part of MS17-010 released in March 2017. We have also seen reports that another exploit, DOUBLEPULSAR, is also used by WannaCry. This exploit creates a backdoor on the system targeted by ETERNALBLUE and uses the backdoor to spread.  

Since WannaCry reuses one of three bitcoin addresses for payment, it's difficult for the attackers to know which victim has paid which ransom. This casts doubt on how the attackers will respond to a victim claiming to have paid.

How was Akamai affected?

Akamai has not been directly affected by WannaCry. In response to the revelation of the ShadowBroker vulnerabilities in April, Akamai conducted an audit of its Windows systems and used patching or service removal as appropriate.

Additionally, the bulk of the systems Akamai uses to serve end-users are fundamentally immune to ransomware: they are designed to be wiped and reinstalled with some frequency. There is no unique data on them to be ransomed. This is a side-effect of having built processes for unattended maintenance of over a quarter of a million servers around the globe.

How can I protect myself?

First and foremost: patch your systems as soon as possible. While patching, block incoming TCP connections on port 445. There is also a mechanism for disabling the currently known variants of the malware: a kill-switch domain.

Several WannaCry variants have a kill-switch embedded in the code. They make an HTTP request to a preconfigured domain and if they get a response, they terminate themselves. Each variant may use a different kill-switch domain. You should not block access to any of these domains or you will have disabled the kill-switch and allowed the malware to continue to infect your systems and scan for other vulnerable systems on the Internet.

Reported kill-switch domains include:

  • www DOT iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea DOT com

  • www DOT ifferfsodp9ifjaposdfjhgosurijfaewrwergwea DOT com

  • www DOT iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea DOT com

The last of these domains is unregisterable. If you operate your own DNS infrastructure, you can configure it to point that domain to any working web server to activate the kill-switch. These domains have been changed several times since the malware first launched. Expect new domains to be added over time.

How can Akamai help?

Several Akamai products are able to assist in stopping the spread of the attacks by activating the kill-switch or intercepting the spread of the worm directly.

If you are already using our Prolexic services and want an additional layer of protection while you patch, the simplest configuration change is to filter traffic targeting port 445 (SMB). This block will work for any IP addresses you are currently routing through Prolexic services. Usage of Prolexic services is only part of a holistic mitigation solution which should include patching to halt the spread of the Wannacry worm.

You should not block access to any of the kill-switch domains or you will have disabled the kill-switch and reactivated the malware.

Decrypter Update

Security researchers have discovered two mechanisms that can recover files encrypted by WannaCry. The first, wanakiwi, relies on your computer not being restarted/rebooted since the encryption began, which is less likely as time goes on. The second technique is to use a standard file recovery utility. This technique relies on the fact that WannaCry reportedly encrypts a copy of each file and then deletes the original. If the space on the storage device has not been overwritten, it may be possible to "undelete" the original file without having to do any decryption.