How to detect WannaCry on your server
WannaCry (also named WannaCrypt) is the latest ransomware attack that has affected over 100 countries and crippled several businesses. The malware is similar to other ransomware in that it encrypts local files with 2048-bit RSA encryption and requires a $300 ransom payment to decrypt them. The fee doubles if the victim takes too much time.
This new attack uses leaked NSA exploit code that targets SMBv1 (Server Message Block version 1), which makes it very efficient for attackers. The SMBv1 protocol is outdated, but many Windows network administrators leave it enabled because it is on by default. WannaCry also self-replicates to network shares, so it spreads quickly, especially on local enterprise networks. So far, the authors of WannaCry have made $70,000 in ransom fees.
Short of discovering that all of your important files have been encrypted, the way to detect WannaCry is by monitoring network traffic. You could be hosting WannaCry on your servers without knowing it, but with monitoring software you can stop it before it causes critical downtime on your network. WannaCry is the perfect example of why you should always have some type of monitoring system in place: it helps you detect and stop malicious network traffic.
If you are lucky enough to still have a running server, you can detect WannaCry before it encrypts your files. Here are some basic events that you can monitor:
• File create or rename events
• Using SMBv1 to access file shares
• DNS lookup events for a specific domain
• Outbound traffic on TCP port 445
Because WannaCry encrypts files, it creates new versions of your documents and stores them on the server’s drives. If you have auditing set up on your file shares, you should be able to review logs to detect the ransomware. WannaCry creates files with the following extensions:
If you have these files on your system, chances are that the ransomware has already encrypted some of your documents. You can scan the entire network for these files to identify which systems it has infected.
SMBv1 should be disabled on your network, but it is commonly left enabled because that is the default. SMBv1 uses TCP port 445, so you can watch for unexpected traffic on that port at your routers. Log every attempt to connect to shares over port 445, and you can find out which machine could be infected. If you have a Windows server, you can also detect port 445 traffic using the built-in Windows Firewall.
WannaCry attempts to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Security researchers believe that this domain is used as a “kill switch” should the attacker need the ransomware to stop working. A researcher registered the domain, which ultimately stopped the program from replicating.
You can detect any DNS queries for this domain either on your network or on your DNS servers if you host your own service. Your host provider might alert you if they find too many queries on their DNS servers from your local network, but you should actively look for these queries on your own.
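The two network indicators above (queries for the kill-switch domain, and one host opening port 445 to many others) can be checked against your own DNS and firewall logs. The script below is an added example, not code from the original article: it uses constructed sample log lines in a hypothetical format, and the five-destination threshold and the field layout are assumptions you would adapt to your own log sources.

```python
# Added example: scan DNS and firewall connection logs for WannaCry network indicators.
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # from the article
SMB_PORT = 445
SCAN_THRESHOLD = 5  # assumed: distinct port-445 destinations before a host is flagged

# Constructed sample logs (hypothetical format):
#   "<timestamp> DNS <src_ip> query <name>"
#   "<timestamp> CONN <src_ip> <dst_ip>:<port> ALLOW|DENY"
SAMPLE_LOGS = """\
2017-05-12T10:01:00 DNS 10.0.0.23 query www.example.com
2017-05-12T10:01:05 DNS 10.0.0.23 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:06 CONN 10.0.0.23 10.0.0.10:445 ALLOW
2017-05-12T10:01:06 CONN 10.0.0.23 10.0.0.11:445 ALLOW
2017-05-12T10:01:06 CONN 10.0.0.23 10.0.0.12:445 DENY
2017-05-12T10:01:07 CONN 10.0.0.23 10.0.0.13:445 ALLOW
2017-05-12T10:01:07 CONN 10.0.0.23 10.0.0.14:445 ALLOW
2017-05-12T10:02:00 CONN 10.0.0.50 10.0.0.10:445 ALLOW
2017-05-12T10:02:01 CONN 10.0.0.50 93.184.216.34:443 ALLOW
"""

DNS_RE = re.compile(r"^(\S+) DNS (\S+) query (\S+)$")
CONN_RE = re.compile(r"^(\S+) CONN (\S+) (\S+):(\d+) (ALLOW|DENY)$")


def analyze(log_text):
    """Return findings: kill-switch DNS lookups and hosts fanning out on TCP 445."""
    findings = {"killswitch_dns": [], "smb_scanners": {}}
    dests_by_src = defaultdict(set)  # src_ip -> set of distinct port-445 destinations
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, src, qname = m.groups()
            if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
                findings["killswitch_dns"].append((ts, src))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, port, _action = m.groups()
            if int(port) == SMB_PORT:  # denied attempts count too: the host is probing
                dests_by_src[src].add(dst)
    for src, dests in dests_by_src.items():
        if len(dests) >= SCAN_THRESHOLD:
            findings["smb_scanners"][src] = len(dests)
    return findings


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOGS).items():
        print(indicator, hits)
```

A single host legitimately reaching one file server on 445 (10.0.0.50 above) stays below the threshold; a host that walks across many neighbours on 445 right after resolving the kill-switch domain is the pattern worth isolating first.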
The single best defense against WannaCry is patching your servers. This ransomware targets Windows servers, so updating your operating system and disabling SMBv1 is the suggested defense. Microsoft also released a signature for Windows Defender to stop WannaCry from running on your system.
Since WannaCry rapidly replicates, it’s imperative that you actively monitor for the ransomware. The faster you stop it, the less damage it can do to your system. You can’t decrypt files encrypted by WannaCry, so if you find that it’s infected your network, you could be paying the ransom to gain access to your files again.