We’ve highlighted the Phantom Community Ransomware Playbook before on the Phantom Blog. It is a general purpose ransomware playbook that is adaptable to many different types of ransomware. Given the widespread impact of the WannaCry threat, however, we wanted to dedicate a blog entry to this particular threat and provide you with customized playbooks and other resources that will help you address the threat using automation and avoid consuming more of your analyst’s resources than necessary.
WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, WCry, WCrypt, and Wanna Decryptor) is a ransomware type of malware that targets Microsoft Windows systems. The ransomware is part of a large-scale and ongoing attack currently spreading worldwide. It propagates using methods like phishing emails and exploits against unpatched systems. While significant progress has been made to curtail propagation of the attack using a DNS sinkholing technique, it will likely continue to present itself for an extended period of time due to its worm-like characteristics.
We strongly recommend taking steps as outlined by Microsoft for preventing WannaCry infections. We are also offering Phantom Community members an extensible model for automating and orchestrating the prevention, hunting, investigation, and remediation workflows for WannaCry and other Ransomware threats like it using the Phantom Platform.
NOTE: Details that enhance an organization’s ability to detect, hunt, investigate, and remediate WannaCry ransomware may evolve, so be sure to maintain up-to-date intelligence for the threat using one or more of our threat intelligence partners.
Phantom Community Resources
Phantom has created four community playbooks that will immediately help in the management of the WannaCry outbreak. These playbooks are generally applicable to any malware scenario, however the Custom Lists that are used in the playbooks allow them to be tuned specifically to WannaCry.
Phantom Community Playbooks
- WannaCry Hunting (wannacry_hunting)
- WannaCry Investigate (wannacry_investigate)
- WannaCry Remediate (wannacry_remediate)
- WannaCry Prevent (wannacry_prevent)
Phantom Custom Lists
- WannaCry IOCs – File Names (wannacry_file_names)
- WannaCry IOCs – File Hashes (wannacry_hashes)
- WannaCry IOCs – IP Addresses (wannacry_ip_addrs)
- WannaCry IOCs – DNS Domains (wannacry_domains)
- WannaCry Infections – Local Endpoints (wannacry_infected_endpoints)
- WannaCry Remediations – Local Endpoints (wannacry_remediated_endpoints)
- WannaCry Patches – Local Endpoints (wannacry_patched_endpoints)
Note: The playbooks will use the custom list naming specified above (e.g. wannacry_hashes). If you do not have a custom list with that name already created on your Phantom platform, the playbook will automatically create one for you.
Playbook: WannaCry Hunting (wannacry_hunting)
- This playbook operates on these assets: Carbon Black and ServiceNow.
- The playbook uses IP Address and File Hash IOCs, stored in custom lists, as input parameters to the hunting actions.
- The results from the Carbon Black hunt file and list connections actions are checked against the wannacry_infected_endpoints custom list to determine if the infections are already known.
- Hunting results associated with new infections are passed into a formatting block in preparation for ticket creation.
- The playbook then creates a ticket in ServiceNow with all of the information pulled from investigative actions.
- The action results can also be viewed from Phantom’s Mission Control interface where further actions or playbooks may be executed.
Playbook: WannaCry Investigate (wannacry_investigate)
- This playbook operates on these assets: Carbon Black, ServiceNow, and VMware vSphere.
- The playbook operates against artifacts that have been ingested from a data source, signaling a security event.
- The first decision block of the playbook determines if the source addresses associated with the event are known infected endpoints by checking against the wannacry_infected_endpoints custom list.
- The second decision block of the playbook is responsible for determining if any of the artifacts ingested are present in the custom lists containing WannaCry IOCs.
- Meeting the second condition suggests the security event is part of the WannaCry outbreak.
- Investigative actions are executed using Carbon Black to obtain as much information about the system as possible.
- Affected endpoints are added to the wannacry_infected_endpoints custom list.
- If the system is a VM, a snapshot is taken using VMware vSphere for forensic and backup purposes.
- The information obtained is formatted appropriately for submission to a ticketing system or email.
- A ticket is created using ServiceNow that indicates a WannaCry event has been confirmed.
Playbook: WannaCry Remediate (wannacry_remediate)
- This playbook operates on these assets: Carbon Black, VMware vSphere, and the Phantom agent.
- To start, there is a check against the wannacry_remediated_endpoints custom list to ensure the endpoints in question have not already been remediated.
- The next decision block will determine if any of the artifacts ingested from the data source are present in the custom lists containing IOCs associated with the WannaCry outbreak.
- The endpoints related to all new matches are investigated further first by determining if the endpoint is a VM. Depending on whether the system is a VM or not, a series of remediation actions are taken.
- In either case, where the system is a VM or a bare metal server, processes associated with WannaCry are terminated, relevant file hashes are blocked, and relevant IPs are blocked. This is all done directly on the endpoint using Carbon Black and the Phantom Agent.
- In parallel to blocking actions above, the playbook will take action on the file system by reverting the VM (applicable to a VM) or deactivating the partition (applicable to a bare metal server).
- At the end of the playbook, the affected endpoints are added to the wannacry_remediated_endpoints custom list.
Playbook: WannaCry Prevent (wannacry_prevent)
- This playbook operates on these assets: Carbon Black, Phantom Agent, and Service Now.
- First, the playbook compares the list of target endpoints against the wannacry_patched_endpoints custom list to eliminate redundant processing.
- Next, the playbook obtains a list of all endpoints being managed by Carbon Black.
- The filter block is responsible identifying which systems are Windows platforms.
- For the identified Windows platforms, Carbon Black is used to identify the OS installation version. A filter block is used to identify the Windows systems that are not up to date and are therefore vulnerable to WannaCry.
- A ticket is created in ServiceNow containing a list of all of the endpoints that are not sufficiently patched.
- Windows update (wauctl.exe) is then remotely executed on all of the unpatched systems.
- After patching, there is a follow on check to ensure the hotfix was applied to the system.
- If the hotfix failed to apply, the ticket is updated to reflect which systems failed to update.
- Any affected systems are added to the wannacry_patched_endpoints custom list.
Custom List: WannaCry IOCs – File Names (wannacry_file_names)
File names include:
Please Read Me!.txt
This Custom List should contain the known file names associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides a list of file names associated with the ransomware malware on their blog. You can access that article here.
Custom List:WannaCry IOCs – File Hashes (wannacry_hashes)
File hashes include:
This Custom List should contain the known file hash values associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides a list of file hash values associated with the ransomware malware on their blog. You can access that article here.
Custom List: WannaCry IOCs – IP Addresses (wannacry_ip_addrs)
IP Addresses include:
This Custom List should contain the known IP Addresses associated with WannaCrypt, with most being Command and Control (CnC) servers. Be sure to regularly update this list with the latest threat intelligence. IBM X-Force has created a collection on their X-Force Exchange platform that includes IP Addresses associated with the ransomware malware. That collection can be found here.
Custom List:WannaCry IOCs – DNS Domains (wannacry_domains)
DNS Domains include:
This Custom List should contain the known DNS Domains associated with WannaCrypt. Be sure to regularly update this list with the latest threat intelligence. Microsoft provides DNS Domains associated with the ransomware malware on their blog. You can access that article here.
If you already have the Phantom Enterprise or Community Edition, these new playbooks will appear after the platform’s next sync with the Github repository Phantom Cyber / Playbooks. To manually synchronize the repository with Github, be sure to check the “Force Update” box when updating from source control in the Playbook listing page. If you need to download Phantom to get started, you can do that here.