To follow on from my previous post on how to create real-time alerts to detect WannaCry infected machines, this article describes how to run historical reports using Fastvue Sophos Reporterto find machines that have potentially been infected by WannaCry Ransomware.
The first and second variations of WannaCry ransomware access the following domains respectively:
You can therefore run a report on all machines that have accessed these domains using Fastvue Sophos Reporter.
Fastvue Reporter has three main reports, Overview Reports, User Overview Reports and Activity Reports. You can learn about the differences between the reports here. In this situation, we do not want to run a report on a specific user, so Overview Reports and Activity Reports are the most useful for identifying WannaCry Ransomware infections.
Let's start by running an Overview Report on the domains that WannaCry Ransomware accesses:
Go to Reports | Overview Report and click the Filter button.
Select the Filter: Site Domain 'Equal to' iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com AND Site Domain 'Equal to' ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
To avoid having to specify the filter again in the future, click the Save Filter button and save the filter as 'WannaCry Ransomware'
Select the Date Range you want to run the report on, and click Run Report (note, only data that has been imported into Fastvue Reporter will be reported on. See Settings | Data Storage for information on the dates available to report on)
The Overview Report will show you the Top Users that have accessed the WannaCry Ransomware kill switch domains, along with Source IPs, Sophos Actions and more.
Now let's run an Activity Report to get more details on exactly when the WannaCry Ransomware domains were accessed, and what the full URLs were.
Go to Reports | Activity Reports
The Filters interface is already shown as Activity Reports require you to enter at least one filter. As we saved the filter for WannaCry Ransomware when running the Overview Report above, click the Load Filter button and select the WannaCry Ransomware filter.
Delete the default and currently blank/invalid 'Origin Domain' filter
Again, select the date range you want to run the report on and click Run Report
The Activity Report shows each individual session to the WannaCry Ransomware kill switch domains, including the user, start time and end time. Click the rows in the report to expand each session to view the full URLs, timestamps, and Sophos Action.
Note: Note the URLs to the favicon.ico file above that occur a few seconds after the first hit to the domain. When testing, I was simply browsing to the WannaCry kill switch domains in my web browser. I wasn't actually infected with WannaCry Ransomware. If you see accesses to the favicon.ico file, this is a good indication that the clients are not actually infected, and were just browsing to the domains using a web browser as most web browsers automatically try to access the favicon.ico file.
Don't freak out if you see Sophos has allowed these URLs. This is actually the desired result, as the WannaCry Ransomware will install itself if it cannot access these URLs.
Whatever you do, do not block these domains on your Sophos UTM, XG or Web Appliance. Make sure these domains are whitelisted.
The reports described above only report on the domains that the first two variations of WannaCry Ransomware attempt to before the installation phase (see here for more information on how the WannaCry ransomware kill switch domains work).
However, there is already a new variation that does not make any requests to a kill switch domain, which the above reports will not pick up on. So please make sure all your machines are patched, and legacy Operating Systems are updated. See Microsoft's Customer Guidance for WannaCrypt Attacks.
As mentioned in the previous article, Fastvue Reporter does not block WannaCry Ransomware (or any malware) itself, but it does provide the visibility needed to effectively manage your Sophos UTM, XG or Web Appliance and ensure the security of your network and users.
To stay on top of any future incidents that may occur, we also recommend creating a real-time alert to detect WannaCry infected machines.
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
Reporting on WannaCry Ransomware Infected Machines
Create Real-time Alerts for WannaCry Ransomware Infected Machines (Sophos)