sophos

Reporting on WannaCry Ransomware Infected Machines

by

Scott Glew

Scott Glew

To follow on from my previous post on how to create real-time alerts to detect WannaCry infected machines, this article describes how to run historical reports using Fastvue Sophos Reporterto find machines that have potentially been infected by WannaCry Ransomware.

The first and second variations of WannaCry ransomware access the following domains respectively:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

You can therefore run a report on all machines that have accessed these domains using Fastvue Sophos Reporter.

Fastvue Reporter has three main reports, Overview Reports, User Overview Reports and Activity Reports. You can learn about the differences between the reports here. In this situation, we do not want to run a report on a specific user, so Overview Reports and Activity Reports are the most useful for identifying WannaCry Ransomware infections.

Overview Reports on WannaCry Ransomware Infections

Let's start by running an Overview Report on the domains that WannaCry Ransomware accesses:

  1. Go to Reports | Overview Report and click the Filter button.

    WannaCry Reports - Filtering Overview Reports

  2. Select the Filter: Site Domain 'Equal to' iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com AND Site Domain 'Equal to' ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

    WannaCry Reports Filtering By Kill Switch Domains

  3. To avoid having to specify the filter again in the future, click the Save Filter button and save the filter as 'WannaCry Ransomware'

    WannaCry Reports - Saving Filter

  4. Select the Date Range you want to run the report on, and click Run Report (note, only data that has been imported into Fastvue Reporter will be reported on. See Settings | Data Storage for information on the dates available to report on)

The Overview Report will show you the Top Users that have accessed the WannaCry Ransomware kill switch domains, along with Source IPs, Sophos Actions and more.

WannaCry Report Overview Report - Top Users

WannaCry Report - Destination And Source IPs

Activity Reports on WannaCry Ransomware Infections

Now let's run an Activity Report to get more details on exactly when the WannaCry Ransomware domains were accessed, and what the full URLs were.

  1. Go to Reports | Activity Reports

  2. The Filters interface is already shown as Activity Reports require you to enter at least one filter. As we saved the filter for WannaCry Ransomware when running the Overview Report above, click the Load Filter button and select the WannaCry Ransomware filter.

  3. Delete the default and currently blank/invalid 'Origin Domain' filter

    WannaCry Reports - Loading Filter

  4. Again, select the date range you want to run the report on and click Run Report

The Activity Report shows each individual session to the WannaCry Ransomware kill switch domains, including the user, start time and end time. Click the rows in the report to expand each session to view the full URLs, timestamps, and Sophos Action.

WannaCry Reports - Activity Report

Note: Note the URLs to the favicon.ico file above that occur a few seconds after the first hit to the domain. When testing, I was simply browsing to the WannaCry kill switch domains in my web browser. I wasn't actually infected with WannaCry Ransomware. If you see accesses to the favicon.ico file, this is a good indication that the clients are not actually infected, and were just browsing to the domains using a web browser as most web browsers automatically try to access the favicon.ico file.

Whitelisting WannaCry Ransomware's Kill Switch Domains

Don't freak out if you see Sophos has allowed these URLs. This is actually the desired result, as the WannaCry Ransomware will install itself if it cannot access these URLs.

Whatever you do, do not block these domains on your Sophos UTM, XG or Web Appliance. Make sure these domains are whitelisted.

Limitations

The reports described above only report on the domains that the first two variations of WannaCry Ransomware attempt to before the installation phase (see here for more information on how the WannaCry ransomware kill switch domains work).

However, there is already a new variation that does not make any requests to a kill switch domain, which the above reports will not pick up on. So please make sure all your machines are patched, and legacy Operating Systems are updated. See Microsoft's Customer Guidance for WannaCrypt Attacks.

Summary

As mentioned in the previous article, Fastvue Reporter does not block WannaCry Ransomware (or any malware) itself, but it does provide the visibility needed to effectively manage your Sophos UTM, XG or Web Appliance and ensure the security of your network and users.

To stay on top of any future incidents that may occur, we also recommend creating a real-time alert to detect WannaCry infected machines.

Good luck!

Take Fastvue Reporter for a test drive

Download our FREE 14-day trial, or schedule a demo and we'll show you how it works.

  • Share this story
    facebook
    twitter
    linkedIn

Reporting on WannaCry Ransomware Infected Machines

This article describes how to use Fastvue Reporter for SonicWall to report on machines potentially infected with WannaCry Ransomware on your network.
SonicWall

Create Real-time Alerts for WannaCry Ransomware Infected Machines (Sophos)

Receive instant alerts for machines that are potentially infected with the WannaCry Ransomware using Fastvue Sophos Reporter.
Sophos