As the investigation of the WannaCry ransomware keeps evolving, more evidence is revealed and more theories are suggested. While analyzing the DNS and HTTP traffic of domains and clients involved in WannaCry we made several useful discoveries, which may shed some additional light on this cybercrime.
How it all started
Our first evidence of WannaCry was found at 7:44am UTC (12 May 2017), when a client from an ISP in Southeast Asia queried WannaCry’s kill-switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). In the following hours we identified thousands of additional WannaCry-infected clients, from a wide variety of countries and ISPs, trying to communicate with the domain.
Overall we saw the WannaCry infection start in Asia, move to South America, and only then, almost 2 hours later, reach Continental Europe and the UK (and the US a little while later). The public announcement of the attack on the NHS came 7 hours after our first sighting (around 15:00 UTC), at a time when we already saw infections in over 60% of the ISPs in Latin America and Asia (including Southeast Asia, Australia and New Zealand), and in over 30% of the ISPs in Europe.
Worldwide distribution over time
The distribution of the WannaCry infection can be seen here:
Figure 1: Distribution of WannaCry infected devices per minute (sample based)
As expected, the number of victims hit per minute was highest in the early hours of the attack and declined as people and organizations became aware of the threat and took preventive steps. In addition, the kill-switch domain was registered by 15:08 UTC; from that point the malware’s connection check to the domain succeeded, which causes the sample to exit before running its payload (this is precisely why the domain acts as a kill switch). Note that a query for the domain still indicates an infected host after that time; it only means the host was spared encryption.
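The telemetry described above comes down to one question a defender can ask of their own resolver logs: which clients queried the kill-switch domain, when did each ISP (or site) first see it, and how many distinct clients hit it per minute? The following is an added example written for this page, not the vendor’s own tooling or Domain2Vec. The log format (timestamp, ISP label, anonymised client id, queried name, response code) and the sample lines are constructed assumptions; adapt `parse_line` to your resolver’s format.

```python
"""Hunting WannaCry kill-switch lookups in DNS query logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Kill-switch domain from the post (defanged brackets removed for matching).
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Registration (sinkholing) time of the domain as stated in the post.
KILL_SWITCH_REGISTERED = datetime(2017, 5, 12, 15, 8, tzinfo=timezone.utc)

# Constructed sample log lines (not real telemetry). Fields:
# ISO-8601 UTC timestamp, ISP label, client id, queried name, response code.
SAMPLE_LOG = """\
2017-05-12T07:44:02Z isp-sea-1 c0001 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T07:44:41Z isp-sea-1 c0002 www.example.com NOERROR
2017-05-12T08:10:17Z isp-sea-2 c0003 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T08:10:59Z isp-sea-2 c0003 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T09:50:03Z isp-latam-1 c0004 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T11:31:45Z isp-eu-1 c0005 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
2017-05-12T15:20:30Z isp-eu-1 c0006 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, isp, client, qname, rcode = parts
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Normalise the name: DNS is case-insensitive and some resolvers log the
    # trailing root dot, so lower-case and strip it before comparing.
    return {"when": when, "isp": isp, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def kill_switch_hits(log_text):
    """Return every parsed record whose queried name is the kill-switch domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == KILL_SWITCH:
            hits.append(rec)
    return hits


def infected_clients(hits):
    """Distinct client ids that queried the kill switch (one host may query repeatedly)."""
    return {h["client"] for h in hits}


def first_seen_per_isp(hits):
    """Earliest kill-switch query per ISP label; this is the propagation timeline."""
    first = {}
    for h in hits:
        if h["isp"] not in first or h["when"] < first[h["isp"]]:
            first[h["isp"]] = h["when"]
    return first


def propagation_order(hits):
    """ISP labels ordered by the time the infection first appeared in them."""
    first = first_seen_per_isp(hits)
    return sorted(first, key=first.get)


def clients_per_minute(hits):
    """Distinct infected clients per minute, the series behind a per-minute chart."""
    buckets = defaultdict(set)
    for h in hits:
        buckets[h["when"].strftime("%Y-%m-%dT%H:%M")].add(h["client"])
    return {minute: len(clients) for minute, clients in sorted(buckets.items())}


def phase(hit):
    """Before registration the lookup failed (NXDOMAIN), the malware's connection
    check failed and the payload ran. After registration the name resolved, the
    check succeeded and the sample exited. Both phases mean the host is infected."""
    return "pre-sinkhole" if hit["when"] < KILL_SWITCH_REGISTERED else "post-sinkhole"


if __name__ == "__main__":
    hits = kill_switch_hits(SAMPLE_LOG)
    print("infected clients:", sorted(infected_clients(hits)))
    print("propagation order:", propagation_order(hits))
    print("clients per minute:", clients_per_minute(hits))
    for h in hits:
        print(h["when"].isoformat(), h["isp"], h["client"], phase(h))
```

Two caveats when running this on real logs: deduplicate by client, since an infected host retries the lookup and would otherwise inflate per-minute counts (client `c0003` above illustrates this), and treat post-sinkhole hits with a little more suspicion, because after the domain became public, scanners and researchers also queried it.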
Beyond the Numbers
Beyond understanding the propagation sequence of the attack, we were able to use our Domain2Vec algorithm to categorize and classify the behaviors of some of WannaCry’s victims. The data processed by Domain2Vec is obfuscated, yet the algorithm can still determine the category of the domains queried by the victim devices.
The graph below shows the clusters identified by the algorithm, with each ‘behavioral group’ drawn in a distinct color:
In terms of common group behaviors, the top 3 groups identified by the algorithm are:
- Gamers: devices involved in online multi-player games were more likely to be infected with WannaCry. This may be related to the use of unlicensed (and therefore unpatched) copies of Windows. At the time of writing the initial entry mechanism of WannaCry into a network is not completely clear, but it is very clear that unpatched Windows machines on the network are the targets.
- TeamViewer users: on many of the WannaCry-infected devices we saw TeamViewer activity. One possible explanation is that these are machines deliberately set up for remote access, for which TeamViewer serves a purpose similar to RDP. Note that WannaCry itself spreads over SMBv1 (the vulnerability patched by MS17-010, exploited by EternalBlue), not over TeamViewer or RDP, so TeamViewer usage is at most a marker of remotely managed and loosely patched machines rather than an infection vector.
- Previously infected: many of the devices infected with WannaCry had already shown previous infections of other types. Generally speaking, these devices had past communication with various botnet command-and-control servers, and might already have had a remote access trojan installed. We have seen this phenomenon many times in our research: one breach makes you somewhat more likely to suffer another.
We hope some of these findings help in the joint battle against ransomware. If you have any questions, or want to share your battlefront notes, please contact us.