Notes on the WannaCry Ransomware Outbreak

This post will discuss some points related to detecting the WannaCry malware that has been causing problems over the last few days. There are lots of good resources about this that are updated frequently, but I may update this post with more details as new variants emerge.

For an earlier discussion of novel ransomware detection, see my post from last summer. (Note that my prediction that 2016 was “Peak Ransomware” did not seem to be correct!)

Detecting external SMB traffic

The big reason why WannaCry spread so quickly is that it uses a recently disclosed vulnerability in SMB, a ubiquitous protocol in Windows networks. Some variants of the malware scan for vulnerable endpoints on the Internet.

The Observable service will automatically alert on many inbound scans, but you can also query for them yourself. From the Observable web portal you can check for these scans with a query:

  • Go to Models > Session Traffic
  • Exclude private subnets in the “Connected IP” field by using the - sign in front of the CIDR ranges. For example, - excludes all 10.0.0.x addresses.
  • Specify ports 139 and 445 in the “Port” field

The filter will look like this:

The results will be shown after the query executes. The table is exportable to CSV. (Note that the screenshot below is just an example set of results; these IP addresses are not associated with the malware.)

Detecting connections to hidden services

The commonly analyzed variants of the malware use a Tor browser to communicate with their command and control servers. To do this, the malware must first download a Tor client.

For sites that have an Observable sensor on-prem (and with DNS visibility), you can get alerts for the initial distribution:

  • Go to Settings > Alerts > Configure Watchlists
  • Under “IPs and Domains” add a new item
  • The “Resource” should be The other fields are customizable.

You can also add a watchlist for connections to Tor exit relays, which might be used in routing the traffic to the hidden service.

  • Go to Settings > Alerts > Configure Watchlists
  • Under “Third Party Watchlists” add a new item
  • The “Watchlist URL” should be
  • The other fields are customizable - I would recommend setting the “Threshold” to 2 and enabling the “Bidirectional” field to reduce Type I errors (false positives).

When there are hits against the watchlist they will show as an alert. Some sample Observations are below.

This, of course, will alert for non-malicious Tor traffic also, so use with care.

Detecting the infamous “sandbox detector”

The malware attempts to determine whether it is being examined in a sandbox environment by connecting to a randomly generated domain name. The registration of one such domain is what allowed one researcher to temporarily stop the infection from spreading.

For sites that have an Observable sensor on-prem (and with DNS visibility), you’ll automatically get alerts for spikes in connection attempts to these domains. You can also look at potential detections from the Observations > Types > Domain Generation Algorithm Observation:

We wrote about this capability a while back.

Detecting potentially vulnerable machines

Windows XP and Windows 2003 were vulnerable to the SMB infection (until the out-of-band patch was released). These machines are detectable on the network through their ephemeral port selection strategy: they only use ports 1024-5000 as the source port when making outbound TCP connections.

The procedure is a little less straightforward than finding the external SMB traffic above, but you can use the Observable Session Traffic query page to find such machines:

  • Pick a target subnet to search, and put it in the “IP” field (e.g.
  • Set the “Protocol” field to TCP
  • Set the “Port” field to 1024-5000
  • Run the query and export the results
  • Do a new query, but change the ports to 5001-65535
  • In a spreadsheet, subtract the IPs that use the higher port range. The ones that only use the lower port range are potentially legacy machines.
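Both the external-SMB query above and the legacy-host procedure can be reproduced offline against an exported session table. The following is an added example, not Observable's code or export format: it assumes each record is (source IP, source port, destination IP, destination port, protocol), treats the "Port" field of the legacy procedure as the client's source port, and uses a constructed sample of records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, proto).
# The column layout is an assumption, not the real CSV export format.
SESSIONS = [
    ("198.51.100.7", 51234, "10.0.0.5", 445, "tcp"),  # external host probing SMB
    ("198.51.100.7", 51235, "10.0.0.6", 139, "tcp"),
    ("10.0.0.9", 49200, "10.0.0.5", 445, "tcp"),      # internal SMB, not a scan
    ("10.0.0.21", 1025, "10.0.0.3", 80, "tcp"),       # only low ephemeral ports
    ("10.0.0.21", 1031, "10.0.0.3", 443, "tcp"),
    ("10.0.0.21", 4999, "10.0.0.4", 53, "tcp"),
    ("10.0.0.22", 1040, "10.0.0.3", 80, "tcp"),       # mixed ranges: modern host
    ("10.0.0.22", 49500, "10.0.0.3", 443, "tcp"),
    ("10.0.0.23", 2000, "10.0.0.3", 80, "udp"),       # UDP is ignored by the rule
]

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}


def is_private(ip):
    """True for RFC 1918 addresses, i.e. the ranges the query excludes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def external_smb_sources(sessions):
    """Non-private sources connecting to TCP 139/445: inbound SMB scanning."""
    return sorted({src for src, _, _, dport, proto in sessions
                   if proto == "tcp" and dport in SMB_PORTS
                   and not is_private(src)})


def legacy_ephemeral_hosts(sessions, min_conns=3):
    """Internal hosts whose TCP source ports all fall in 1024-5000.

    This is the 'subtract the higher port range' step done in code.
    min_conns avoids flagging a host seen too rarely to judge its range.
    """
    ports = defaultdict(set)
    for src, sport, _, _, proto in sessions:
        if proto == "tcp" and is_private(src):
            ports[src].add(sport)
    return sorted(host for host, seen in ports.items()
                  if len(seen) >= min_conns
                  and all(1024 <= p <= 5000 for p in seen))
```

A host that appears only in the lower range is a candidate legacy machine, not a confirmed one; verify the OS before acting on the result.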
