

WannaCry

May 16th, 2017

Overview/Background

It appears that the initial attack vector is an encrypted Zip file sent as an email attachment; the archive contains JavaScript files that launch the WannaCry ransomware.

The attack is known by several names (WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r). It encrypts files and renames them with the extensions .wnry, .wcry, .wncry and .wncryt, then presents the user with a window containing a ransom demand.

The ransomware spreads rapidly, like a worm, by exploiting a vulnerability in the Windows Server Message Block (SMB) service and propagating across networks over the SMBv1 protocol, which Windows computers use to share files and printers on local networks.

Microsoft addressed the issue in its MS17-010 bulletin.

Analysis appears to confirm that the attack was launched using suspected NSA code leaked by the hacking group known as the Shadow Brokers: it uses a variant of the EternalBlue exploit from that leak (CC-1353). The malware uses strong encryption on files such as documents, images and videos.

Sophos issued a series of protective measures between 12 and 14 May addressing this threat. Most other anti-malware companies had issued signatures by yesterday evening and are blocking the current version of Wanna and its derivatives.

Sophos customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behaviour and restore deleted or encrypted files in all cases we have seen, the ransomware splash screen and ransom note may still appear.

What to do

Please ensure all of your Windows environments have been updated as recommended by Microsoft.

The National Cyber Security Centre has published the following advice.

From investigations and analysis performed to date, we know that the malware encrypts files and presents the user with a prompt that includes a ransom demand, a countdown timer and a bitcoin wallet to pay the ransom into.

The malware uses the SMBv1 vulnerability addressed by MS17-010 (CVE-2017-0144) to propagate through a network. This enables the malware to infect additional devices connected to the same network.

Home Users

Home users and small businesses can take the following steps to protect themselves:

  • Run Windows Update
  • Make sure your antivirus product is up to date and run a scan – if you don’t have one then install one of the free trial versions from a reputable vendor
  • If you have not done so before, this is a good time to think about backing important data up – you can’t be held to ransom if you’ve got the data somewhere else

Enterprise Administrators

The NCSC advise the following steps be performed in order to contain the propagation of this malware:

  • Deploy patch MS17-010:
    • A patch has also been made available for legacy platforms (Windows XP, Windows 8 and Windows Server 2003)
  • If it is not possible to apply this patch, disable SMBv1
  • and/or block the SMBv1 ports on network devices (UDP 137 and 138, TCP 139 and 445)

If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
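The containment steps above, as an added PowerShell example that is not part of the original post or the NCSC advisory. Run it elevated on each host. The KB numbers are the MS17-010 security-only and monthly rollup updates for the Windows versions named in the comments; the registry value and the sc.exe commands are Microsoft's documented method for turning off SMBv1 on versions without the SMB cmdlets. Check the bulletin for the exact update that applies to your build.

```powershell
# Added example: check for MS17-010, then disable SMBv1 and block the SMB/NetBIOS
# ports on the host. Not from the original post or the NCSC advisory.

# 1. Is MS17-010 present? KB numbers per the MS17-010 bulletin (assumption: verify
#    against the bulletin for your build). On Windows 10 the fix ships inside the
#    cumulative update and later cumulative updates supersede these IDs, so an
#    absent KB there is not proof the host is unpatched; check the OS build instead.
$ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008, and the XP / 8 / Server 2003 release
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update found; patch, or rely on the SMBv1 mitigations below.'
}

# 2. Disable the SMBv1 server side.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: registry value from Microsoft KB2696547
    # (takes effect after a reboot).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
}

# 3. Disable the SMBv1 client driver too, so the host stops speaking SMBv1 outbound
#    (also from KB2696547; reboot required).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# 4. Block the NetBIOS/SMB ports inbound at the host firewall. Inbound only, so the
#    host can still reach patched file servers; the worm needs inbound 445 to land.
New-NetFirewallRule -DisplayName 'WannaCry containment - block inbound SMB TCP' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'WannaCry containment - block inbound NetBIOS UDP' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any
```

Steps 2 and 3 need a reboot to take full effect on the older platforms; the firewall rules apply immediately, which is why they are worth pushing first to hosts that cannot be patched today.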

Work done in the security research community has prevented a number of potential compromises. To benefit:

  • Ensure that your systems can resolve and connect on TCP 80 to the domains below.

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike the domains associated with most malware, these domains should not be blocked by your IT department. Note that the malware is not proxy aware, so a local DNS record may be required. This does not need to point to the internet; it can resolve to *any* accessible server that accepts connections on TCP 80.
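A check for the kill-switch condition above, as an added PowerShell example that is not part of the original post or the NCSC advisory. It tests each domain the way the malware does (a plain DNS lookup and a direct TCP 80 connection, no proxy), and for any domain that fails it creates a local record pointing at an internal web server. The sinkhole address 10.0.0.80 is a placeholder; the DnsServer cmdlets are used when the script runs on a Windows DNS server, otherwise a hosts-file entry is written.

```powershell
# Added example: verify kill-switch reachability and sinkhole the domains locally
# if needed. Not from the original post or the NCSC advisory.

$killSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

function Test-KillSwitchReachable {
    param([string[]]$Domains)
    foreach ($d in $Domains) {
        # Plain DNS lookup, as the malware does it (no proxy involved).
        $resolved = Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue
        if (-not $resolved) {
            [pscustomobject]@{ Domain = $d; Resolves = $false; Tcp80 = $false }
            continue
        }
        # Direct TCP connect on port 80; the malware ignores system proxy settings,
        # so a proxy-only network fails this even though a browser would succeed.
        $tcp = Test-NetConnection -ComputerName $d -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{ Domain = $d; Resolves = $true; Tcp80 = $tcp.TcpTestSucceeded }
    }
}

$results = Test-KillSwitchReachable -Domains $killSwitchDomains
$results | Format-Table -AutoSize

# Sinkhole any domain that is not reachable directly. 10.0.0.80 is a placeholder
# for any internal server that accepts TCP 80 connections (assumption).
$sinkhole = '10.0.0.80'
foreach ($r in ($results | Where-Object { -not $_.Tcp80 })) {
    $zone = $r.Domain -replace '^www\.', ''
    if (Get-Command Add-DnsServerPrimaryZone -ErrorAction SilentlyContinue) {
        # On a Windows DNS server: create the zone and an A record for www.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -ErrorAction SilentlyContinue
        Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $sinkhole
    } else {
        # On a single host: a hosts-file entry does the same job.
        Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "$sinkhole`t$($r.Domain)"
    }
}
```

Re-run the check after adding the records; the sinkhole only helps if the internal server really answers on TCP 80, since the malware tests the connection rather than just the name.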

Antivirus vendors are increasingly able to detect and remediate this malware, so updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).

Other Recommendations:

  • Make sure policies at the perimeter of networks are blocking encrypted attachments
  • During this current period of heightened threat, release of emails with encrypted attachments should not be permitted
  • Verify the anti-malware solutions deployed throughout the organisation have a signature, or detection string, for WannaCry
  • Verify that ALL endpoints, including portable devices and servers, are covered with the anti-malware solution and signatures are up to date
  • If one device on the network is not protected, it could be the entry point and then the SMB vulnerability could be exploited across the network and compromise ALL other computers not patched
  • Warn all users of the risks of opening unexpected attachments, no matter how legitimate it might look
  • Given the recent publication of the exploit code, it was only a matter of time before WannaCry appeared to exploit the vulnerability. It is a fairly safe bet that multiple new variants of WannaCry will appear in the short term, each requiring new signature updates. This will be a continuous cycle, an arms race.
  • The initial vector of compromise will likely change as well – expect methods other than encrypted zip files as attack vectors
  • The following are the current known file extensions that are used when a file is encrypted. Where an organisation can alert on, or block the creation of, files of this type, please implement immediately. Microsoft File Server Resource Manager (FSRM) can apply these filters.
    • .wnry
    • .wcry
    • .wncry
    • .wncryt
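The FSRM file screen suggested above, as an added PowerShell example that is not part of the original post or the NCSC advisory. It blocks creation of files with the four extensions on a share, writes a Warning event for the SIEM on every attempt, and optionally removes the share so one infected client cannot carry on encrypting it. Assumptions: Windows Server 2012 or later with the FSRM role, D:\Shares as the share root and Shares as the share name (both placeholders).

```powershell
# Added example: FSRM active file screen for the WannaCry extensions.
# Not from the original post or the NCSC advisory.

# FSRM role (no-op if already installed).
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null

# File group holding the known extensions from the advisory.
$groupName = 'WannaCry extensions'
$patterns  = '*.wnry', '*.wcry', '*.wncry', '*.wncryt'
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Actions on a screened write. [Source Io Owner] and [Source File Path] are FSRM's
# own substitution variables, so the event names the user and the file.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Possible WannaCry activity: [Source Io Owner] tried to write [Source File Path]'

# Optional tripwire: unshare the folder on first hit, at most once a minute.
# Share name "Shares" is a placeholder; adjust for your environment.
$cutAction = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters '-NonInteractive -Command "Remove-SmbShare -Name Shares -Force"' `
    -SecurityLevel LocalSystem -RunLimitInterval 60

# -Active makes the screen refuse the write rather than just report it; screens
# apply to renames too, which is how the ransomware attaches these extensions.
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup $groupName -Active `
    -Notification $logAction, $cutAction | Out-Null

Get-FsrmFileScreen -Path 'D:\Shares' | Select-Object Path, Active, IncludeGroup
```

Drop $cutAction from -Notification if removing the share on a single hit is too aggressive for the environment; the event action alone still gives the alert the advisory asks for.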

All existing recommendations to limit the threat of ransomware still apply, especially the prohibition on using privileged accounts to access email and internet services.

Having an effective backup and disaster recovery strategy is a crucial defence, along with educating users, promptly applying patches and using professional anti-malware.
