The story of WannaCry

If you are watching the news, by now you might know the massive ransomware campaign shaking the internet these days. Yes, it is known as WannaCry, WCry or Wanna Decrypt. Lots of rumors are spreading all over the internet. We have dug all the available sources since May 12, 2017 (initial reports beginning around 4:00 AM EDT, May 12, 2017) to post the whole story about this ransomware attack. It requests a ransom of 1781 bitcoins, roughly $300 U.S. It was very successful as it used SMB vulnerability to spread inside networks. However, the vulnerability was patched by Microsoft in March for supported versions. The exploit known as ETERNALBLUE was released in April as a part of a leak of NSA tools. There are many variants have been seen spreading last Saturday and Sunday. Europol warned WannaCry has hit over 200,000 systems in 150 countries.

According to a tweet from Jakub Kroustek, a malware researcher with security firm Avast, the company’s software has detected more than 100,000 instances of the WannaCry ransomware.

“The whole world is facing an escalating threat” Europol chief Rob Wainwright said to Britain’s ITV, warning people that the numbers are going up and the users should ensure the security of the systems is up to date.

He further said they are running around 200 global operations against cyber crime each year, but they’ve never seen anything like this, as quoted by BBC.

Several large organizations are known to be affected. There was no obvious targeting found. The organizations are from various countries worldwide and appear not to be related. While everyone’s attention is on large enterprises, small business users and home users may be affected as well. It is estimated over 200,000 victims according to various anti-virus vendors.

A total of 16 U.K. organizations has been affected including the National Health Service (NHS).Some computers of Spanish telecom giant Telefónica was infected but fortunately did not affect clients or services. Portugal Telecom, Russia’s MegaFon and delivery company FedEx were infected. Users from Japan, Turkey, and the Philippines were also affected according to the information sources.

The below map is showing the WannaCry ransomware infection in just 24 hours of time.

 

Kill-Switches for WannaCry has been discovered. This ransomware attacks the availability, confidentiality and the integrity of the information. Victims will lose access to the files encrypted by the malware. Nobody can be sure about the recovery even after the ransom is paid. It does install a backdoor that could use by the bad guys to obtain and leak data from affected computers. But ransomware does not itself exfiltrate data. WCry does not alter data. It only encrypts data. But who knows, the backdoor could be used by other hackers to cause additional damage. Now everyone’s eyes on WCry. It has been the main topic. All the hackers in the wild are paying their attention to this incident and they might try to use the situation to launch their attacks. First, there was only one version of the ransomware then another group of hackers released the version two by reverse engineering the original ransomware and adding some other features.Version-01 (original WannaCry) samples are available for anyone to get downloaded and do research while version-02(WannaCry 2.0) sample was removed from the sites for some reasons. In the future, we can expect more ransomware attacks from the copycat hackers. For now, there is no public reports from the victims who paid the ransom. But it is reported that about a hundred victims paid the ransom so far. The attackers transmit the unlock code in a manual process that requires the victim to contact the person behind the ransomware to transmit an unlock code. In the future, due to the law enforcement and public attention the attackers may disappear suddenly without releasing the unlock code to the victims who paid the ransom.

Ways to identify the affected systems:

  • The infected systems will try to connect to a specific domain.
  • Systems will start scanning internally for port 445.
  • The encrypted files will have the “.wncry” extension.
  • Ransom note will be displayed.
  • Infected systems might reach out to sites for crypto keys.
  • Now, most of the Anti-Malware has signatures for WannaCry.

Ransom Message:

Ransom Note Desktop Background:

 

 

Guidance to clean up infected systems:

  • Now the Anti-Malware vendors are offering the removal tools.
  • Removal tools will remove the malware, but will not recover the encrypted files.
  • The ransomware will install a backdoor. That could be used by other bad guys to compromise the system further.
  • According to the incident news, all the files with .wncry extension are not encrypted. Some files may still be readable. Don’t let bad guys who are seeking to get the advantages from the situation to fool you!

Ways to prevent the infection:

  • The newer Windows version can be patched with MS17-010 March update.
  • On 12th, Friday Microsoft released a patch for older systems like Windows XP and Windows 2003.
  • Get it confirmed that the patch is installed in the systems.
  • Segment the network in your cooperations. Block port 445 to spread internally.
  • Disable SMBv1.
  • Implement internal “kill-switch” domains and do not block them.
  • Set registry key.

Additionally,

  • Have a robust backup strategy.
  • Lockdown machines.
  • Don’t open suspicious email or attachments
  • Use a decent anti-virus program.

How the Kill-Switch works:

This ransomware will not run the payload if it can access a specific website(sink hole).This specific website (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) has been registered to stop the spread of the malware. But your proxies may prevent the connection still leaving a possibility to get the attack. Therefore an internal website would be more reliable and allows detecting the infections.

A registry entry was found that would prevent the infection. A tool was released to set the entry as well.

The future versions will more likely remove these kill-switches, change the name of the registry entry, or use other attack vectors such as phishing, social engineering etc.

You should know that the kill-switch would not prevent it in the following situations:

  • If you receive the malware via an email, a malicious torrent, or other vectors instead of SMB protocol.
  • If your ISP or antivirus or firewall block access to the sinkhole domain.
  • If your system requires a proxy to access the internet.
  • If someone does a large -scale DDoS attacks and make the sinkhole domain inaccessible for all.
  • WannaCry 2.0 Ransomware with no kill-switch is on the hunt.

It is not over. The story is still updating. Keep your eyes open!

 

References:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://cqureacademy.com/blog/malware/troubleshoot-post-ransomware-situation

http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html?m=1

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

https://www.saotn.org/disable-smbv1-windows-10-windows-server/

http://www.readme.lk/wannacry-ransomware/

https://www.us-cert.gov/ncas/alerts/TA17-132A

https://krebsonsecurity.com/2017/05/microsoft-issues-wanacrypt-patch-for-windows-8-xp/

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

https://isc.sans.edu/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: