Attack Variants
First variant: .WCRY
Second variant: .WCRY (+ .WCRYT for files still being encrypted)
Third variant: .WNCRY (+ .WNCRYT for files still being encrypted)
Who does it affect
Any Windows computer that does not have the Microsoft patch MS17-010 installed and still exposes SMBv1.
What to do
Apply the Microsoft MS17-010 patch immediately. Where a host cannot be patched right away, disable SMBv1 on it and block inbound TCP 445 from untrusted networks.
The background
Current analysis says the "WCry" ransomware, also known as WannaCry, WanaCrypt0r, WannaCrypt or Wana Decrypt0r (the lock screen calls itself "Wana Decrypt0r 2.0"), has been spreading very heavily over the last two days, and many more victims are likely in the coming days. The ransomware encrypts the victim's files, displays a lock screen and demands a ransom of 300 to 600 USD; only after payment does it promise to decrypt the files.
It started with the group "The Shadow Brokers" (TSB), which first appeared in the summer of 2016 (after an earlier, failed attempt to auction NSA tooling) and on April 14, 2017 publicly released a set of Windows-related exploits.
That release included an exploit against the SMB (Server Message Block) service of Windows hosts, published under the name "EternalBlue". As leaked, the tool targets SMBv1 on Windows versions up to Windows 8 and Windows Server 2012; the underlying vulnerability affects every Windows version that Microsoft covered in MS17-010.
Microsoft fixed the vulnerability on March 14, 2017 as a critical security update, Security Bulletin MS17-010, and Cisco Talos published a Snort detection rule for "EternalBlue" under SID 41978. However, many organizations had still not installed the patch when the worm appeared.
Therefore, any Windows computer that exposes its SMB service and is left unpatched can be attacked remotely with the "EternalBlue" exploit.
Sources also report that The Shadow Brokers used Twitter accounts to advertise access to the dumps (exploits and tools), which included material for targeting the SWIFT banking network at several banks across the world. The list of all files contained in the dump is available on Git.
WCry achieves remote code execution through that very SMB bug, using the "EternalBlue" exploit.
WannaCry has attracted intense interest from security professionals across the globe because it is an unusual package: ransomware, a loader and a worm bundled together. An attacker may choose different vectors to start the attack: it may begin with a simple spam email, or with direct exploitation of a target IP address or server that exposes SMB.
In both scenarios the dropper "mssecsvc.exe" first tests the kill-switch domain; if the domain does not answer, it installs itself as a new service named "mssecsvc2.0" for persistence and drops and executes its ransomware payload "tasksche.exe". Note that the kill-switch test is a direct HTTP connection, so hosts that can only reach the Internet through a proxy do not benefit from it.
The mssecsvc2.0 service then re-runs "mssecsvc.exe" through a different entry path than the initial execution (command line "-m security"). This service thread reads the victim machine's IP address and attempts to connect to every host in the same subnet on TCP port 445 (SMB); it also probes randomly generated Internet addresses on the same port. Whenever a connection succeeds, it sends the exploit and transfers the payload.
The malware uses the "EternalBlue" exploit against the SMB vulnerability (already fixed by Microsoft in MS17-010) and tries to implant the "DOUBLEPULSAR" kernel backdoor; it then uses that backdoor to execute WannaCry on the newly compromised system. Hosts that already carry a DOUBLEPULSAR implant from an earlier attack are infected through it directly.
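The scanning thread described above produces a distinctive network signature: one host opening connections to dozens of distinct peers on TCP 445 within seconds. The following PowerShell is an added example (not code from the original article or from the malware) that flags that fan-out in connection logs. The log lines and their "src=... dst=... dport=..." layout are constructed for this example; the regular expression in $LinePattern is an assumption you would adapt to your firewall or NetFlow export.

```powershell
# Added example: detect worm-style SMB fan-out (many distinct TCP/445 peers
# from one source inside a short sliding window).
# The log format below is constructed for this example; change $LinePattern
# to match the export you actually have.

$LinePattern = '^(?<ts>\S+)\s+src=(?<src>[\d.]+)\s+dst=(?<dst>[\d.]+)\s+dport=(?<dport>\d+)'

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold     = 20,   # distinct TCP/445 peers before we alert
        [int]$WindowSeconds = 60    # length of the sliding window
    )

    # Keep only TCP/445 connection attempts, parsed into objects.
    $events = foreach ($line in $Lines) {
        if ($line -match $LinePattern -and $Matches.dport -eq '445') {
            [pscustomobject]@{
                Time = [datetime]::Parse($Matches.ts)
                Src  = $Matches.src
                Dst  = $Matches.dst
            }
        }
    }

    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $counts = @{}    # dst -> number of attempts inside the current window
        $peak   = 0
        $j      = 0
        # Two-pointer sliding window: $i is the oldest event still inside the
        # window, $j the first event beyond it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            while ($j -lt $sorted.Count -and
                   ($sorted[$j].Time - $sorted[$i].Time).TotalSeconds -le $WindowSeconds) {
                $counts[$sorted[$j].Dst] = 1 + [int]$counts[$sorted[$j].Dst]
                $j++
            }
            if ($counts.Count -gt $peak) { $peak = $counts.Count }
            $counts[$sorted[$i].Dst]--
            if ($counts[$sorted[$i].Dst] -eq 0) { $counts.Remove($sorted[$i].Dst) }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                Source        = $group.Name
                DistinctPeers = $peak
                Verdict       = 'possible SMB worm scanning'
            }
        }
    }
}

# Constructed sample: 10.0.5.23 sweeps 40 neighbours on 445 within a minute
# (the mssecsvc2.0 pattern); 10.0.5.41 makes one ordinary SMB connection.
$SampleLog = @(
    foreach ($n in 1..40) {
        '2017-05-12T10:01:{0:D2}Z src=10.0.5.23 dst=10.0.5.{1} dport=445 proto=tcp' -f ($n % 60), $n
    }
    '2017-05-12T10:01:10Z src=10.0.5.41 dst=10.0.5.12 dport=445 proto=tcp'
    '2017-05-12T10:01:11Z src=10.0.5.41 dst=10.0.5.12 dport=3389 proto=tcp'
)

Find-SmbFanOut -Lines $SampleLog | Format-Table -AutoSize
# Only 10.0.5.23 is reported (40 distinct peers); 10.0.5.41 stays below the threshold.
```

The threshold is deliberately conservative: file servers and backup hosts legitimately talk to many peers on 445, so run the function over a day of normal traffic first and raise $Threshold above what those hosts produce. Because the worm also probes random Internet addresses, the same check applied at the perimeter (outbound 445 to many external destinations) is worth running alongside the internal one.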
How does it start
Assume the "WCry" ransomware starts with a spam email that carries a malicious link or a malicious document. Once the target user clicks the link or opens the document, the malware holds the computer hostage until the ransom is paid.
The malware encrypts the system's files with a fresh AES key per file; each AES key is wrapped with an RSA public key generated on the victim machine, and the matching private key is itself encrypted with the attackers' RSA key, so it only becomes usable after the ransom is paid.
The ransomware typically demands 300 US dollars in Bitcoin, rising to 600 if the victim does not pay within three days, and shows the Bitcoin wallet address to pay to.
It also informs the victim through a read-me ransom note (@Please_Read_Me@.txt) dropped into each folder it touches.
Up to this point it is only level 1. Level 2 starts when the infected system is part of an enterprise-wide network: every other system that is still missing the MS17-010 patch is vulnerable and gets infected in turn.
A notable property of the malware files used by WCry is that their version information is copied from random Microsoft Windows 7 system tools, so a file's version resource says nothing about what it really is.
For convenient Bitcoin payments, the malware directs victims to a page with a QR code at btcfrog, which links to their main Bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.
Malware Target File Extensions
The file extensions the malware targets fall into several clusters of formats:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Most Affected Countries
Among the worst hit by this massive ransomware outbreak are the National Health Service in England and Scotland (16 medical institutions reported early on), the global delivery company FedEx, and the Spanish multinational Telefonica, all of whose operations were disrupted as the attack spread.
Russia's interior ministry dealt with the attack promptly and saved thousands of its computers and sensitive data from infection. India is also on the hard-hit list, as a large share of its installed base still runs Windows XP.
China has yet to comment officially on the number of infected computers and the damage caused by this latest threat.
How to Mitigate Risk
- Install the official patch (MS17-010) from Microsoft to close the vulnerability. Microsoft has also released out-of-band patches for otherwise unsupported systems (Windows XP, Windows 8 and Windows Server 2003); the full list per OS is in the MS17-010 security bulletin. Where a host cannot be patched immediately, disable SMBv1 on it and block inbound TCP 445 at the perimeter and between network segments.
- Scan all systems. If the scanner reports MEM:Trojan.Win64.EquationDrug.gen (the in-memory DOUBLEPULSAR implant), reboot the system: the implant is memory-resident and does not survive a reboot, but the host must still be patched or it will simply be re-infected.
- Isolate infected devices immediately by removing them from the network, to stop the ransomware from spreading to other hosts and shared drives.
- Power off affected devices that have not been completely encrypted yet; this halts encryption that is still in progress.
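The steps above reduce to two questions per host: is MS17-010 on it, and is SMBv1 still listening? The following PowerShell is an added example (not part of the original article) that answers both for the local machine and applies the interim hardening where the patch is missing. It assumes the KB numbers listed are the MS17-010 updates from Microsoft's bulletin (confirm them against the bulletin for the builds you manage); the Windows 10 date heuristic, the function names and the firewall rule name are this example's own choices.

```powershell
# Added example: check this host for MS17-010 and an enabled SMBv1 server,
# then apply the interim mitigation (disable SMBv1, block inbound 445).
# Run from an elevated PowerShell session.
# Assumption: these are the MS17-010 KBs from Microsoft's bulletin; verify
# them against the bulletin before relying on this list.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216'                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                # Windows Server 2012
    'KB4012598'                             # Vista / Server 2008, and the XP / 2003 / 8 out-of-band release
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Exposure {
    $build    = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $hotfixes = Get-HotFix
    $patched  = [bool]($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # Windows 10 folds MS17-010 into every later cumulative update, so the
    # March KB is usually superseded and invisible. Heuristic (not proof):
    # treat a cumulative update installed on or after 14 March 2017 as carrying it.
    if (-not $patched -and $build -ge 10240) {
        $latest  = $hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
        $patched = [bool]($latest -and $latest.InstalledOn -ge [datetime]'2017-03-14')
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: SMBv1 stays on unless LanmanServer\Parameters\SMB1 is 0
        $v    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = (-not $v) -or ($v.SMB1 -ne 0)
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Build       = $build
        Ms17010     = $patched
        Smb1Enabled = $smb1
        Exposed     = (-not $patched) -and $smb1
    }
}

function Invoke-Smb1Hardening {
    # Turn off the SMBv1 server and block inbound TCP 445 on the Public and
    # Private profiles; the Domain profile is left alone so file shares keep working.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0
        Write-Warning 'SMB1 registry value set; a reboot is required for it to take effect.'
    }
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - MS17-010 interim' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    } else {
        # Windows 7 has no NetSecurity module; fall back to netsh.
        netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445) - MS17-010 interim" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

$status = Test-Ms17010Exposure
$status | Format-List
if ($status.Exposed) { Invoke-Smb1Hardening }
```

Two caveats before running this fleet-wide: disabling SMBv1 breaks clients that can speak nothing newer (Windows XP, old multifunction printers and NAS boxes), so inventory those first; and the hardening is a stopgap, not a substitute for the patch, because the vulnerable code is still on disk until MS17-010 is installed.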