
Wannacry (WCRY) ransomware



What is the Wannacry (WCRY) ransomware?


Trend Micro is closely monitoring the latest ransomware outbreak that has affected several organizations around the world. This ransomware attack is referred to as WCRY or WannaCry. It takes advantage of a recently disclosed Microsoft vulnerability (patched in MS17-010) by means of the "EternalBlue" exploit that was part of the Shadow Brokers tools release. After a computer is infected, WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database files, multimedia and archive files, as well as Microsoft Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims, an amount that increases incrementally after a certain time limit. The victim is also given seven days before the affected files are deleted.

How does it infect computers?

WannaCry leverages CVE-2017-0144, a vulnerability in Microsoft Server Message Block 1.0 (SMBv1), to infect computers. The security flaw is attacked using an exploit leaked by the Shadow Brokers group, the "EternalBlue" exploit in particular. Although Microsoft's Security Response Center (MSRC) team addressed the vulnerability in MS17-010, released in March 2017, unpatched computers are easily infected. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. Once one computer on a network is infected, the whole network is at risk.

We are closely monitoring similar threats - such as the recently reported Uiwix ransomware and Monero-Mining malware - that appear to be exploiting the same vulnerability mentioned above - and are continually updating our detections with these new samples (e.g. Ransom_UIWIX.A, TROJ_COINMINER.WN). Please visit our new Security Intelligence blog entry for more information on these new threats.

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, it claims the encrypted files will be deleted. However, Symantec has not found any code within the ransomware which would cause files to be deleted.
A ransomware variant known as WanaCry/WanaCrypt0r has spread on a massive scale around the world since the 12th of May 2017. For more information about the context with regards to this WanaCry variant, see also our earlier blog. The section below outlines the frequently asked questions and corresponding answers.




How To Protect Yourself From The Global WanaCry Ransomware Attack

A ransomware variant called WanaCrypt0r 2.0, also known as WanaCry or WCry, has locked up over 75,000 computers in 99 countries in the last 24 hours according to cyber security company Avast. The National Health Service in the UK, Spanish telecommunications company Telefónica, and FedEx in the US are among the tens of thousands of victims. Here’s how you can protect yourself.

Wanacry was first identified in February and Microsoft released a patch in March. If you have not updated your Windows software recently, do it now. The current versions of Windows 10 and the build schedules for each version can be found here. You can find the Windows version and build that is running on your system by going to Settings>System>About.

If you need to update to protect against WanaCry, Microsoft has gathered patches for all currently supported versions of Windows which can be found here. They have also taken the highly unusual step of patching legacy versions of Windows that have been unsupported for as long as three years. If you are running one of these versions of Windows you might want to give serious consideration to upgrading to the current version. In the meantime, you can thank Microsoft for reaching out to help you and download the patch.
If you have up-to-date malware protection software from a reputable cybersecurity company such as Avast installed on your computer, you are probably protected. Check your cybersecurity company’s website to make sure you are. WanaCry is a world-wide, runaway threat. If your cybersecurity company’s website has nothing to say about it, don’t assume you are protected. Make sure you are running the current version of Windows.

What you need to know about the WannaCry Ransomware 

The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.
Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack and the Lazarus group: 

Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as a method of propagating WannaCry, but this is unconfirmed.
Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants.

While these findings do not indicate a definitive link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization's network by exploiting critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017 (MS17-010). The exploit, known as "EternalBlue," was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, which claimed to have stolen the data from the Equation cyber espionage group.


Am I protected from the WannaCry ransomware?

Symantec Endpoint Protection (SEP) and Norton have proactively blocked any attempt to exploit the vulnerabilities used by WannaCry, meaning customers were fully protected before WannaCry first appeared. SEP14 Advanced Machine Learning proactively blocked all WannaCry infections on day zero, without any updates.
The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.
Symantec and Norton customers are automatically protected against WannaCry using a combination of technologies. Proactive protection was provided by:
IPS network-based protection
SONAR behavior detection technology
Advanced Machine Learning
Intelligent Threat Cloud

Customers should have these technologies enabled for full proactive protection. SEP customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by Advanced Machine Learning signatures.
Can I recover the encrypted files or should I pay the ransom?

Decryption of encrypted files is not possible at present but Symantec researchers continue to investigate the possibility. See this article for further details. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.
In some cases, files may be recovered without backups. Files saved on the Desktop, My Documents, or on a removable drive are encrypted and their original copies are wiped. These are not recoverable. Files stored elsewhere on a computer are encrypted and their original copies are simply deleted. This means they could be recovered using an undelete tool.
When did WannaCry appear and how quickly did it spread?
WannaCry first appeared on Friday, May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerabilities used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high. Exploit numbers increased on Monday, presumably as people returned to work after the weekend.

Who is impacted?

Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks and a number of organizations globally have been affected, the majority of which are in Europe. However individuals can also be affected.
Is this a targeted attack?

Current WannaCry activity is not believed to be part of a targeted attack.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting known vulnerabilities in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.


How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection—how the first computer in an organization is infected—remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.

How does the ransom payment work?

The WannaCry attackers request that the ransom be paid using Bitcoins. WannaCry generates a unique Bitcoin wallet address for each infected computer, but because of a race condition bug this code does not execute correctly. WannaCry then defaults to three hardcoded Bitcoin addresses for payment. The attackers are unable to identify which victims have paid using the hardcoded addresses, meaning that victims are unlikely to get their files decrypted.

The WannaCry attackers subsequently released a new version of the malware that corrected this flaw, however this version was not as successful as the original.
On May 18, a new notice was displayed on infected computers informing victims that files will be decrypted if the ransom is paid.
What are the details on Symantec's protection?

Network-based protection
Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:
OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)
Attack: Shellcode Download Activity (released April 24, 2017)

What are best practices for protecting against ransomware?

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t delete them.
Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.

WannaCry/Wcry Ransomware: How to Defend against It

An unprecedented wave of ransomware infections is hitting organizations in all industries around the world. The culprit: the WannaCry/WCry ransomware (detected by Trend Micro as RANSOM_WANA.A and RANSOM_WCRY.I).
Trend Micro has been tracking WannaCry since its emergence in the wild in April 2017. Trend Micro™ XGen™ security has been protecting users from this and other threats using techniques like behavioral analysis and high fidelity machine learning. Here’s what users and enterprises need to know about this widespread threat and what can be done to defend against it.

What happened?

Several firms in Europe were the first to report having their mission-critical Windows systems locked, showing a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

Who is affected?

This variant of the WannaCry ransomware attacks older Windows-based systems, and is leaving a trail of significant damage in its wake. Based on Trend Micro's initial telemetry, Europe has the highest detections for the WannaCry ransomware. The Middle East, Japan, and several countries in the Asia Pacific (APAC) region show substantial infection rates as well.
WannaCry’s infections were seen affecting various enterprises, including those in healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Due to the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

What does WannaCry ransomware do?

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.
WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010 released March, 2017.

What makes WannaCry’s impact pervasive is its capability to propagate.

Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry's propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber, all of which can infect systems and servers connected to the network.


What can you do?

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.
[Infographic: A multilayered defense against ransomware]
Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

· The ransomware exploits a vulnerability in SMB server. Patching is critical for defending against attacks that exploit security flaws. A patch for this issue is available for Windows systems, including those no longer supported by Microsoft. When organizations can’t patch directly, using a virtual patch can help mitigate the threat

· Deploying firewalls and detection and intrusion prevention systems can help reduce the spread of this threat. A security system that can proactively monitor attacks in the network also helps stop these threats

· Aside from using an exploit to spread, WannaCry reportedly also uses spam as an entry point. Identifying red flags on socially engineered spam emails that contain system exploits helps. IT and system administrators should deploy security mechanisms that can protect endpoints from email-based malware

· WannaCry drops several malicious components in the system to conduct its encryption routine. Application control based on a whitelist can prevent unwanted and unknown applications from executing. Behavior monitoring can block unusual modifications to the system. Ransomware uses a number of techniques to infect a system; defenders should do the same to protect their systems

· WannaCry encrypts files stored on local systems and network shares. Implementing data categorization helps mitigate any damage incurred from a breach or attack by protecting critical data in case they are exposed

· Network segmentation can also help prevent the spread of this threat internally. Good network design can help contain the spread of this infection and reduce its impact on organizations
· Disable the SMB protocol on systems that do not require it. Running unneeded services gives more ways for an attacker to find an exploitable vulnerability
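The patching and "disable SMB" items above are the two controls that actually stop the worm. The following PowerShell script is an added example, not Trend Micro's or Microsoft's tooling: run from an elevated prompt, it reports whether one of the MS17-010 packages is present, whether the SMBv1 server is still enabled, and offers two remediations (turn SMBv1 off; block inbound TCP/445 as a compensating control while a patch is pending). The KB list is copied from the MS17-010 bulletin and should be checked against it for your OS; only KB4012598 is named on this page. The firewall scope is an assumption and must be fitted to your segmentation plan.

```powershell
# Added example (not the page's or Microsoft's own script): MS17-010 / SMBv1 posture check
# and remediation for a single Windows host. Run in an elevated Windows PowerShell prompt.

# KB numbers of the March 2017 MS17-010 packages, taken from the Microsoft bulletin.
# Verify against the bulletin for your OS; KB4012598 is the one mentioned in the text above.
$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # Get-HotFix lists packages that were installed as discrete updates. A later monthly
    # rollup or cumulative update supersedes these KBs without listing them, so "not found"
    # means "check the update history", whereas "found" is positive confirmation.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$installed
}

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings through cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 DWORD under LanmanServer\Parameters controls it;
    # an absent value means SMBv1 is enabled.
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }
    return ($v -ne 0)
}

function Disable-Smb1Server {
    # Disables the SMBv1 server side. Do the impact assessment mentioned later on this page
    # first: anything that can only speak SMBv1 (old NAS boxes, old print servers) will break.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMB1 registry value set; a reboot is required for it to take effect.'
    }
}

function Block-InboundSmb {
    # Compensating control while a patch is pending: drop inbound TCP/445. The default scope
    # (Any) is an assumption suited to workstations; a file server must be scoped to the
    # addresses that legitimately need it, e.g. -RemoteAddress LocalSubnet.
    param([string[]]$RemoteAddress = 'Any')
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
        -RemoteAddress $RemoteAddress -Profile Any | Out-Null
}

function Get-Ms17010Posture {
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OSVersion      = [System.Environment]::OSVersion.Version.ToString()
        MS17010Found   = Test-Ms17010Installed
        SMB1Enabled    = Get-Smb1ServerEnabled
    }
}

# Report, then remediate only what the report shows is still open.
$posture = Get-Ms17010Posture
$posture | Format-List
if (-not $posture.MS17010Found) {
    Write-Warning 'No MS17-010 package listed: confirm via update history or patch now.'
}
if ($posture.SMB1Enabled) {
    Write-Warning 'SMBv1 server is enabled: disabling it (Disable-Smb1Server).'
    Disable-Smb1Server
}
# Uncomment on hosts that must stay unpatched for a while and do not serve SMB:
# Block-InboundSmb
```

On Windows 8.1, 10 and Server 2012 R2 or later the SMB1 component can be removed altogether with `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` (or `Remove-WindowsFeature FS-SMB1` on servers), which is the more durable fix; the registry path is only for Windows 7 / 2008 R2, where the cmdlets do not exist.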


What steps do I need to take to reduce the risk of infection?

Implement the best practices

· Patch and update your systems, or consider a virtual patching solution.
· Enable your firewalls as well as intrusion detection and prevention systems.
· Proactively monitor and validate traffic going in and out of the network.
· Implement security mechanisms for other points of entry attackers can use, such as email and websites.
· Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
· Employ data categorization and network segmentation to mitigate further exposure and damage to data.
· Disable SMB (v1) on vulnerable machines, using either GPO or by following the instructions provided by Microsoft.
· Ensure that all of the latest patches (if possible using a Virtual Patching solution) are applied to affected operating systems, especially the ones related to MS17-010.




FAQ on the WanaCry ransomware outbreak


Q: What makes this ransomware variant so dangerous?

A: This variant of WanaCry possesses the capability to spread itself as a so-called worm, besides the fact that the ransomware starts encrypting possibly important data on systems. This means that the initially infected system in a network is possibly not the only system that is impacted, but potentially a large number of systems in the internal network as well. This might bring your business processes to a grinding halt.

Q: What was the initial infection vector for the ransomware outbreak?

A: As there is no evidence that the initial infection vector is email, after 72 hours of research by the security community, Fox-IT believes the infection vector is more likely to be vulnerable machines directly exposing SMB to the internet.
At the moment it appears that the only confirmed infection vector is the usage of the ETERNALBLUE SMB exploit.

Q: Which versions of Windows are vulnerable?

A: The SMB exploit works on all versions of Windows that have not yet been patched with MS17-010 (released on the 14th of March 2017), except for Windows 10 and Windows Server 2016, which are already protected in their default configuration.


Q: What about Windows XP?

A: Microsoft has also released a patch for the unsupported operating systems Windows XP and Windows Server 2003.

Q: Are we safe from WanaCry if we apply the security update to Windows Server 2003?

A: Yes, but the patch KB4012598 applies specifically to this SMB exploit, known as ETERNALBLUE. However, similar NSA exploits, leaked by the Shadow Brokers, for vulnerabilities in Windows Server 2003 and Windows XP were published that lead to remote code execution (RCE). This includes the ERRATICGOPHER exploit for SMBv1 and the ESTEEMAUDIT exploit for RDP, which could be repurposed by malicious actors to create the next ransomworm.

Q: How many endpoints are affected?

A: The sinkhole statistics currently show a total of 160,000+ infections, this amount is still rapidly increasing.

Q: Should we block the ‘kill-switch’ domain on our firewall/proxy?

A: No, you should not. When the malware can reach the 'kill-switch' domain it does not spread any further. If you block this domain, the malware will in fact continue spreading, both internally and externally.

Q: Is the kill switch domain being monitored (counting infections, origin infections)?
A: Yes the sinkhole statistics can be found here.

Q: Do we expect new attacks with the same Modus Operandi (MO)?

A: This is very likely, as this is a lucrative way of earning money for criminals. It is unknown at what moment in time a new attack will start and we do not have indications at this point in time that another campaign is scheduled.


Q: Where can I find the ‘kill switch’ domain?
A: Two ‘kill-switch’ domains have been seen in the wild:

Q: Is the malware persistent and will it become active after a reboot of the endpoint?
A: Yes, a registry run-key is added to the registry:

Q: How can I check if an endpoint was infected?
A: Though there is no specific script there are several specific indicators for this ransomware campaign which can be used to detect compromised machines, such as:
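The indicator list from the Fox-IT FAQ is not reproduced on this page, so the triage script below is an added example and not Fox-IT's, built only from what this page does state: encrypted files get a .WCRY suffix, persistence is a Run key, and spreading is done over SMB. Because the Run-key value name is not given here, the script lists every Run entry for an analyst to review instead of matching a name; and because a workstation spraying TCP/445 at many peers is only a heuristic for the worm behaviour, that check is reported, not acted on.

```powershell
# Added example (not Fox-IT's script): quick WannaCry triage of one Windows host using only
# indicators stated on this page. Read-only; run as an administrator for full coverage.

function Find-WcryFiles {
    # Encrypted files carry a .WCRY suffix. A full sweep of large volumes takes a while;
    # pass -Roots to limit it (e.g. user profiles and mapped shares first).
    param([string[]]$Roots)
    if (-not $Roots) {
        $Roots = Get-PSDrive -PSProvider FileSystem |
                 Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }
    }
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.WCRY' -File -Recurse -Force `
                      -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Get-RunKeyEntries {
    # Persistence is a Run key; the value name is not given on this page, so every entry
    # is returned for manual review rather than matched against a name.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/PSChildName/PSDrive/PSProvider.
            if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{ Key = $p; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-OutboundSmbPeers {
    # Heuristic derived from the worm behaviour: a host with live outbound TCP/445 sessions
    # to many distinct peers is worth a look. File servers and backup agents do this
    # legitimately. Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Established' -or $_.State -eq 'SynSent' } |
        Group-Object RemoteAddress |
        Select-Object @{n='RemoteAddress';e={$_.Name}}, Count
}

function Get-WannaCryTriage {
    param([string[]]$Roots, [int]$PeerThreshold = 10)   # threshold is an assumption
    $wcry  = @(Find-WcryFiles -Roots $Roots)
    $peers = @(Get-OutboundSmbPeers)
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        WcryFileCount     = $wcry.Count
        WcrySample        = $wcry | Select-Object -First 5 -ExpandProperty FullName
        OutboundSmbPeers  = $peers.Count
        SmbSprayingLikely = ($peers.Count -ge $PeerThreshold)
        RunEntriesToReview = @(Get-RunKeyEntries)
    }
}

$triage = Get-WannaCryTriage -Roots @("$env:SystemDrive\Users")
$triage | Format-List
if ($triage.WcryFileCount -gt 0 -or $triage.SmbSprayingLikely) {
    Write-Warning 'Isolate this host from the network before anything else; see the notes on offline laptops below.'
}
```

The script is deliberately read-only: if any .WCRY file turns up, the right next step is to pull the host off the network so it cannot keep spreading, not to start cleaning it.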

Q: Is CIFS also vulnerable?
A: CIFS is a dialect of the SMBv1 protocol, and is impacted by this vulnerability.

Q: What impact will disabling SMB v1 have on end users?
A: Please note that this might differ depending on the situation. Follow the same best practice as for applying patches: perform a thorough impact assessment to determine the actual impact of disabling SMBv1. At the very least, systems that can only communicate via SMBv1 will be impacted, for example an old file sharing system.


Q: What are Anti-Virus vendors doing about this?
A: It seems logical that most cybersecurity companies are currently working on finding out all of the details that are related to this attack. It also seems very likely that all cybersecurity vendors are creating prevention and detection capabilities. Though new detection or prevention capabilities can only be applied if updates for these products are being downloaded and installed. We would not encourage customers to focus and wait on these vendors to prevent these kind of attacks but rather focus on installing the Microsoft update (MS17-010) that will prevent the spreading completely.

Q: What if infected laptops are currently offline because people are enjoying their weekends and are returning on monday?
A: It depends on which stage the infection is in on the victim machine. If the machine has already been infected and was halfway through the infection, then it is very likely that the victim machine will continue encrypting files and start spreading when it becomes active again. Therefore we strongly suggest installing the Microsoft update (MS17-010).


Q: What are the chances that a new campaign will be launched with more or improved functionality?
A: Based on our experience it is very likely that the same or other attacker(s) will start launching new campaigns sooner rather than later. We expect that they have learned from the small mistakes they made in the initial version, such as not registering the 'kill switch' domain. They could also improve the malware's functionality to bypass current prevention or detection techniques. Therefore we strongly suggest installing the Microsoft update (MS17-010).
Additionally, the exploitation of this vulnerability will serve as an example for other (cyber) criminals seeking to achieve similar goals, so-called copycats.

Q: Do we have to block the 'kill switch' domain in the firewall, or other security controls like proxy servers?

A: NO! Do not block access to the unique 'kill switch' domain, as infected clients will then start using the SMB exploit against reachable machines that are vulnerable.
The unique 'kill-switch' domain has been registered by a known security researcher. Because of this, the ransomware and the spreading mechanism used in the current malware campaign will not function. If you block access to this domain, an infected client will start encrypting all of your files and will start spreading to available vulnerable devices.

Q: Does the 'kill-switch' domain need a valid HTTP connection, or is resolving the domain name enough for the malware to stop functioning?

A: Yes, the 'kill-switch' domain does need a valid HTTP connection to a webserver listening on port 80. If the malware is not able to make a successful connection on port 80 it will start the ransomware and spreading process.
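Since a DNS answer alone is not enough, the check an IR team wants is "can a host on this segment complete an HTTP request to the kill-switch domain on port 80?". The script below is an added example, not Fox-IT's: it tests name resolution, a direct TCP/80 HTTP exchange that ignores any configured proxy, and a proxied request. The kill-switch domain names are not reproduced on this page, so the domain is a parameter you fill in from the Fox-IT post. The page does not say whether the malware honours a system proxy, so a result of "proxied works, direct fails" should be read as a risk, not as safe.

```powershell
# Added example (not Fox-IT's code): verify that the kill-switch domain is reachable over a
# real HTTP connection on TCP/80 from this host, not merely resolvable.
# The domain is not reproduced on this page; supply it from the Fox-IT post via -Domain.

function Test-DnsResolves {
    param([Parameter(Mandatory)][string]$Domain)
    try { return ([System.Net.Dns]::GetHostAddresses($Domain).Count -gt 0) }
    catch { return $false }
}

function Test-DirectHttp {
    # Raw TCP connect plus a minimal GET, so the system proxy setting plays no part.
    param([Parameter(Mandatory)][string]$Domain, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Domain, 80, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $request = "GET / HTTP/1.1`r`nHost: $Domain`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -le 0) { return $false }
        # Any HTTP status line counts as a completed connection; the content is irrelevant.
        return ([System.Text.Encoding]::ASCII.GetString($buf, 0, $n)).StartsWith('HTTP/')
    } catch { return $false }
    finally { $client.Close() }
}

function Test-ProxiedHttp {
    # Windows PowerShell's Invoke-WebRequest follows the user's proxy configuration.
    param([Parameter(Mandatory)][string]$Domain, [int]$TimeoutSec = 5)
    try {
        $r = Invoke-WebRequest -Uri "http://$Domain/" -UseBasicParsing -TimeoutSec $TimeoutSec
        return ($r.StatusCode -ge 200)
    } catch { return $false }
}

function Test-KillSwitchPath {
    param([Parameter(Mandatory)][string]$Domain)
    $result = [pscustomobject]@{
        Domain      = $Domain
        DnsResolves = Test-DnsResolves -Domain $Domain
        DirectHttp  = Test-DirectHttp  -Domain $Domain
        ProxiedHttp = Test-ProxiedHttp -Domain $Domain
    }
    if (-not $result.DirectHttp) {
        Write-Warning 'No direct HTTP path on port 80: hosts on this segment that do not use the proxy would fail the kill-switch check.'
    }
    if ($result.DnsResolves -and -not $result.DirectHttp -and -not $result.ProxiedHttp) {
        Write-Warning 'Name resolves but no HTTP connection succeeds: check for a block on the domain in the firewall/proxy and remove it.'
    }
    return $result
}

# Usage (fill in the domain from the Fox-IT post):
# Test-KillSwitchPath -Domain '<kill-switch domain>' | Format-List
```

Run it from a representative host on each network segment, including VLANs where egress to the internet is normally denied; those are exactly the places where the kill switch cannot fire and the SMB spreading starts.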

Q: Is the Linux Samba equivalent also vulnerable?
A: No, Samba, the Linux/Unix SMB implementation, is not vulnerable to this exploit; only Microsoft's SMB implementation without the latest Microsoft patch (MS17-010) installed is affected.

Q: There are some reports of WannaCry variants with no ‘kill-switch’ functionality, have you seen this?
A: Yes, Fox-IT has this variant. It seems that someone modified the original malware sample, likely with a common tool like hexedit. There has been another sample where the 'kill switch' domain has been completely patched out, resulting in a corrupt binary. Fox-IT is actively monitoring for new versions of the WanaCry ransomware.

Q: Has the ransomware's implementation of the encryption process been looked at, to see if files are recoverable?
A: The crypto that is used in the malware seems to have been implemented in an unbreakable way. At this point decryption does not seem possible.

A: Fox-IT, like other security researchers, is investigating connections of WanaCry to other known groups.
