Last Friday, May 12, a large-scale ransomware attack affected several organizations around the world, with more than 200,000 infections in more than 150 countries.
The malware, known as ‘WannaCry’, has the capability to scan TCP port 445 (Server Message Block/SMB), spreading like a worm by exploiting CVE-2017-0147 (MS17-010) with the ETERNALBLUE module and the DOUBLEPULSAR backdoor released to the public by The Shadow Brokers group last April.
After compromise, it encrypts files on the infected system and demands a ransom of between EUR 270 and EUR 550.
There is still no evidence of the initial vector of compromise. Some reports suggested that emails with zip and/or PDF attachments led to WannaCry infections, but all the emails analyzed came from a Jaff ransomware distribution campaign that occurred less than 24 hours before WannaCry first appeared and are not related.
A possible vector of compromise is tcp/445 (SMB), since the malware employs a worm that exploits vulnerabilities in SMB. A machine exposing this service to the Internet, whether in a corporate network or on a laptop, could then be used to infect systems inside a network, due either to poor network segmentation or to users moving between home and corporate networks.
The malware consists of two components: a main component that contains the worm capability via SMB and a ransomware component (WannaCry itself). When the malware runs, it makes a request to the domain www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com; if it receives a valid HTTP response, the worm component is not executed, preventing its dissemination. This domain functions as a "killswitch" and is thought to have been purposely placed by the author(s) to control the level of malware spread, preventing it from infecting other systems, both local and on the Internet, while the domain is active.
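As an added example (not part of the original advisory), the following Python flags three indicators drawn from the two paragraphs above in constructed DNS and firewall log lines: a lookup of the killswitch domain, tcp/445 reached from outside an assumed internal address range, and one internal host fanning out over tcp/445. The key=value log format, the 10.0.0.0/8 internal range and the fan-out threshold are assumptions made for this example.

```python
import ipaddress

# Killswitch domain named in the advisory (defanged there as www[.]...[.]com), lowercased.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = "445"
# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample logs in an assumed key=value format (not a real vendor format).
SAMPLE_LOGS = """\
type=dns src=10.0.1.23 qname=www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
type=dns src=10.0.1.24 qname=updates.example.com
type=fw src=198.51.100.7 dst=10.0.1.50 dport=445 action=allow
type=fw src=10.0.1.23 dst=10.0.2.11 dport=445 action=allow
type=fw src=10.0.1.23 dst=10.0.2.12 dport=445 action=allow
type=fw src=10.0.1.23 dst=10.0.2.13 dport=445 action=allow
type=fw src=10.0.1.30 dst=10.0.2.11 dport=443 action=allow
"""


def parse_line(line):
    # Split "k=v k=v ..." into a dict.
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, fanout_threshold=3):
    # Returns (finding, host) tuples, in the order the indicators are observed.
    findings = []
    smb_targets = {}  # internal source -> distinct hosts it reached on tcp/445
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["type"] == "dns":
            # A lookup of the killswitch domain means the sample executed on that host, whether
            # or not it spread. Do not block the domain: a valid HTTP response stops the worm.
            if rec["qname"].lower().rstrip(".").endswith(KILLSWITCH_DOMAIN):
                findings.append(("killswitch_lookup", rec["src"]))
        elif rec["type"] == "fw" and rec["dport"] == SMB_PORT:
            if not is_internal(rec["src"]):
                # SMB reached from outside the internal range: the exposure the text warns about.
                findings.append(("external_smb", rec["dst"]))
            else:
                smb_targets.setdefault(rec["src"], set()).add(rec["dst"])
    # One internal host opening tcp/445 to many peers is worm-like lateral movement.
    for src, dsts in smb_targets.items():
        if len(dsts) >= fanout_threshold:
            findings.append(("smb_fanout", src))
    return findings
```

Running `analyze(SAMPLE_LOGS)` on the constructed input yields one finding of each kind; the 443 connection and the benign DNS query are ignored.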
There are 3 known Bitcoin wallets to which the ransom payments are made. At 10:20 on May 15, these wallets held a total of about EUR 45,000, corresponding to an estimated 187 payments made to the criminals.
In general, keep your systems up-to-date and perform backups on a regular basis. Prevention is still the best strategy to combat ransomware.
For more information on ransomware in general, visit the No More Ransom project.
© AnubisNetworks 2023