Last Friday, May 12, a large-scale ransomware attack affected several organizations around the world, with more than 200,000 infections in more than 150 countries.
The malware, known as ‘WannaCry’, scans TCP port 445 (Server Message Block, SMB) and spreads like a worm by exploiting CVE-2017-0147 (MS17-010) with the ETERNALBLUE exploit modules and the DOUBLEPULSAR backdoor, which were brought to the public by The Shadow Brokers group last April.
After compromise it encrypts files on the infected system and demands a ransom of between EUR 270 and EUR 550.
There is still no evidence of the initial vector of compromise. Some reports suggested that an email with a zip and/or pdf attachment led to WannaCry infections, but all the emails analyzed belonged to a distribution campaign of the Jaff ransomware that occurred less than 24 hours before WannaCry first appeared and are not related.
A possible vector of compromise is TCP/445 (SMB), since the malware's worm component exploits vulnerabilities in SMB: a machine exposing this service to the Internet, whether on a corporate network or a laptop, could then be used to infect systems inside a network because of poor network segmentation or because users move between home and corporate networks.
The malware consists of two components: a main component that carries the worm capability over SMB, and a ransomware component (WannaCry itself). When the malware runs, it makes a request to the domain www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com; if it receives a valid HTTP response, the worm component is not executed, which stops further dissemination. This domain functions as a "killswitch" and is thought to have been purposely placed by the author(s) to control how far the malware spreads: while the domain is active, infected hosts do not attempt to infect other systems, either locally or on the Internet.
There are 3 known Bitcoin wallets to which the ransom payments are made. At 10:20 on May 15, these wallets held a total of about EUR 45,000, corresponding to an estimated 187 payments made to the criminals.
How to protect against WannaCry Ransomware:
- Install the Windows security update for MS17-010 on all systems on the network. Microsoft has also made it available for systems that are no longer supported, such as Windows XP.
- Disable version 1 of SMB (SMBv1) across the Windows domain or on every Windows system on the network.
- Do not block the domain www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Unlike a typical malicious domain, this one prevents the worm from being activated: the malware expects to receive a valid response from it, and only then does it refrain from propagating to other systems on the local network or on the Internet.
- Because the domain is now operated by researchers and not by criminals, you can let traffic from infected systems to it pass through your network.
- If this is not an option, create a DNS zone for this domain and point it to an internal web server that returns a valid HTTP response. This option should also be followed by anyone with a non-transparent proxy on the network, since the malware does not work well through proxies and would otherwise never receive a valid response.
- If you have systems already infected, do not pay the ransom; do not be part of the 0.0001% that is paying the criminals.
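The protective steps above, together with the killswitch behaviour described earlier, as one added PowerShell example. This is not code from the original advisory or from Anubis Labs; it is written here to show how an administrator would apply and verify these measures on Windows hosts and on an internal DNS server. The function names are ours, the KB list is an illustrative subset that must be cross-checked against Microsoft's MS17-010 bulletin for each OS build, `$SinkholeIp` is a placeholder for an internal web server that answers any request with a valid HTTP response, and the DNS zone creation assumes an Active Directory-integrated DNS server.

```powershell
# Added example, not the advisory's own code. Run in an elevated PowerShell session.
# Assumptions: $KnownKbs is illustrative (verify against the MS17-010 bulletin),
# $SinkholeIp is a placeholder, and the DNS zone is AD-integrated.

# Killswitch domain from the advisory (written defanged there as www[.]...[.]com).
$KillSwitchDomain = 'Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$SinkholeIp       = '10.0.0.53'   # placeholder: your internal web server

# 1. Is an MS17-010 update present? Get-HotFix lists installed updates by KB id.
function Test-Ms17010Installed {
    param(
        # Illustrative subset of MS17-010 KB ids (security-only and monthly rollups).
        [string[]]$KnownKbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                'KB4012214','KB4012217','KB4012598','KB4012606',
                                'KB4013198','KB4013429')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $installed | Where-Object { $KnownKbs -contains $_ }
    if ($found) { Write-Output "MS17-010 present: $($found -join ', ')"; return $true }
    Write-Warning "No MS17-010 update found on $env:COMPUTERNAME - patch before anything else"
    return $false
}

# 2. Disable SMBv1. Windows 8 / Server 2012 and later expose the SMB cmdlets;
#    Windows 7 / Server 2008 R2 use the LanmanServer registry value from
#    Microsoft KB2696547 (takes effect after a reboot).
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        Get-ItemProperty -Path $key -Name SMB1
    }
    # Client side (also from KB2696547): stop the SMBv1 redirector from loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# 3. Laptops that roam between home and corporate networks: refuse inbound
#    TCP/445 on the Public profile so the service is not reachable from a home LAN.
function Block-Smb445OnPublicProfile {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP/445) on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block
}

# 4. On the internal DNS server: serve the killswitch domain from a local zone
#    whose www record points at the internal web server.
function Add-KillSwitchSinkholeZone {
    Add-DnsServerPrimaryZone -Name $KillSwitchDomain -ReplicationScope Domain
    Add-DnsServerResourceRecordA -ZoneName $KillSwitchDomain -Name 'www' -IPv4Address $SinkholeIp
}

# 5. Verify from a client what an infected host would see. The request is made
#    without a proxy (the advisory notes the malware does not work well through
#    proxies); it must succeed for the worm component to stay idle.
function Test-KillSwitchReachable {
    $url = "http://www.$KillSwitchDomain/"
    $wc  = New-Object System.Net.WebClient
    $wc.Proxy = $null                      # direct connection, no proxy
    try {
        [void]$wc.DownloadString($url)
        Write-Output "$url answered: the worm component would not run from this network"
        return $true
    } catch {
        Write-Warning "$url did not answer ($($_.Exception.Message)): the worm component WOULD run here"
        return $false
    }
}

# Usage, per role:
#   On every Windows host:   Test-Ms17010Installed; Disable-Smb1; Block-Smb445OnPublicProfile
#   On the DNS server:       Add-KillSwitchSinkholeZone
#   From a client afterwards: Test-KillSwitchReachable
```

The killswitch check in step 5 deliberately bypasses the system proxy so that it reflects what the malware itself would experience rather than what a browser on the same host sees; a result of `$false` on a network that does use a non-transparent proxy is exactly the case the DNS sinkhole zone in step 4 is meant to fix.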
In general, keep your systems up-to-date and perform backups on a regular basis. Prevention is still the best strategy to combat ransomware.
For more information on ransomware in general, visit the No More Ransom project.
The Anubis Labs team is tasked with the ongoing effort to discover new threats, track and collect intelligence about malware and botnets, and figure out the best approach to give our customers good insight into their threat landscape.