This threat brief describes the WannaCry ransomware and how to protect yourself against it. We expect new variants of the ransomware to emerge throughout the week; they will seek to exploit the vulnerability in Microsoft Server Message Block (SMB) that WannaCry has been using. It is critical that Windows users protect themselves against this threat immediately.
Threat details [1]
- Virus name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt or WCRY.
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Symptoms on infected systems: Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt End users see a screen with a ransom message demanding between $300 to $600. On restarting, affected machines show a blue screen error and do not start.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DoublePulsar backdoor. It corrupts shadow volumes to make recovery harder.
- Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host. This domain has been sinkholed, which has stopped the worm from spreading.
How to protect yourself
- If you use Windows, install the patch Microsoft released to block the specific vulnerability that the WannaCry ransomware exploits. You can find instructions on this page in the Microsoft Knowledge Base.
- If you are using an unsupported version of Windows, like Windows XP, Windows 2008 or Server 2003, you can get the patches for your unsupported OS from the Microsoft Update Catalog. We recommend that you update to a supported version of Windows as soon as possible.
- Update your antivirus software definitions. Most AV vendors have now added detection capability to block WannaCry.
- Back up regularly and make sure you have offline backups. That way, if you are infected with ransomware, your backups won’t be encrypted.
- Organisations should also be monitoring their logs closely for suspicious activity across firewalls and anti-virus software.
Possible file decryption solution
An encryption key for WannaCry has not yet been discovered. However, security researchers at McAfee say they have developed an experimental file recovery method named “file carving” for files encrypted by WannaCry ransomware. They warn that the technique is “provided as is, we accept no responsibility if things don’t go as expected”. However, if your files are all encrypted and you don’t have a backup, you typically don’t have much to lose. More details are available in a post from McAfee in The SC Media Blog.
Resources
- The WannaCrypt0r Factsheet: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168.
- A detailed description of the worm and the exploit it uses to spread from Malwarebytes: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/.
- Coverage analysis from VirusTotal, showing which signatures/files are being detected by antivirus vendors, when they were first submitted to VirusTotal and the names of each component each AV vendor is using: https://docs.google.com/spreadsheets/u/1/d/1XNCCiiwpIfW8y0mzTUdLLVzoW6x64hk
- Customer guidance from Microsoft: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.
IT Governance cyber security and technical services
We have a team of account managers and security consultants available to discuss your cyber security challenges. IT Governance’s cyber security consultancy and technical services are delivered by a team of experienced in-house consultants and penetration testers who have a deep understanding of the range of cyber risks faced by organisations today, enabling you to implement the best possible security solutions for your budget and requirements.
Find out more about how to identify current risks in your existing systems and processes, or how to proactively detect and prevent internal and external threats.
[1] Adapted from the WannaCrypt0r Factsheet, https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168.
