Category: Ransomware

Your allowed to WannaCry now as it’s not over!

Your allowed to WannaCry now as it’s not over!

Friday is typically a day when everyone’s thought is on the weekend; time to relax, time to escape from work for a precious two days. Friday 12th May 2017 was not one of those days, that Friday the RansomWare game was changed, enter “WannaCry”.

As this particular Friday unraveled computer systems around the world were being taken down; from Telefonica in Spain, the NHS in the UK and FedEx in the US, my own first thoughts when I saw on the news that the NHS was facing major systems outages due to a new RansomWare strain was first “oh great another variant” and second “I wonder how it got in a spread so quickly, it almost looks like a coordinated attack given how much of the NHS has been hit”. Quickly news started to spread about it and the name was out for this new malware “WannaCry” (also known as “WCry” and “WannaDecrypt0r”) and by the evening everyone had heard of it.

WannaCry is just the payload, once that payload is delivered the target system is encrypted and a message is displayed ordering you to pay to get your files back, so the payload itself is a pretty standard form of RansomWare. The intriguing part is the delivery system which makes use of the EternalBlue exploit from the NSA toolkit released last month, via this exploit the payload can then be spread to nearly any Windows devices on the same network as the infected machine. The EternalBlue exploit allows the malware the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, it compromises hosts, encrypting the files stored on them and then demanding a ransom payment in the form of Bitcoin all the while scanning and spreading more allowing the payload to spread quickly around the network with no admin credentials required. An important note to make is that the malware is not just able to spread via internal networks but also externally facing hosts across the internet.

WannaCry primarily utilizes the EternalBlue exploit but is also used in conjunction with the DoublePulsar backdoor. EternalBlue is utilized for the initial exploitation of the SMB vulnerability, if successful then the DoublePulsar backdoor is implanted which in turn is used to install the malware. Microsoft had released security patches for all Operating Systems currently in support and extended support, these were released back in March although this resolves the ExternalBlue exploit this does not necessarily mean you are protected as WannaCry is designed so that if the EternalBlue exploit fails it will proceed and check if the target already has the DoublePulsar back-door installed. This could have been installed prior to the patch by another hacker, even the NSA since this was originally part of their hacking toolkit before ShadowBrokers publicly released it.

On Friday evening the first variant was halted by a British security researcher MalwareTechBlog  who after analyzing some of the code found it pointed to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) and so decided to buy the domain and sinkhole it. Now maybe I am pessimistic but upon hearing this I immediately thought one thing “it’s not over, this is just the start”, and over the weekend I started to try to gather more and more information on this to understand it, the logical next step for the WannaCry creators is to change the kill-switch or to remove it entirely, without a kill-switch this would be a complete nightmare for all sysadmins around the world.

Throughout the weekend Security Researchers have been working to get hold of some of the samples to break them down and understand them, one researcher from France who uses the twitter handle @benkow_ discovered a new variant, WannaCrypt0r 2.0, he in turn sent it onto anothe IT Security Researcher Matthieu Suiche for an in-depth analysis. Upon analyzing, Matthieu discovered a kill-switch again but this one linked to another domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). Matthieu has since added a post to his blog explaining how he found it and registered the domain.

Working with MalwareTech, Matthieu transferred this additional domain to MalwareTech’s sinkhole, to which MalwareTech posted the below to Twitter.

“Thanks to @benkow_ who found what looks like a new ‘kill switch’ domain and @msuiche who registered it and transferred it to our sinkhole.”

Earlier I thought “it’s not over” and it appears I might be right, the predictions that the fast-spreading WannaCry RansomWare would quickly evolve to get around its domain-based kill switch were everywhere, and, well… the predictions are starting to come true, we are already seeing reports of different domain names being used and a few where researchers have claimed to have found some without any kill-switch whatsoever, (these researchers have since back tracked and it looks like they might have not been using a fresh sample from the wild). I still believe that the kill-switch will be removed, it might not be done by the original creators but by a copycat group but the exploits and code is out there so its just a matter of time.

The taking down of these kill-switches is just a temporary measure; one should expect new variants released and as such security measure should be implemented now to prevent falling victim later.

  1. Do not open an unknown email
  2. Do not download files from an unknown email
  3. Do not click files from an unknown email
  4. Avoid visiting malicious sites
  5. Do not download software and apps from a third-party store/website
  6. Enable “Show hidden file extensions” and only open a file if its the extension you expect
  7. Apply any pending software updates and keep them up-to date
  8. Make sure you are using a reputable security suite/Anti-Virus
  9. Back up your data on a regular basis
  10. Use System Restore to get back to a known-clean state

What additional steps Microsoft users should take?

Microsoft Windows is the ultimate target of this cyber attack since WannaCry exploits a security flaw within the SMB protocol, to mitigate the risk patch MS17-010 should be applied urgently if not already applied, to aid in this please find below the direct links to each download from Microsoft:

Windows XP SP3 //download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

Windows Vista x86 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu

Windows Vista x64 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 7 x64 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 7 x86 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu

Windows 8 //download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu

Windows 8.1 //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 10 //download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu

Windows 2003 x86 //download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe

Windows 2003 x64 //download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

Windows 2008 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 2008R2 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 2012 //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu

Windows 2012R2 //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 2016 //download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu

WannaCRY and the DoublePulsar Exlpoit

WannaCRY and the DoublePulsar Exlpoit

As many saw yesterday the NHS faced a major outage and they were not alone, yesterday saw a mass outbreak of a new strain of RansomWare called “WannaCRY” (aka #WanaCypt0r aka #WCry), this may act like a normal RansomWare (in the sense that it encrypts all your files and demands a Ransom) but it does not necessarily get into systems like we have seen before.

On April 14th, 2017 some of you may have seen that group “Shadow Brokers” released a collection of tools that the NSA was using for hacking and taking unrestricted control of systems around the world, they did try to auction this off last year but were unsuccessful and so chose to release it to all. Within this collection of tools is one that has enabled the global attack yesterday, it has been dubbed the name “EternalBlue” and uses the SMBv1 and SMBv2 protocol of which when paired with “DoublePulsar” (Also in the NSA toolkit) DoublePulsar can then inject DLL’s into the target system enabling the attacker to take full control of the target system. To see how it works check out this link.

This is a very serious attack vector and Microsoft did release a patch on March 14th for it (before Shadow Brokers released it to all), the Microsoft patch is MS17-010 of which a breakdown of that can be found here.

Given the seriousness of this attack vector it is imperative to ensure that all of you business and personal Windows devices are patched an upto date, Microsoft have also released patches last night for some EOL (End of Lifetime) Operating Systems to try and minimize the risk to customer systems. The EOL devices added to receive these patches are for Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

Extract from Microsoft Statement: “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

MalwareTech has also released a blog post explaining how he stopped WannaCRY in its tracks to read it follow this link.