What is WannaCry?
WannaCrypt, aka WanaCrypt0r 2.0, WannaCry and WCry, is a new ransomware that hit over 74 countries in the last 24 hours, which spreads like a worm by leveraging a Windows vulnerability (MS17-010) that has been previously fixed by Microsoft in March of this year. WannaCry is a form of “ransomware” that locks up the files on your computer and encrypts them in a way that makes them unavailable to you anymore.
The express train speed with which this has spread indicates users have not yet installed the security patch released in March (MS17-010) or they are still running an unsupported version of Windows for which Microsoft is no longer providing any any security update. Once it infects your machine, WannaCry demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to. What makes this different from previous ransomware is that its designers have supercharged it by using tools leaked by the super hackers at US National Security Agency (NSA).
Here are some quick links to much more technical details the team at The Register have gathered:
- Cisco’s Talos team has dissected the malware, describing its components.
- A scrapbook page linking to samples of the malware, its command-and-control addresses, Bitcoin wallet addresses for ransoms, and so on.
- A decrypted sample of the software nasty is here.
- An exploit for MS17-010 written in Python with example shellcode. This is based on the Eternalblue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft’s code. A 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijacking the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.
- You can track infections in real time, here. There are at least 104,000 identified infected hosts worldwide.
- MalwareBytes has a study of the worm component, here.
- Microsoft has advice for customers, here. There’s also an emergency patches for operating systems as far back as WindowsXP, here. Please install them if you need to.
How The Heck Is WannaCry Spreading?
Any ransomware infection typically leverages spam, phishing or some form of social engineering as its primary attack vector, fooling users into downloading and executing a malicious file attachment.
FoxIT researchers have discovered that WannaCry is also leveraging a social engineering variant of the ransomware that is initially distributed via an email containing a link or a PDF file with payload, which when clicked, installs WannaCry on the targeted system. WannaCry then attempts to leverage its newfound foothold to disseminate copies of itself through the infected host’s network.
The Hacker News is reporting that once executed, the self-spreading WannaCry ransomware does not infect the targeted computers immediately, as malware reverse engineers found that the dropper first attempots to connect the following domain, which was initially unregistered:
If the connection to the above-mentioned unregistered domain fails (which it obviously should), the dropper proceeds to infect the system with the ransomware that would start encrypting files. But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.
As of now, over 100 countries have been infected:
How To Protect Yourself From WannaCry?
Patching makes Perfect. First, if you have not already patched your Windows machines and servers against the Microsoft vulnerability exploit (MS17-010), do it right now. Microsoft’s Windows Defender AV detects and removes this threat. as well.
To reduce the possibility of becoming infected with ANY ransomware infection, do not open uninvited emails, emails from people or businesses you do not recognize and NEVER click on any attachments unless you know what you are opening. And as a best practice you should always backup your files to some type of external device that is not connected to your PC or your network.
If you don’t have an AntiVirus software package running on your PC (what are you thinking) then install one ASAP and keep the definitions up to date. Most, if not all Av packages will automatically update the virus definitions but it’s up to you to set up an effective scanning solution.