The WannaCry ransomware, also known as wncry, has been attributed to the recent U.K. National Security Agency (NSA) cyberattack. It has infected the systems of at least 16 U.K. trusts and is spreading worldwide. Spain’s computer emergency response team CCN-CERT reported that the telecommunications firm Telefonica was hit as well.
What is Ransomware?
Ransomware is a type of malicious software that prevents you from using your PC normally. It can stop certain applications from running (e.g. your Web browser), encrypt the files on your system and demand that you pay a “ransom” to regain access to them. However, there is no guarantee that paying the ransom will give you access back to your files.
The ransomware encrypts files on the infected host and changes the extensions to .wnry, .wcry, .wncry and .wncrypt. The lockscreen payment instructions are for the user to send around $300 worth of bitcoin to an anonymous address.
The attack appears to be using a Windows Server Message Block (SMB) exploit using EternalBlue / DoublePulsar. Microsoft released a patch for this in March for the following affected operating systems: Windows Vista, 7, 8, 10 and versions of the Windows Server software.
The source of infection has yet to be determined, but it most likely spread via phishing email. Below is an excerpt from a threat analysis done by Malwarebytes:
“ …the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).
The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.
This was probably some kind of kill switch or anti-sandbox technique… Therefore, nothing will happen on any new systems that run the executable.”
Due to the proliferation and criticality of this attack, Microsoft has made security updates available for unsupported systems that did not receive March’s security update. They had this to say regarding unsupported operating systems in the wake of the WannaCry ransomware attacks:
“We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download…”
You can read Microsoft’s Customer Guidance for WannaCrypt Attacks here.
Check out the following Indicators of Compromise (IOCs): IP addresses / ports.
At the time of this post, the rate of new infections worldwide (live tracking) appears to have slowed after security researchers registered the domain that WannaCry attempts to connect to during its initial execution stages.
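The two host-side indicators the post gives, the kill-switch domain from the Malwarebytes excerpt and the encrypted-file extensions, can be turned into a small triage check. The script below is an added example, not code from the original post or from Malwarebytes; the DNS log format and the file listing are constructed for illustration, and a successful kill-switch lookup is treated as evidence that the worm ran even though the sample then exits without encrypting.

```python
import re
from typing import Dict, List, Set

# Kill-switch domain quoted in the Malwarebytes excerpt above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Extensions WannaCry appends to encrypted files, as listed in the post.
WANNACRY_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncrypt")

# Constructed resolver log lines; hypothetical format "<ts> <client_ip> query <name>".
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.21 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:05Z 10.0.4.21 query update.microsoft.com
2017-05-12T10:02:17Z 10.0.7.88 query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:03:40Z 10.0.9.12 query intranet.example.local
"""

# Constructed file listing from a share, as an admin might export it.
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"\\fileserver\share\q1-report.docx.wcry",
    r"C:\Users\bob\notes",
]

DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")


def hosts_querying_kill_switch(log_text: str) -> Set[str]:
    """Return client IPs that looked up the kill-switch domain.

    A lookup means the worm executed on that host. If the lookup succeeded
    (the domain is now registered), the sample exits before encrypting, but
    the host still ran the binary and needs MS17-010 applied and a triage.
    Matching is case-insensitive and ignores a trailing dot (FQDN form).
    """
    hits: Set[str] = set()
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m and m.group(3).lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.add(m.group(2))
    return hits


def find_encrypted_files(paths: List[str]) -> Dict[str, List[str]]:
    """Group paths by WannaCry extension (case-insensitive); others are dropped."""
    found: Dict[str, List[str]] = {}
    for path in paths:
        name, dot, ext = path.rpartition(".")
        if dot and ("." + ext.lower()) in WANNACRY_EXTENSIONS:
            found.setdefault("." + ext.lower(), []).append(path)
    return found


if __name__ == "__main__":
    print("hosts that ran WannaCry:", sorted(hosts_querying_kill_switch(SAMPLE_DNS_LOG)))
    print("encrypted files:", find_encrypted_files(SAMPLE_FILE_LISTING))
```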
- Patch your systems
- Back up your data regularly and ensure you keep off-site copies
- Be cautious about unsolicited emails and attachments