The WannaCry ransomware, also known as wncry, has been linked to the recent cyberattack on the U.K.’s National Security Agency (NSA). It has infected the systems of at least 16 U.K. trusts and is spreading worldwide. Spain’s computer emergency response team, CCN-CERT, reported that the telecommunications firm Telefonica was hit as well.

What is Ransomware?

Ransomware is a type of malicious software that can prevent you from using your PC normally. Ransomware can stop certain applications from running (e.g. your Web browser), encrypt files on your system and demand that you pay a “ransom” to regain access to your files. However, there is no guarantee that paying will get you access back to your files.

WannaCry Ransomware

The ransomware encrypts files on the infected host and changes their extensions to .wnry, .wcry, .wncry and .wncrypt. The lockscreen payment instructions tell the user to send around $300 worth of bitcoin to an anonymous address.
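The renamed extensions above are the cheapest host-side triage signal for this family. The following Python is an added example (it is not code from the original post or from any vendor it cites): a pure classifier over a list of paths, a directory walker built on it, and a per-extension count. The sample file names in the demo are constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File extensions the post reports WannaCry appending to encrypted files.
WANNACRY_EXTENSIONS = {".wnry", ".wcry", ".wncry", ".wncrypt"}


def classify_paths(paths):
    """Return the subset of `paths` whose final suffix is a WannaCry extension.

    Pure function over an iterable of path strings, so it works on a live
    directory walk or on a file listing exported from another host.
    Matching is case-insensitive because the malware upper-cases some names.
    """
    hits = []
    for p in paths:
        if Path(p).suffix.lower() in WANNACRY_EXTENSIONS:
            hits.append(p)
    return hits


def count_by_extension(paths):
    """Count matching files per (lower-cased) extension for a triage summary."""
    return Counter(Path(p).suffix.lower() for p in classify_paths(paths))


def scan_tree(root):
    """Walk `root` and return every file path carrying a WannaCry extension."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return classify_paths(found)


if __name__ == "__main__":
    # Constructed demo: a scratch directory holding a few harmless empty files.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.docx.WNCRY", "budget.xlsx.wcry",
                     "notes.txt", "photo.jpg.wncrypt"):
            Path(tmp, name).touch()
        hits = scan_tree(tmp)
        print(f"{len(hits)} encrypted-looking files under {tmp}")
        for ext, n in sorted(count_by_extension(hits).items()):
            print(f"  {ext}: {n}")
```

An extension match is a triage signal, not proof: the list only tells you which hosts to isolate and image first, and a clean result does not rule out a sample that has not yet reached the encryption stage.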

Wanna-Decryptor

The attack appears to use a Windows Server Message Block (SMB) exploit, EternalBlue / DoublePulsar. Microsoft released a patch for this in March (MS17-010) for the following affected operating systems: Windows Vista, 7, 8, 10 and versions of the Windows Server software.

The source of infection has yet to be determined, but it is most likely that it spread via phishing email. Below is an excerpt from a threat analysis done by MalwareBytes:

“ …the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique… Therefore, nothing will happen on any new systems that run the executable.”

Due to the proliferation and criticality of this attack, Microsoft has made security updates available for unsupported systems that did not receive March’s security update. They had this to say regarding unsupported operating systems in the wake of the WannaCry ransomware attacks:

“We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download…”

You can read Microsoft’s Customer Guidance for WannaCrypt Attacks here.

Check out the following Indicators of Compromise (IOCs):

IP Address / Ports

197.231.221.211:9001
128.31.0.39:9191
149.202.160.69:9001
46.101.166.19:9090
91.121.65.179:9001
197.231.221.211
128.31.0.39
149.202.160.69
46.101.166.19
91.121.65.179

Domains

http://www.btcfrog.com/qr/bitcoinpng.php?address
http://www.rentasyventas.com/incluir/rk/imagenes.html
http://www.rentasyventas.com/incluir/rk/imagenes.html?retencion=081525418
http://gx7ekbenv2riucmf.onion
http://57g7spgrzlojinas.onion
http://xxlvbrloxvriy2c5.onion
http://76jdd2ir2embyv47.onion
http://cwwnhwhlz52maqm7.onion

MD-5 Hashes

5a89aac6c8259abbba2fa2ad3fcefc6e
05da32043b1e3a147de634c550f1954d
8e97637474ab77441ae5add3f3325753
c9ede1054fef33720f9fa97f5e8abe49

SHA-1 Hashes

6fbb0aabe992b3bda8a9b1ecd68ea13b668f232e

SHA-256 Hashes
At the time of this post, it seems there has been a slow-down in the continued amount of infections worldwide (live tracking) after security researchers registered the domain that WannaCry attempts to connect to during the initial execution stages.

Countermeasures:

  1. Patch your systems (apply the MS17-010 update)
  2. Back up your data regularly and keep off-site copies
  3. Be cautious about unsolicited emails and attachments

References:

The Register  |  Wired  |  Naked Security  |  Network World  |  BlueLiv
