Ransomware Awareness: WanaCrypt0r 2.0

Summary

A huge cyber-attack leveraging hacking tools, widely believed to have brought disruption to Britain’s National Health System (NHS) on May 12th, 2017, has also infected systems in 99 other countries around the world.

Detailed Information

Ransomware is malicious software that infects machines, locks them by encrypting data and then extorts money to let users back in.

The malware that has affected Telefónica in Spain and the NHS in Britain is the same software, a piece of ransomware first spotted in the wild by security researchers MalwareHunterTeam, at 9:45 am on 12 May.

Less than four hours later, the ransomware had infected NHS computers, originally only in Lancashire, and spread laterally throughout the NHS’s internal network. It is also being called Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.

WanaCrypt0r 2.0 is asking for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computers.

Technical Details

Samples show the WannaCry malware with no AV detection.  There is a Visual Basic Script file (VBS) packaged with some binaries hinting at possible initial infection vectors via emails with linked or attached Microsoft Office documents.

Once installed, it encrypts files using AES and RSA encryption. More details on the delivery and infection mechanisms will be relayed as they become available.

Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn’t be used to spread between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organizations are often slow to install such security updates on a wide scale.

Indicators of Compromise

Please look for the following indications of a possible compromise. Even if you don’t find the indicators below, please follow the “Corrective Action” section to protect against future attack from this malware.

Registry Keys

HKEY_LOCAL_MACHINE\Software\WanaCrypt0r

Files created

%TEMP%\m.vbs
%TEMP%\b.wrny
%TEMP%\c.wrny
Tasks.exe
Taskdl.exe
@Please_Read_Me@.txt
@WanaDecryptor@.exe

File Strings

Wanna Decryptor 1.0
Wana Decrypt0r
Wana Decryptor
WANNACRY
WanaCrypt0r
WANACRY!
WNcry@2ol7
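
The two lists above (file names and file strings) can be swept for on a mounted disk image or a directory tree. The script below is an added example, not part of the original advisory: it matches file base names case-insensitively and searches file contents for the listed strings in both ASCII and UTF-16LE. The function names, the 16 MiB read limit and the sample files are assumptions made for illustration; the registry key is not covered.

```python
import os
import tempfile

# Indicator values copied from the lists above (base names and strings as given on this page).
# Names are lowercased because Windows file names are case-insensitive.
IOC_FILENAMES = {"m.vbs", "b.wrny", "c.wrny", "tasks.exe", "taskdl.exe",
                 "@please_read_me@.txt", "@wanadecryptor@.exe"}
IOC_STRINGS = ["Wanna Decryptor 1.0", "Wana Decrypt0r", "Wana Decryptor",
               "WANNACRY", "WanaCrypt0r", "WANACRY!", "WNcry@2ol7"]

def string_hits(data: bytes) -> list:
    """Return the IoC strings present in data, encoded as ASCII or UTF-16LE."""
    hits = []
    for s in IOC_STRINGS:
        if s.encode("ascii") in data or s.encode("utf-16-le") in data:
            hits.append(s)
    return hits

def sweep(root: str, max_bytes: int = 16 * 1024 * 1024) -> dict:
    """Walk root and map each matching path to the reasons it matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("filename:" + name)
            try:
                with open(path, "rb") as fh:
                    reasons += ["string:" + s for s in string_hits(fh.read(max_bytes))]
            except OSError:
                pass  # locked or unreadable file: rely on the name match only
            if reasons:
                findings[path] = reasons
    return findings

def demo() -> dict:
    """Constructed sample tree: one name match, one wide-string match, one clean file."""
    root = tempfile.mkdtemp()
    samples = {"@Please_Read_Me@.txt": b"constructed note",
               "setup.bin": b"\x00\x01" + "WanaCrypt0r".encode("utf-16-le"),
               "report.docx": b"quarterly figures"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return {os.path.basename(p): r for p, r in sweep(root).items()}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

A generic name such as m.vbs will produce false positives on its own, so treat a name-only hit as a lead to confirm with a string match or the registry key.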

Corrective Action

  • Server Message Block (SMB) Protocol is a network file sharing protocol and should be disabled if not required for business use.
  • Use of MS17-010 has been confirmed, and that vulnerability should be patched immediately: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  • All SMB-related patches should be applied to servers as soon as practical.
  • Any Microsoft updates that haven’t been applied to servers should be applied as soon as possible.
  • A notice regarding this attack should be sent to all users, along with a reminder about clicking links or opening files in emails from suspicious or unknown sources.
  • Review current backup policies and procedures and be prepared to perform a restore in case of infection – it is never a good idea to pay the ransom in a ransomware attack if at all avoidable.
  • Disable default user accounts.
  • Turn on Data Execution Prevention (DEP) for systems that support it.
