The WannaCry outbreak got started by infecting a small number of vulnerable machines.

  • If you are running an older Windows system — Windows 2000, Vista, XP, Windows 2003, Windows 2008, or Windows 7 — you can go here to install the patches and keep your system safe.
  • The WannaCry (or WannaCrypt) ransomware hack that impacted businesses worldwide was most successful on Windows 7 computers. It was believed that computers running older systems were most vulnerable to the ransomware attack. That turned attention to systems like Windows XP and Vista, still in use on a large number of computers today.
  • Extract the.zip file to a folder on your desktop. If you downloaded it on a machine other than the one hit by WannaCry, move the file to a USB drive and run it on the infected computer from the.

Need information for WannaCry?

Summary - 5-Jul-2017

Talos published a post describing the complete timeline of the NotPetya campaign, starting from infection at MeDoc to delivery : The MeDoc Connection.

Summary - 4-Jul-2017

Kaspersky published an article claiming that around the same time of the delivery of NotPetya another malware, also ransomware, was delivered via the update servers of MeDoc : In ExPetr/Petya's shadow, FakeCry ransomware wave hits Ukraine. The ransomware contains a number of false flags to make it look like Wannacry.

Summary - 3-Jul-2017

There is little hope for those who paid the ransom in the hope of unlocking encrypted hardware and recovering scrambled files. Researchers from Kaspersky Lab have discovered an error in the malware's code that prevents recovery of data. The ransomware part of NotPetya was a lure for the media, whereas the real objective was the wiping of systems.

For those who would like to disable the execution of psexec, please refer to the blog article: Petya: disabling remote execution of psexec.

Summary - 30-Jun-2017

A number of security companies are investigating attribution, or linking this campaign to previous malware campaigns.

  • Petya: 'I Want To Believe', an excellent write-up by F-Secure on the doubts you need to have when doing attribution.
  • TeleBots are back: Supply-chain attacks against Ukraine, ESET makes reference to a PHP backdoor that was installed on the MeDoc servers.
  • Ukraine's ransomware attack was a ruse to hide culprit's identity, researchers say, a story on attribution by The Washington Post

Summary - 29-Jun-2017

So far no infection method via email has been found. This also means that the phishing delivery method is wrong and that CVE-2017-0199 did not play a role. The IPs listed in the IOC list are also not related to NotPetya. It doesn't harm monitoring these IPs for other ransomware waves (Loki?) but it will not protect you against NotPetya.

The update request for MeDoc seems to be querying the domain upd.me-doc.com.ua. If you are unsure if your organization uses MeDoc you can use your proxy server logs to track connections.

As extra mitigation actions, next to those listed below:

  • Use network segmentation to limit the spread via 'normal' Windows tools
  • Prevent the re-use of administrative credentials on different machines
  • Limit the use of administrative sessions

Also read the excellent analysis by Cisco Talos

Summary - 28-Jun-2017

Information that is currently known about the NotPetya ransomware attack.

How did it all start?

There are two main delivery methods known:

  • An attack on the update process of MeDoc.
    MeDoc is tax accounting software. The updating process (EzVit.exe) executes a command that matches the attack pattern (C:\Windows\system32\rundll32.exe 'C:\ProgramData\perfc.dat',#1 30).
  • Phishing emails that deliver an infected Excel document.
    Initial reports mentioned exploitation of CVE-2017-0199 (a vulnerability in Microsoft Office/WordPad that allows remote code execution), but this is not confirmed; those initial reports may be confusing it with a simultaneous incident taking place in Ukraine, probably distributing Loki.

Note that the initial spreading did not take place via exploits from the Shadow Brokers leak of NSA tools. Compared to WannaCry, spreading takes place on the internal network, once the attackers already had a foothold in the network of the victim.

Kaspersky reported that NotPetya was also delivered via a watering hole attack to spread via a drive-by download. The sources of this attack have been cleaned.

Once inside a network, what happens next?

The malware has a set of capabilities allowing it to work its way through the network of a victim. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for all the details:

  • Credential stealing
    The tool uses functionality similar to Mimikatz to dump credentials by accessing the Windows LSASS process. If a user logs in with administrator capabilities, these credentials are used to attempt to spread to other machines that accept the same credentials. It will not only scan for administrator credentials but search for all other credentials available in the credential store. Similarly, it will also try to use the credentials of the active open sessions. If it finds credentials starting with 'TERMSRV/' of type 1 (generic) it will use that credential to propagate via the network.
  • Spreading via file-shares
    The malware scans the network for machines with open ports tcp/139 and tcp/445. If it is being run on a server it will first attempt to get a list of DHCP leases. If a scan is successful it attempts to copy a binary to the remote machine with the stolen credentials.
  • Using 'normal' Windows features to deliver the payload
    It attempts to execute the malware remotely via the PSEXEC or WMIC tools and drops psexec.exe (renamed to dllhost.dat). It then scans for admin$ shares and executes the malware via PSEXEC. It also uses WMIC to find remote shares and then uses the existing user session or one of the credentials found to propagate itself.
  • Exploit vulnerabilities in SMB
    It uses ETERNALBLUE (CVE-2017-0144) or ETERNALROMANCE (CVE-2017-0145) to exploit a vulnerability in SMBv1. Both vulnerabilities were patched in MS17-010.

Once it infects a host, the further behavior depends on the malware process privilege level and on the processes found to be running on the machine. Depending on the processes found, it may skip infecting the MBR or skip network spreading via SMB.

If it does start encrypting the MBR, it will also schedule a reboot via a scheduled task (starts at a random time interval, between 10-60 minutes after infection).

Regardless of the privileges, it will always attempt to encrypt files on all fixed disks. It does not encrypt files in C:\Windows. No file extension is added to encrypted files; the files are overwritten.

Note that by using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.

Event logs and the USN journal are also deleted (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:v)

The code used for ETERNALBLUE is cleaned up compared to the sample used with WannaCry. This indicates some thought was given to running this campaign.

Mitigation

  • Machines that have MS17-010 installed or have SMBv1 disabled are not affected by network spreading via ETERNALBLUE or ETERNALROMANCE (but can still be infected via PSEXEC/WMIC)
  • Filter traffic on tcp/139 and tcp/445 (inbound)
  • Monitor network flows for tcp/139 and tcp/445 (use for example netflow)
  • Disable or limit remote WMI
  • Block the execution of PSEXEC, for example via an endpoint protection solution
  • Monitor network traffic to 95.141.115.108, 185.165.29.78, 84.200.16.242, and 111.90.139.247
  • Raise awareness among your users to be vigilant when receiving 'suspicious' mails with attachments
  • Apply the kill switch on infected machines to prevent further encryption
  • Monitor laptops that have been connected to other networks; if one infected laptop gets introduced on your network the malware can spread, even if all your other machines are patched!
  • Backups!
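The bullets above ask for netflow monitoring of tcp/139 and tcp/445 and for watching laptops that re-enter the network. The example below is added here and is not part of the advisory; it takes a simplified, constructed flow export (one line per flow: ISO timestamp, source, destination, destination port) and flags any host that reaches an unusual number of distinct internal peers on the SMB/NetBIOS ports inside a short window, which is what both NotPetya's share scanning and a returning infected laptop look like on the wire. The internal ranges, the threshold and the sample hosts are assumptions to adapt to your own address plan.

```python
"""Flag internal hosts that fan out SMB/NetBIOS connections to many peers."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
# RFC 1918 ranges as a stand-in for "internal"; adjust to your own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _constructed_flows():
    """Build a small, entirely synthetic flow export (ISO timestamp, src, dst, dst_port)."""
    base = datetime(2017, 6, 27, 10, 0, 0)
    lines = []
    # Benign: a workstation talking to its single file server over and over.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 10.1.2.20 10.1.2.10 445")
    # Benign: ordinary outbound HTTPS, neither an SMB port nor an internal peer.
    lines.append(f"{base.isoformat()} 10.1.2.30 203.0.113.10 443")
    # Suspicious: one host sweeps twelve internal peers on 445/139 within a minute.
    for i in range(12):
        port = 445 if i % 2 == 0 else 139
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.1.2.50 10.1.2.{100 + i} {port}")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_flows()


def parse_flows(text):
    """Parse 'timestamp src dst dst_port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_smb_fanout(flows, threshold=10, window=timedelta(minutes=5)):
    """Return {src: peak_distinct_peers} for every source that contacted at least
    `threshold` distinct internal hosts on tcp/139 or tcp/445 within `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SMB_PORTS and is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every counted event sits inside the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} reached {peers} distinct internal hosts on SMB/NetBIOS ports")
```

A workstation that hammers one file server never trips the rule, because the count is of distinct destinations, not of flows; a single host touching a dozen peers on 445/139 in under a minute does. Tune the threshold against a baseline of your own flows before alerting on it.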

There is a kill switch, but unlike WannaCry, where it required a functioning network connection to a domain, this kill switch has to be applied locally. Creating a file C:\Windows\perfc should prevent the encryption. Do note that the kill switch does not prevent network spreading; it only prevents a machine from getting encrypted. Placing perfc will only protect against current versions: NotPetya checks for a file with the same name (without extension) as the file it was started from. If that gets changed to abcdef.dll, the new variant will check for 'C:\Windows\abcdef'.
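Because the check is derived from the dropped file's own name, a defender's script should derive the kill-switch name the same way rather than hard-coding perfc. The snippet below is an added example, not a tool from the advisory: it computes the expected path from a dropped file name (perfc.dat gives C:\Windows\perfc, abcdef.dll gives C:\Windows\abcdef) and creates the empty marker files in a directory you choose. Writing into the real Windows directory needs an elevated prompt; the demo writes into a temporary directory instead.

```python
"""Derive and create the local NotPetya kill-switch file for a given dropped file name."""
import os
import tempfile
from pathlib import Path, PureWindowsPath


def killswitch_name(dropped_filename):
    # NotPetya looks in the Windows directory for a file named like the file it was
    # launched from, without the extension: perfc.dat -> perfc, abcdef.dll -> abcdef.
    return PureWindowsPath(dropped_filename).stem


def expected_killswitch_path(dropped_filename, windows_dir=r"C:\Windows"):
    """Windows-style path string the current variant would check for."""
    return str(PureWindowsPath(windows_dir) / killswitch_name(dropped_filename))


def create_killswitch_files(dropped_filenames, windows_dir=None):
    """Create an empty marker file per dropped name; returns the names newly created.
    windows_dir defaults to %SystemRoot% (assumption: the machine's Windows directory)."""
    base = Path(windows_dir or os.environ.get("SystemRoot", r"C:\Windows"))
    created = []
    for name in dropped_filenames:
        target = base / killswitch_name(name)
        if not target.exists():
            target.touch()          # an empty file is enough; the malware only tests presence
            created.append(target.name)
    return created


def demo():
    """Run the creation twice in a scratch directory; the second pass creates nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        first = create_killswitch_files(["perfc.dat", "abcdef.dll"], tmp)
        second = create_killswitch_files(["perfc.dat", "abcdef.dll"], tmp)
    return first, second


if __name__ == "__main__":
    print(expected_killswitch_path("perfc.dat"))
    print(demo())
```

Remember the limit the text states: the marker stops encryption on that one machine and does nothing against spreading, so it complements, rather than replaces, patching and SMB filtering.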

Is it really ransomware? Or a wiper?

The malware itself is well written and jumps through a couple of hoops to bypass AV detection (making use of a fake Microsoft signature and an XOR-encrypted shellcode payload). On the other hand, the payment chain (which, from an attacker's point of view, is the 'return on investment' part) is very bad. A number of reports came out that this worm is not meant to 'monetize' but rather to cause as much damage as possible; see Pnyetya: Yet Another Ransomware Outbreak.

Summary - 27-Jun-2017

The ransomware is delivered via 'normal' Office documents, by the modified ETERNALBLUE exploit or by an attack against the update mechanism of MeDoc.

The ransomware captures credentials for spreading, using tools similar to Mimikatz. Credentials are extracted from the lsass.exe process. These credentials are then passed on to PsExec or WMIC for further spreading.

The malware waits 10-60 minutes after infection to reboot the system. Once rebooted it starts to encrypt the MFT table in NTFS partitions.

It spreads by enumerating all known server names via NetBIOS and also retrieves a list of DHCP leases. Each IP that has port 445 or 139 open is attacked.

What is the Petya ransomware?

The Petya ransomware, also known as Petwrap, is ransomware that works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one. Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

The current wave of Petya uses worm-like behaviour by exploiting ETERNALBLUE (also see the WannaCry advice) and CVE-2017-0199.

Note that according to Kaspersky this variant is not related to known versions of Petya, hence the name NotPetya.

No Internet worm

The spreading of the worm seems to be limited to the local network.

See https://community.rapid7.com/community/infosec/blog/2017/06/27/petya-ransomware-explained and https://blog.fox-it.com/2017/06/27/liveblog-huge-petya-ransomware-wave/. According to Fox-IT this is because it looks at the DHCP leases. This is confirmed by Kaspersky : The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked.

The local spreading means that there is another initial infection vector. According to Rapid7 this happened via the (normal) ransomware infection, a weaponized document that gets opened by a user. See further in the IOC list (.doc , .xls)?

WMIC and PSEXEC

Rumours are that Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers. You are advised to disable WMIC (or block it to IT admin networks only) https://msdn.microsoft.com/en-us/library/aa826517(v=vs.85).aspx. It dumps passwords and then uses PSEXEC and WMIC to move laterally.

Also see

According to Securelist, spreading can only happen on an infected system on the network possessing administrative credentials.

I applied MS17-010. I'm safe! - CVE-2017-0199

Some posts report that the ransomware is also using a client side vulnerability (CVE-2017-0199). Info on CVE-2017-0199 is available at https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/. A patch was made available in April-17 by Microsoft : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199. and https://support.microsoft.com/en-hk/help/3141538/description-of-the-security-update-for-office-2010-april-11-2017.

For CVE-2017-0199 : Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

Infection via CVE-2017-0199 is unconfirmed. It might be that one of the hosts sharing a sample was already infected with Loki ransomware.

Bitcoin address

Petya makes use of a Bitcoin address. You can monitor the number of payments via https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. Do not pay the ransom!

Killswitch

A number of posts report on a kill switch (UNCONFIRMED)

Placing a file c:\windows\myguy or c:\windows\perfc

Advice

  • Patch MS17-010 and CVE-2017-0199 (latter UNCONFIRMED if it applies to NotPetya)
  • Disable WMIC, or at least limit it from IT-admin networks only
  • Disable the execution of files named perfc.dat (according to Kaspersky)
  • Apply the killswitches (UNCONFIRMED)
  • Monitor (or block) office documents
  • Block and monitor the IPs listed in the IOC list
  • If you are infected, do not reboot! The encryption happens on power-up. Fix suggested by @MrAdz350: if you can boot to a Windows ISO prior to the first reboot you can use the bootrec tool to prevent MBR overwriting, as per https://neosmart.net/wiki/fix-mbr

Indicators of compromise

These IOCs have been made available via https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 and https://gist.githubusercontent.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759/raw/a5811d9371a3c07033d5c0fd23976d05cf86c8d8/Petya_ransomware.txt

Analysis

Samples are at

9-Jun-2017 : SambaCry is coming

Articles from Kaspersky and Cyphort on a crypto-miner targeting Linux hosts running vulnerable Samba servers. Patch Samba (4.6.4/4.5.10/4.4.14). Use your logs to observe exploitation attempts (write attempts for file consisting of 8 random symbols).

23-May-2017 : According to Costin Raiu, WannaCry itself did not support Windows XP

Individual machines could be infected - researchers and testers who put WannaCry on Windows XP systems likely ran it manually - but the worm-like attack code would not spread from an XP PC

22-May-2017 : WannaCry: Ransomware attacks show strong links to Lazarus group

According to Symantec : https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

  • After the first WannaCry in February : three pieces of malware linked to Lazarus were discovered on the victim's network;
  • Malware used to spread WannaCry in March & April is a modified version of malware linked to Lazarus;
  • Reuse of IP addresses for command and control, linked to Lazarus;
  • Similar code obfuscation techniques and shared code.
Note : IOCs added to https://www.botvrij.eu, get them through the OSINT feed in MISP.

OTX has another set of IOCs.

19-May-2017 : Updated Incident Response section - Decryption

Decryption possible for Windows XP to 7, including Windows 2003

19-May-2017 : WannaCry Exploit Now Being Used to Spread Spy Trojan

According to cyphort the vulnerability used by WannaCry (ETERNALBLUE) is now also used to spread a trojan.

17-May-2017 : Adylkuzz mining malware

Proofpoint published information on a cryptocurrency mining malware also making use of ETERNALBLUE/DOUBLEPULSAR. This malware predates (possible as early as 24-Apr) WannaCry.

16-May-2017 : OH LORDY! Comey Wanna Cry Edition

Shadow Brokers issued a statement. ETERNALBLUE was part of the exploit leading to WannaCry.


16-May-2017 : Jaff Ransomware is not WannaCry

Some researchers confuse the Jaff ransomware with WannaCry. Jaff is more a 'traditional' style ransomware, explained in detail by Talos http://blog.talosintelligence.com/2017/05/jaff-ransomware.html. It's not the same as WannaCry.

16-May-2017 : Added Attribution section

16-May-2017 : Update mutex creation : TearSt0pper

15-May-2017 : Uiwix, WannaCry strain

Uiwix has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used.

15-May-2017 : Another variant

Detected by VirusTotal b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06

  • www.ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf.com

15-May-2017 : Updated SMBv1 section

15-May-2017 : Updated anti-virus section

15-May-2017 : NMAP NSE script to detect vulnerable servers

14-May-2017 : Two new variants

Two new variants were found. See https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

  • One variant with a different kill switch ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [.] com
  • One variant without a kill switch; it drops a corrupted file but the spreading still works
  • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • www.ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf.com
  • ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf.com

Do not rely on these kill switches as a single line of defense. The behavior of the malware can easily be changed so that these kill switches are no longer relevant! Also, WannaCry is not proxy aware. If you are in a proxied environment they will not help unless you set up an RPZ.

  • PATCH!
  • PATCH!
  • Disable SMBv1
  • Network filtering (also internal)
  • Review backup procedures

Patch

The patch is out since March 2017. Your patch management process should apply patches rated as critical in a timely manner. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft also provided mitigation measures for unsupported systems.

Windows 10 and Windows Server 2016 are protected in their default configuration.


Why 'Just Patch It!' Isn't as Easy as You Think

An article posted on the Trend Micro blog on why 'Just Patch It!' Isn't as Easy as You Think.

Disable SMBv1

Disable SMBv1. This is described in a Microsoft document : https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

For example on Windows 8 you can do this in PowerShell:

  • First get an elevated prompt: Start-Process powershell -Verb runAs
  • Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false

Blocking legacy protocols is always recommended!

UPDATE According to WannaCry FAQ: What you need to know today : The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection ... disabling SMBv2 can cause problems

Filter tcp/139 (NetBIOS), tcp/445 (SMB) and tcp/3389 (RDP)

All systems exposed to the Internet should filter NetBIOS, SMB and RDP.

Do not assume that a corporate firewall is enough. Systems connecting through a VPN might be exposed to the Internet prior to starting the VPN. Also do not forget systems that are dual-homed. If one system is infected, introducing it later on the network is enough.

Internal network filtering

Use local host firewalling on all your systems. Not every system needs to have SMB and RDP available on the network!

Apply network segmentation.

If you run CIFS (a variant of SMB) you are also targeted.

So far for RDP it looks like it is used as an initial attack vector via brute force (guessing weak credentials). Once access is gained via RDP, WannaCry is deployed and can spread automatically.

Disconnect your backups and test your restore procedures

Do not forget that backup servers can be a target also. Make sure the backup retention period is enough.

Backups must be off-line (detached from network connectivity or system connectivity).

Use a dedicated backup solution that is not using SMB!

Do not block the kill switch domains

No you should not. When the malware is capable of reaching the kill-switch domain it will not further spread the malware. When you block this domain, it will continue spreading both internal and external and start encrypting your files.

Log network, system and service events so that you know what is going on

Centrally log the events of your servers and workstations so that you know what is going on. Combine this information with network events.

Use threat intelligence data / alerts on these events.

Setup internal WannaCry sinkhole website

The Wannacry ransomware is not proxy aware. This means that organizations that use a corporate proxy will not benefit from the kill switch. See https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/

The solution is to add the kill switch domains to an internal RPZ zone and redirect requests to an internal sinkhole. Note that the ransomware does expect an HTTP reply.

Scan and filter all mails with executable content

Note: no sample of the phishing e-mail that delivered the ransomware has been found (so far). Not sure about initial attack (maybe infected USB introduced on network?).

Disable macro scripts from Microsoft Office files transmitted via e-mail.

Good security practice.

Inform your employees

Repeat awareness campaigns!

Update your anti virus definitions

Update your anti virus definitions to prevent further infections. Anti virus definitions need time to include the new variants : do not rely on your anti virus / anti malware solution as the single line of defense.

UPDATE : It is important to note that anti-virus can potentially stop such attacks, even before researchers have seen a sample, ref. Modern Security Software not powerless against threats wannacry.

Create mutex that is used by WannaCry to prevent further inspection


A script has been developed by CCN that prevents the ransomware from starting to encrypt your files. It does this by creating the mutexes for which the ransomware checks. Note that the script needs to be run at every reboot: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND. Also see: https://twitter.com/EC3Europol/status/863492271911645184

Afterwards, you can check for the presence of the mutex with: handle -a | findstr MsWinZonesCacheCounterMutex. The Handle command can be downloaded from Sysinternals: https://download.sysinternals.com/files/Handle.zip

Further info on the mutexes is available at https://blog.didierstevens.com/2017/05/14/quickpost-wannacrys-mutex-is-mswinzonescachecountermutexa0-digit-zero-at-the-end/ and here https://twitter.com/craiu/status/863720216714518528.

There is an alternative tool (not tested) that accomplishes the same : https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip

UPDATE Another tool to create the mutexes, TearSt0pper.

Subscribe to threat intelligence feeds / community work

Subscribe to a threat intelligence feed to get early indicators and detection. See MISP platform

NSE Script to detect ms17-010

An NSE script for NMAP to detect MS17-010 was published: http://seclists.org/nmap-dev/2017/q2/79

Ransomware

A massive wave of ransomware that has all the characteristics of a worm. It utilises an exploit called ETERNALBLUE as well as leveraging a persistent backdoor known as DOUBLEPULSAR (both were part of the Shadow Brokers leak of NSA tools). ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol. Exploiting this vulnerability allows an attacker to execute code on the vulnerable host.

Microsoft patched this vulnerability in March, via MS17-010. Microsoft also released a patch for systems that were no longer under support.

The malware is persistent, meaning it will survive a system reboot!

Infection methods

Although there are claims that the infection happened via phishing e-mail, no sample of such a mail has been analyzed.

Unplug the infected machine from the network

Segment and isolate networks that have infected machines.

Limit SMB connections

Blocking SMB connections to your file servers will hugely affect your users, because they will no longer be able to access those servers. There is, however, no reason for your workstations not to filter incoming SMB connections; doing so will prevent further spreading.

Look for other signs of infection

  • Monitor the increase of SMB connections in your network to locate other sources of infection. You can use netflow or firewall logs to do this.
  • Monitor your proxy logs (set up alerting) for connections toward the kill switch domain or the .onion domains.
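As an added example (not part of the original page), the two checks above run over a few constructed proxy and netflow-style log lines: clients that reach the kill switch domain or a .onion host are reported, and a host opening TCP/445 flows to many distinct destinations (worm-like SMB probing) is flagged. The kill switch domain is a placeholder, not the real one, and the log formats are assumed.

```python
import re

# Constructed squid-like proxy log: timestamp client method url status
PROXY_LOG = """\
1494844800.123 10.0.5.17 GET http://intranet.example.local/index.html 200
1494844801.456 10.0.5.22 GET http://KILLSWITCH-DOMAIN-PLACEHOLDER.com/ 503
1494844802.789 10.0.5.22 CONNECT abcdefghijklmnop.onion:443 200
1494844803.001 10.0.5.40 GET http://updates.example.local/patch.msu 200
"""

# Constructed netflow-style records: src dst dport proto
# 10.0.5.17 and 10.0.5.40 only talk to the file server (normal);
# 10.0.5.22 opens SMB flows to many distinct hosts (worm-like).
NETFLOW = """\
10.0.5.17 10.0.5.250 445 tcp
10.0.5.22 10.0.5.1 445 tcp
10.0.5.22 10.0.5.2 445 tcp
10.0.5.22 10.0.5.3 445 tcp
10.0.5.22 10.0.5.4 445 tcp
10.0.5.40 10.0.5.250 445 tcp
10.0.5.22 10.0.5.250 80 tcp
"""

KILL_SWITCH = "killswitch-domain-placeholder.com"  # placeholder, not the real domain

def suspicious_proxy_clients(log_text):
    """Map client IP -> list of flagged hosts (kill switch domain or .onion)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        # strip scheme, path and port to get the bare host name
        host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
        if host == KILL_SWITCH or host.endswith(".onion"):
            hits.setdefault(client, []).append(host)
    return hits

def smb_scanners(flow_text, min_distinct_targets=3):
    """Map src IP -> number of distinct TCP/445 targets, for sources over the threshold."""
    targets = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        if proto == "tcp" and dport == "445":
            targets.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_distinct_targets}
```

Feed real proxy and flow exports in the same shape to the two functions to get a list of hosts worth isolating.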

Do not pay the ransom

Restore backups

Inform your local / national CERT

For Belgium : [email protected]

Recovery encrypted files

There may be a possibility to recover the encryption key (and hence recover the encrypted files) on Windows XP, if the machine was not rebooted after infection.

According to WannaCry - Decrypting files with WanaKiwi + Demos, the decryption works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2.

In order to decrypt the files it is important that

  • you did not reboot the machine
  • the memory that contained the prime numbers has not been reused

Do not delete the encrypted files yet, it might be possible that a decryption key may become available at some point in the future. There are however no guarantees that this will be possible.

Lazarus group

According to Kaspersky Lab there is strong evidence linking the WannaCry ransomware code to North Korea. There is a code overlap between WannaCry and a sample attributed to Lazarus in 2015. Note that the Lazarus group is believed to be responsible for the Sony wiper attack, the Bangladesh bank heist and the DarkSeoul operation. ... 'a false flag theory, although possible, is improbable.'

Manually linking payments with encryption

WannaCry uses only four individual bitcoin addresses. There is no automatic link between a payment and an encryption, meaning that the validation has to be a manual process. Most ransomware automates this process to provide a better 'service' to its victims. Also see the Wired article.

  • CIRCL info : https://circl.lu/pub/tr-41/
  • SANS info : https://www.renditioninfosec.com/2017/05/wanacrypt0r-malware-webcast-and-slides/
  • Microsoft info : https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • US CERT info : https://www.us-cert.gov/ncas/alerts/TA17-132A

A live map can be found here : https://intel.malwaretech.com/WannaCrypt.html

Create a mutex (manually) with PowerShell : $mtx = New-Object System.Threading.Mutex($false, 'TestMutex')

Maintained by cudeso


Two security companies, Kaspersky Lab and BitSight, have said their analysis of the malware shows that the majority of devices hit were actually running Windows 7. More than 97 per cent of the infected machines globally were running a version of the 7 operating system, Kaspersky Lab said.

Costin Raiu, the director of global research and analysis at Kaspersky, said the number of machines running Windows XP was 'insignificant' and Windows 7 x64 was the most infected version of the operating system.

Raiu told ArsTechnica UK that the infected Windows XP machines were likely manually infected by their owners for testing purposes.

The figures from Kaspersky are based on the machines its own software runs on; however, the claim that Windows 7 was the most infected operating system has been corroborated by security firm BitSight. The US-based firm told Reuters that it had analysed 160,000 computers and found that 67 per cent of infected machines were running Windows 7.

The ransomware, which demands a $300 Bitcoin payment, was first seen spreading around the internet in the middle of May and infected hundreds of thousands of machines around the world. The NHS was one of the largest organisations to be hit, with at least 40 hospitals in 24 NHS trusts impacted.

Before the analysis had taken place, the spread of the WannaCry ransomware was largely blamed on computers running Windows XP. Microsoft even went as far as to release a rare patch for Windows XP. Both operating systems are vastly outdated: Windows 7 was first released in 2009, while XP was released in 2001, and within the UK the government stopped paying for additional security support in 2015.

Subsequent inspection of the WannaCry ransomware by Malwarebytes found that it had spread through a worm, rather than via phishing emails as was originally expected.

'Our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports,' Malwarebytes wrote. '[It] then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware'.
