A new ransomware attack has very recently caught many organizations and users off guard. The ransomware, WannaCry, has infected systems across the globe and has been the topic of discussion among security professionals for several days now.
New infections have, for the moment, been stopped by an accidental hero, "MalwareTech", who activated the kill switch found after reverse engineering the malware. Security experts believe, however, that a new variant with no kill switch could be launched very soon, and the only reliable way to prevent the malware from infecting systems is to patch your vulnerable systems as early as you can.
Some WannaCry-related facts and information:
- Infects all Windows versions below Windows 10. No infections have been detected so far on Mac, iOS or Linux machines.
- There are two key components of the WannaCrypt malware:
  - a worm component
  - a ransomware package
- The worm component spreads laterally by exploiting a vulnerability in the Server Message Block (SMB) implementation in Windows systems.
- The exploit is also known as EternalBlue and DoublePulsar, a leaked NSA exploit.
- The ransomware is also seen spreading through malicious email attachments.
- A ransom of between $300 and $600 is demanded, payable in Bitcoin.
- The malware has a kill switch:
  - If the following websites are up, the malware exits instead of infecting the host:
  - www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  - www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com (source: FireEye blog)
  - www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com (source: FireEye blog)
  - The kill-switch domain is already sinkholed, stopping the spread of the worm.
  - However, organizations that use proxies will not benefit from the kill switch, as WannaCry is not proxy aware: its check never reaches the domain through the proxy, so the malware treats the domain as down and proceeds to infect the host.
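The proxy caveat above is easy to verify per host. The following PowerShell script is an added example (not from the original post) that tests whether a host could reach the kill-switch domain the way the malware does, directly and ignoring any configured proxy. A plain TCP connect to port 80 stands in for the malware's HTTP request, which is an approximation; the domain is the first one listed above, and the function name and output fields are my own.

```powershell
# Added example, not from the original post: tests whether this host could
# reach the kill-switch domain the way the malware does, i.e. directly,
# ignoring any configured proxy. A TCP connect to port 80 stands in for the
# malware's HTTP request (an approximation). Domain taken from the post above.
$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Test-KillSwitchReachability {
    param([string]$Domain = $KillSwitchDomain, [int]$TimeoutMs = 3000)

    # Is a proxy configured for this user? Informational only: the malware ignores it.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $proxyConfigured = ($null -ne $ie -and $ie.ProxyEnable -eq 1)

    # Step 1: does the name resolve from this host's resolver at all?
    $dnsResolves = $false
    try { $null = [System.Net.Dns]::GetHostAddresses($Domain); $dnsResolves = $true } catch { }

    # Step 2: direct TCP connect to port 80, no proxy, bounded wait
    $directTcp80 = $false
    if ($dnsResolves) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($Domain, 80, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $directTcp80 = $true }
        } catch { } finally { $client.Close() }
    }

    if ($directTcp80) {
        $verdict = 'Kill-switch domain reachable directly: the sinkhole would stop this sample on this host.'
    } else {
        $verdict = 'Kill-switch domain NOT reachable directly (proxy-only egress or DNS blocked): do not rely on it; patch MS17-010.'
    }

    [pscustomobject]@{
        Domain          = $Domain
        ProxyConfigured = $proxyConfigured
        DnsResolves     = $dnsResolves
        DirectTcp80     = $directTcp80
        Verdict         = $verdict
    }
}

Test-KillSwitchReachability | Format-List
```

A host that reports ProxyConfigured = True and DirectTcp80 = False is exactly the case the post warns about: the user's browser gets out through the proxy, but the malware's direct request would fail and the kill switch would not fire.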
You know you are compromised if you see something like this on your screen:
Indicators of compromise
- The ransomware writes itself into a randomly named folder under 'ProgramData' with the file name "tasksche.exe", or into the 'C:\Windows\' folder with the file names "mssecsvc.exe" and "tasksche.exe".
- The ransomware grants Everyone full access to all files (recursively, from its working directory) using the command:
  - Icacls . /grant Everyone:F /T /C /Q
- The ransomware uses a batch script such as the following for its operations:
  - 176641494574290.bat
- Indicators of compromise from AlienVault OTX
- Indicators of compromise from US-CERT
- Indicators of compromise from CERT-In
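The file and command-line indicators above can be checked on a single host with the following PowerShell script, an added example that is not part of the original post or of any vendor's IoC feed. It is read-only. It assumes an elevated PowerShell 3.0 or later; the command-line check looks in the Sysmon operational log (event ID 1) and the Security log (event 4688, which only carries the command line when command-line auditing is enabled), and simply finds nothing if those logs are absent. Function names are my own.

```powershell
# Added example, not from the original post: a read-only hunt for the
# file and command-line indicators listed above on a single Windows host.
# Assumptions: run from an elevated PowerShell 3.0 or later; Sysmon event ID 1
# (ProcessCreate) and Security event 4688 with command-line auditing are
# optional, so the command-line check is best-effort.

$IocFileNames = @('tasksche.exe', 'mssecsvc.exe')

function Find-WannaCryFileIocs {
    # C:\Windows\mssecsvc.exe and C:\Windows\tasksche.exe
    $candidates = @(foreach ($n in $IocFileNames) { Join-Path $env:SystemRoot $n })
    # ProgramData\<random characters>\tasksche.exe: one directory level down
    $candidates += @(Get-ChildItem -Path $env:ProgramData -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'tasksche.exe' })
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p | Select-Object FullName, Length, CreationTime
        }
    }
}

function Find-SuspiciousBatchFiles {
    # The post reports an all-digit batch name (176641494574290.bat) next to the payload
    Get-ChildItem -Path "$env:ProgramData\*\*.bat", "$env:SystemRoot\*.bat" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        Select-Object FullName, Length, CreationTime
}

function Find-IcaclsGrantEveryone {
    # The post reports the malware running: icacls . /grant Everyone:F /T /C /Q
    $pattern = 'icacls\s+\.\s+/grant\s+Everyone:F'
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
        @{ LogName = 'Security'; Id = 4688 }
    )
    foreach ($filter in $sources) {
        try { $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction Stop }
        catch { $events = @() }   # log absent or no matching events
        foreach ($e in $events) {
            [xml]$x = $e.ToXml()
            $cmd = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -and $cmd -match $pattern) {
                [pscustomobject]@{ Time = $e.TimeCreated; Log = $filter.LogName; CommandLine = $cmd }
            }
        }
    }
}

$hits = @(Find-WannaCryFileIocs) + @(Find-SuspiciousBatchFiles) + @(Find-IcaclsGrantEveryone)
if ($hits.Count -eq 0) {
    'No WannaCry file or command-line indicators found on this host.'
} else {
    'WARNING: WannaCry indicators found. Isolate this host from the network and escalate.'
    $hits | Format-List
}
```

File-name and command-line matches are reasonably specific, but treat any hit as a reason to isolate the host and pull a full triage image rather than as proof on its own; legitimate software does occasionally run icacls, so the Everyone:F grant on "." is the distinguishing part of the pattern.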
Prevention methods:
- Patch your Windows systems as described in Microsoft Security Bulletin MS17-010 as early as possible. Patches have been available since March 2017.
- For unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008, Microsoft has released patches specifically because of this ransomware. Patches can be found here:
- Organizations must keep offline backups of their critical data.
- Disable SMBv1, or block the SMB ports on your enterprise edge/perimeter network devices.
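The last prevention step can be checked and applied per host with the following PowerShell, an added example that is not from the original post or from Microsoft. It disables SMBv1 on the server side, verifies the state before and after, and adds a host firewall rule for the SMB ports as a complement to the perimeter block the post recommends. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later for Set-SmbServerConfiguration and New-NetFirewallRule, with the LanmanServer registry value used as the fallback for Windows 7 / Server 2008 R2; the rule names and function names are my own. None of this replaces installing the MS17-010 patch.

```powershell
# Added example, not from the original post: verifies and applies the two
# host-side mitigations above (disable SMBv1; block SMB ports) on one host.
# Run from an elevated PowerShell. This does not replace patching MS17-010.
# Assumptions: Windows 8 / Server 2012 or later for Set-SmbServerConfiguration
# and New-NetFirewallRule; the registry branch covers Windows 7 / 2008 R2.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts: SMB1 is on unless the registry value is explicitly 0
        $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        if ($null -eq $v) { $true } else { [bool]$v }
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for Windows 7 / Server 2008 R2; takes effect after a reboot
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Also remove the optional feature where it exists (client SKUs, Windows 8.1 and later)
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Host firewall rules for the SMB ports, complementing the perimeter block
    # the post recommends. Do not apply on hosts that must serve file shares.
    foreach ($port in 445, 139) {
        $name = "Block inbound SMB TCP $port (WannaCry mitigation)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $port -Action Block | Out-Null
        }
    }
}

"SMB1 enabled before: $(Get-Smb1State)"
Disable-Smb1
Block-InboundSmb
"SMB1 enabled after:  $(Get-Smb1State)"
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' | Select-Object DisplayName, Enabled, Action
```

Disabling SMBv1 breaks access from and to clients that speak nothing newer (Windows XP, old printers and NAS devices), so inventory those dependencies first; the host firewall rules are the safer first step on workstations, which rarely need to accept inbound SMB at all.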