Threat Alert: WannaCry Ransomware Leverages a New Microsoft Vulnerability

If your Windows machines aren’t patched with the latest Microsoft updates, watch out for WannaCry Ransomware. This newer ransomware strain has taken the cyber world by storm in the past 48 hours.

Europol estimates over 200,000 machines in hospitals, universities, manufacturers, and governmental agencies in the UK, Russia, and China were hit with WannaCry ransomware. It’s expected to hop-scotch across the pond and wreak havoc in the U.S. as well.

The WannaCry attack is being touted as the worst ransomware outbreak ever. Organizations publicly impacted by WannaCry over the weekend include Britain’s national public health service, telecommunications company Telefonica, FedEx, and Russian government servers.

WannaCry Ransomware

WannaCry is a ransomware strain that surfaced about two weeks ago. It performs the typical ransomware functions of encrypting data files and holding them hostage until the victim pays a $300 ransom demand in Bitcoin. Apparently, once a machine is infected, the victim has six hours to pay before the ransom starts to increase.

Here is what the ransom screen looks like when a victim is hit with WannaCry:

Encrypted files will have ‘.WNCRY’ extension. Here’s an example of the ransom note in a text file presented to victims:

Security firm Avast, among other security experts, attribute the quick rise of WannaCry to an identified and patched vulnerability in the Microsoft’s Server Message Block (SMB) – ‘EternalBlue’ or MS17-010. SMB is a service Windows computers use for file-sharing and accessing printers across local networks.

Exploits against the SMB protocol are a nightmare for organizations because the file-sharing functionality allows the ransomware to infect any vulnerable machines connected to the network.

Microsoft issued a patch for this vulnerability in its monthly Patch Tuesday updates in March. You can find that security update and patch for Windows here.

Technical Analysis

US-CERT released the following technical details after analyzing the WannaCry ransomware:

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed  to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Decryptor Tool

In the past few days since the dust settled around the WannaCry attack, security researchers have released tools to help victims recover their files.

The decrypting tool to try is called WanaKiwi. Security expert Matt Suiche tested the tools and provides good guidance in his blog write up. Apparently, the tool will work for every version of Windows from XP to 7, including Windows 2003, Vista, 2008, and 2008 R2.

Suiche’s immediate advice to WannaCry victims: “DO NOT REBOOT your infected machines and TRY WanaKiwi ASAP!”

Suiche outlined the process with 3 simple steps:

  • Download WanaKiwi
  • WanaKiwi.exe will automatically look for the encrypted files
  • Cross your fingers the encryption keys are still in the computer’s memory and the tool works!

Attack Update

WannaCry is affecting organizations across all industries. It spread like the plague because of its worm-like features.

Fortunately, a British security researcher dubbed “MalwareTech” slowed the attack over the weekend (full write-up here). MalwareTech registered a domain used by the ransomware to check and verify it was installed on a legitimate machine. If the ransomware didn’t find the domain, it executed.

From MalwareTech:

“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis… because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware.”

In effect, registering the domain caused all new infections of WannaCry to think they were running in an anti-virus environment and simply quit.

MalwareTech notes the sinkholing tactic only prevents this specific ransomware strain. The ransomware group can remove the domain check and restart the attack. But for now, kudos to MalwareTech for halting the global infection.

Microsoft Guidance

Due to the Windows exploits leveraged in the WannaCry attacks, Microsoft issued a customer guidance highlighting the updates available.

Windows Defender received an update to detect the WannaCry threat as Ransom:Win32/WannaCrypt.

Microsoft did something rare and issued a security update for all customers to protect Windows machines no longer receiving mainstream support. This includes Windows XP, Windows 8, and Windows Server 2003.

Update links:

What to Do Now?

To prevent WannaCry ransomware from locking your computers and servers, apply the Microsoft patch released in March to all systems. Again, you can find that information in this security update.

Unfortunately, it won’t help machines that are already infected. In the event your machines have been hit, removing the malware and restoring from backups is the best option.

US-CERT provided steps to prevent WannaCry and related ransomware attacks:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users
  • Authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares
  • Test your backups to ensure they work correctly upon use
Print Friendly, PDF & Email