The WannaCry Alert - Stopping a Global Cyber Attack

16 May 2017

Revised-Edited by Bachir El Nakib, Senior Consultant, Compliance Alert (LLC) 

Criminal hacking groups have repurposed a second classified cyber weapon stolen from US spies and have made it available on the so-called dark web after the success of the WannaCry attack that swept across the globe on Friday.

The hacking tool, developed by the US National Security Agency and codenamed EsteemAudit, has been adapted and is now available for criminal use, according to security analysts.


Ransomware in its current form -- most notably WannaCry/WannaCrypt -- is a Windows-specific form of malware. It's designed to target the Windows operating system and the files contained therein, so it's not a threat to mobile OSes like Android and iOS. That said, you should always exercise the same cautions when it comes to suspicious links in emails and on websites: When in doubt, don't tap.

If you're using a cloud-backup tool like Carbonite, you may be able to recover all your WannaCry-encrypted files by accessing earlier versions of them. And cloud-storage service Dropbox keeps snapshots of all changes made to files in the past 30 days. This is a very good time to investigate whether your online backup or storage provider does indeed keep rollback versions of your files, just so you know whether you have an option other than paying the ransom!

What does WannaCry do?

The ransomware encrypts most of the user files on a Windows PC with virtually unbreakable encryption. A message is posted on the computer's screen informing the user that he must pay a ransom — usually about $300 — in the online cryptocurrency Bitcoin. Two countdown clocks on the screen tell the user how much time remains before the ransom is doubled (usually 3 days), and how much time remains before the encrypted files are deleted altogether (usually a week).

However, Windows PCs running Windows Vista, Windows 7, Windows 8.1 and Windows 10 that have installed Microsoft's system updates since March should be immune to WannaCry infection, at least for now. Late Friday, Microsoft took the extraordinary step of releasing patches against WannaCry for Windows XP and Windows 8, neither of which is still supported.

WannaCry does not infect computers running macOS/Mac OS X or Linux. However, it can infect computers that are running Windows in emulation software or virtual machines, and Macs that can boot into Windows.


Where did WannaCry come from?

We don't yet know. This is actually the second variant of the WannaCry malware. The first appeared a few months ago and spread via phishing emails, which require the recipient of the email to open an attachment before the malware can try to infect a computer. 

This new version spreads much faster. It incorporates ETERNALBLUE, a software exploit (a method of punching through a piece of software's security) that was developed years ago by the U.S. National Security Agency (NSA). In April, a group called the ShadowBrokers posted the source code for ETERNALBLUE and several other NSA tools online for anyone to see and use.

On Friday, a hacktivist group called SpamTech claimed responsibility for the attack, but without offering proof. For now, that claim is not being taken seriously.

UPDATE: Slight but significant clues have established a possible North Korean link to WannaCry.

Google researcher Neel Mehta cryptically tweeted out two file signatures Monday. One was for WannaCry; the other was for Contopee, malware used in an attack in February 2016 on the central bank of Bangladesh that netted $81 million for the attackers.

Matthieu Suiche, a French security researcher based in Dubai, followed Mehta's lead and quickly showed striking similarities between Contopee and an early variant of WannaCry, found in February 2017, that did not use the ETERNALBLUE exploit. Russian antivirus firm Kaspersky Lab also noted the similarities.

Crucially, Contopee has been tied to the Lazarus Group, the attackers who nearly destroyed the computer systems of Sony Pictures Entertainment in September 2014. And most security researchers, as well as the U.S. government, have blamed North Korea for that attack.

Kaspersky admits that the similarities may be part of a "false flag" attack aimed at pinning blame on North Korea. Claudio Guarnieri, an Italian security researcher based in Berlin, admits that there are similarities between the two strains of malware, but also that "this type of code is widely available and the basis might be reused or acquired."

How does WannaCry work?

Once inside a business or organization's network, WannaCry uses the ETERNALBLUE exploit to leverage a flaw in Microsoft's Server Message Block (SMB) protocol. It will spread to any connected Windows PC that has not been updated to guard against ETERNALBLUE. Once it lands on a vulnerable system, it encrypts office, image, movie, database and email files, and demands a ransom of at least $300.

Ransomware like WannaCry works by encrypting most or even all of the files on a user’s computer. The software then demands that a ransom be paid in order to have the files decrypted. In the case of WannaCry specifically, the software demands that the victim pay a ransom of $300 in bitcoins at the time of infection. If the user doesn’t pay the ransom within three days, the amount doubles to $600. After seven days without payment, WannaCry will delete all of the encrypted files and all data will be lost.

Per Symantec, here is a full list of the filetypes that are targeted and encrypted by WannaCry:

  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

As you can see, the ransomware covers nearly any important file type a user might have on his or her computer. It also installs a text file on the user’s desktop with the following ransom note:


The attack exploits a vulnerability in older Windows operating systems, namely:

  • Windows 8
  • Windows XP
  • Windows Server 2003

If you're using a more recent version of Windows -- and you've stayed up to date on your system updates -- you should not be vulnerable to the current iteration of the WannaCry ransomware:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

But the reverse applies, too: If you haven't been keeping those newer versions of Windows updated, you'll be just as vulnerable until and unless you do.

If you're using MacOS, ChromeOS or Linux -- or mobile operating systems like iOS and Android -- you don't have to worry about this particular threat.

If you're using one of the newer versions of Windows listed above (10/8.1/7, etc.) and you've kept your PC up-to-date with automatic updates, you should've received the fix back in March.

In the wake of WannaCry, Microsoft issued rare patches on the older versions of Windows it no longer formally supports to protect against this malware. Here's where you can download these security updates:

  • Windows 8 x86
  • Windows 8 x64
  • Windows XP SP2 x64
  • Windows XP SP3 x86
  • Windows XP Embedded SP3 x86
  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 x86

The full download page for all Windows versions is available here.

Turn Windows Update on if it's disabled

It's not uncommon for people to disable Microsoft's automatic updates, especially because earlier iterations had a tendency to auto-install even if you were in the middle of work. Microsoft has largely fixed that issue with the current version of Windows 10 (the recent Creators Update). If you have disabled automatic updates, head back into Control Panel in Windows, turn them back on and leave them on.

Install a dedicated ransomware blocker

Don't assume that your current antivirus utility -- if you're using one at all -- offers protection against ransomware, especially if it's an outdated version. Many of the big suites didn't add ransomware blocking until recently.

Not sure if you're protected? Dive into your utility's settings and see if there's any mention of ransomware. Or, do some web searching for the specific version of your product and see if it's listed among the features.

If it's not, or you're pretty sure you don't have any kind of safeguard beyond your patched version of Windows, install a dedicated anti-ransomware utility. Two free options: Cybereason Ransomfree and Malwarebytes Anti-Ransomware (currently in beta).

Block port 445 for extra safety

MalwareTech, whose security analyst on Friday briefly slowed the worldwide spread of the WannaCry ransomware, posted to Twitter that blocking TCP port 445 could help mitigate the vulnerability if you haven't patched your OS yet.
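The following PowerShell script is an added example, not part of the original article, showing how a user of Windows 8.1/10 or Server 2012 and later can apply the port 445 block described above and check the two other points this page raises (the firewall being switched on and Windows Update being enabled). It assumes an elevated prompt, the built-in NetSecurity module, a rule name of our own choosing, and the default Windows Firewall log path with logging of dropped packets enabled; older systems such as XP and Server 2003 lack these cmdlets and need the Windows Firewall control panel instead.

```powershell
# Added example (not from the original article): block inbound SMB on TCP 445
# as a stopgap until the March 2017 Windows updates are installed, then verify.
# Assumes an elevated PowerShell 5 prompt on Windows 8.1/10 or Server 2012+.

$ruleName = 'Block inbound SMB TCP 445 (WannaCry mitigation)'   # arbitrary name

# 1. Create the inbound block rule once; re-running the script is safe.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "Firewall rule already present: $ruleName"
}

# 2. A block rule in a disabled firewall profile does nothing, so turn on
#    every profile (Domain, Private, Public) that is currently off.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "Firewall profile '$($_.Name)' is disabled; enabling it."
    Set-NetFirewallProfile -Name $_.Name -Enabled True
}

# 3. Show that SMB is still listening locally (it is, by default) so the
#    reader understands the rule blocks traffic rather than the service.
if (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue) {
    Write-Host 'SMB is listening on TCP 445; inbound connections are now blocked.'
}

# 4. The rule is only a stopgap: warn if Windows Update has been disabled.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') {
    Write-Warning 'Windows Update (wuauserv) is disabled; re-enable it and install the March 2017 updates.'
}

# 5. Count dropped inbound TCP/445 attempts per source address in the
#    firewall log. Log field order: date time action proto src dst sport dport ...
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $logPath) {
    $hits = Select-String -Path $logPath -Pattern '^\S+ \S+ DROP TCP \S+ \S+ \d+ 445 ' |
        ForEach-Object { ($_.Line -split ' ')[4] } |
        Group-Object | Sort-Object Count -Descending
    if ($hits) {
        Write-Host 'Dropped inbound TCP/445 attempts by source address:'
        $hits | Select-Object -First 10 |
            ForEach-Object { Write-Host ('  {0,-15} {1}' -f $_.Name, $_.Count) }
    } else {
        Write-Host 'No dropped TCP/445 attempts recorded in the firewall log.'
    }
}
```

A steady stream of dropped 445 attempts from one internal address is the pattern the SMB-spreading behaviour described above would leave, and is worth isolating and patching that machine first.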

Sources:

http://bgr.com/2017/05/15/wanna-cry-ransomware-virus-windows-wannacry-explainer/

https://www.cnet.com/how-to/wannacry-ransomware-how-to-protect-your-pc/