Within the last couple of hours the world has tasted the flavour of an enormous ransomware attack (and it is still ongoing). NSA's ETERNALBLUE exploit appears to be the primary culprit; it was originally devised to leverage a Microsoft Windows SMB vulnerability (addressed in MS17-010). The creators of WannaCry have integrated this critical exploit into the worm module (initial dropper), thus taking advantage of vulnerable instances of the SMB protocol to propagate. Further, the ransomware was also observed making use of NSA's DOUBLEPULSAR backdoor.
About WannaCry
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue (MS17-010) exploit to propagate.
- Ransom: Between $300 to $600.
- Backdoor: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor.
Affected Products
- All Windows versions before Windows 10 are vulnerable if not patched for MS17-010.
- Windows XP and Windows Vista users are completely vulnerable, as both these operating systems no longer receive updates and security patches.
- Refer to the CVEs listed in IOCs - WANNACRY RANSOMWARE.xlsx
File types
- The file types it looks for to encrypt are:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb
How does it impact me?
Once the initial worm module is introduced to a system, it creates two threads. The first thread scans hosts on the LAN, whereas the second thread is created 128 times and scans hosts on the wider Internet. The LAN-based scanning is done over port 445, and the worm attempts to exploit the discovered systems using MS17-010/ETERNALBLUE. The second thread scans the Internet by generating random IP addresses. If a connection to port 445 on such a random IP address succeeds, the entire /24 range is scanned, and wherever port 445 is found open, exploit attempts are made.
Therefore, if the target network has the vulnerability unpatched, there is a high chance that it will get affected.
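As an added illustration of the propagation pattern described above (not code from the advisory or from Paladion), the following Python checks firewall-style connection logs for a host fanning out to many distinct destinations on TCP/445 and sweeping whole /24 ranges; the log format, hosts and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall-style log lines (not from the advisory): "<ts> <src> <dst> <dport> <action>".
# 10.0.1.15 behaves like the worm: a LAN sweep on 445, then a /24 sweep around an Internet hit.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445 DENY
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 DENY
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 198.51.100.9 445 ALLOW
2017-05-12T10:00:04 10.0.1.15 198.51.100.10 445 DENY
2017-05-12T10:00:04 10.0.1.15 198.51.100.11 445 DENY
2017-05-12T10:00:05 10.0.1.15 198.51.100.12 445 DENY
2017-05-12T10:00:06 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:07 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:08 10.0.1.41 10.0.1.9 443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_smb_targets(log_text):
    """Map each source IP to the set of distinct destinations it touched on TCP/445.
    DENY lines count too: a worm probing a closed port still generates the attempt."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, src, dst, dport, _action = m.groups()
        if int(dport) == 445:
            targets[src].add(ip_address(dst))
    return targets

def find_smb_sweepers(log_text, min_total=8, min_per_24=4):
    """Flag sources that touch many distinct hosts on 445 and list the /24s they swept.
    The thresholds are assumptions for this example; tune them to the environment's normal SMB fan-out."""
    findings = {}
    for src, dsts in parse_smb_targets(log_text).items():
        if len(dsts) < min_total:
            continue
        per_24 = defaultdict(int)
        for dst in dsts:
            per_24[ip_network(f"{dst}/24", strict=False)] += 1
        swept = sorted(str(net) for net, count in per_24.items() if count >= min_per_24)
        findings[src] = {"distinct_445_targets": len(dsts), "swept_24s": swept}
    return findings
```

On the constructed sample, only 10.0.1.15 is flagged, with both the LAN /24 and the Internet /24 reported as swept; the two benign hosts are ignored.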
How can this be prevented?
It was really surprising to see that even a month after the disclosure of such critical exploits/vulnerabilities, so many systems were still unpatched. Nonetheless, to protect against this ongoing mass exploitation and propagation, one can do the following:
1. Install all available OS updates to prevent the systems from being exploited.
2. Manually disable SMBv1 via a modification to the Windows Registry. The required steps are as follows:
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Look for the value: SMB1 (create it as a REG_DWORD if it does not exist)
- Modify the data: REG_DWORD: 0 = Disabled (a restart is required for the change to take effect)
3. Restrict inbound traffic to SMB ports (139, 445) that are publicly accessible / open to the Internet.
4. Block the IPs, domains and hash values involved in spreading this malware. Please refer to the attachment IOCs - WANNACRY RANSOMWARE.xlsx for details.
5. Implement endpoint security solutions. The 'AV Signature Name' section of IOCs - WANNACRY RANSOMWARE.xlsx lists the relevant detection names.
6. Keep an offline backup of critical data on desktops and servers.
7. Organisations should block connections to TOR nodes and TOR traffic on the network (see IOCs - WANNACRY RANSOMWARE.xlsx).
Paladion SOC's take on this?
Paladion SOC has updated the hash values, domains and IP addresses in the SOC monitoring tool. The respective stakeholders will be notified if any traffic related to this threat is noticed.
Outgoing, incoming and email traffic for the last seven days has been checked against the enclosed indicators. No positive matches were noted.
What action should the Bank/User/Customer take?
Install all critical patches.
Review any traffic towards ports 139, 445. Block if not required.
It is highly recommended that the provided list of threat indicators (IOCs - WANNACRY RANSOMWARE.xlsx) be blocked immediately at perimeter devices such as the firewall, proxy and Email Security Gateway. However, kindly note:
You shall act upon this advisory/IOC list at your own discretion, after conducting a risk analysis in your specific environment.
The advisory/IOC list is time sensitive in nature and may be superseded by subsequent updates from our side as new information on the threats is received.