WannaCry FAQ

What Happened?

  • On Friday May 12th 2017, several organisations were affected by a new Ransomware strain.
  • The Ransomware was very successful in part because it used an SMB vulnerability to spread inside networks.
  • The vulnerability was patched by Microsoft in March for supported versions of Windows.
  • The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools.
  • Variants have been seen spreading Saturday/Sunday.

How many infections?

  • Several large organisations world wide are known to be affected.
  • No obvious targeting. The organisations are from various countries and appear not to be related.
  • While large enterprises made the news, small business users and home users may be affected as well.
  • Estimated > 200,000 victims according to various anti-virus vendors.

How do systems get infected?

  • E-Mail: Some organisations suggest that the initial infection originated from e-mail attachments, but little is known about the e-mails. It is quite possible that other malware was confused with WannaCry.
  • SMB: Affected organisations may have had vulnerable systems exposed via port 445.
  • Up to now, affected organisations have not shared a lot of proof to show how the initial infection happened.

What happens to the victim?

  • Files with specific extensions will be encrypted.
  • The victim will see a ransom message asking for approx. $300. The ransom demand will increase to $600 after 3 days. After 7 days, the files may no longer be recoverable.
  • The ransomware will also install a backdoor to access the system remotely via port 445 (DoublePulsar, also part of the NSA tool set).

How to Prevent Infection: Patch

  • Newer Windows Versions (Windows Vista, 7-10, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March.
  • Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday.
  • Confirm that the patch is installed.

Other Mitigating Controls

  • Segment the network.
  • Prevent internal spreading via port 445 and RDP.
  • Block port 445 at the perimeter.
  • Disable SMBv1.
  • Implement internal “kill switch” domains; do not block the kill-switch domains.
  • Set the registry entry that prevents infection (see Kill Switch below).
  • At least one additional variant of the malware was seen this weekend. It uses a different “kill switch”.

Detect Affected Systems

  • Systems that are infected by WannaCry will try to connect to a specific domain.
  • Encrypted files will have the “wncry” extension.
  • Systems will scan internally for port 445.
  • Ransom message will be displayed.
  • In addition, infected systems will reach out to sites for crypto keys.
  • Anti-Malware has signatures now for WannaCry.
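The detection signals listed above (a host scanning internally for port 445, and a host reaching out to a kill-switch domain) applied to firewall log lines, as an added example that is not part of the original FAQ. The log line format, the sample log and the kill-switch domain name are assumptions.

```python
"""Flag WannaCry-style behaviour in firewall/proxy log lines (added example).
Two signals described in the FAQ are checked:
  1. one source connecting to many distinct hosts on TCP/445 (SMB scanning)
  2. any connection to a kill-switch domain (here an assumed internal one)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: placeholder for an internally registered kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch.internal.example"}
SCAN_THRESHOLD = 20            # distinct 445 destinations from one source ...
WINDOW = timedelta(minutes=1)  # ... within this time window counts as a scan

# Constructed sample log. Assumed format:
#   "<ISO timestamp> <src> -> <dst>:<port> [<hostname, optional>]"
SAMPLE_LOG = [f"2017-05-12T10:00:{i:02d} 10.0.0.5 -> 10.0.1.{i}:445" for i in range(25)] + [
    "2017-05-12T10:00:30 10.0.0.7 -> 10.0.1.9:445",           # one SMB connection: benign
    "2017-05-12T10:00:31 10.0.0.7 -> 10.0.2.8:3389",          # RDP, not counted
    "2017-05-12T10:00:32 10.0.0.9 -> 93.184.216.34:80 [killswitch.internal.example]",
]

def parse_line(line):
    """Return (timestamp, src, dst, port, hostname-or-None) for one log line."""
    ts, src, _, dst_port, *rest = line.split()
    dst, port = dst_port.rsplit(":", 1)
    host = rest[0].strip("[]") if rest else None
    return datetime.fromisoformat(ts), src, dst, int(port), host

def analyse(lines):
    """Return a list of (alert_type, src, detail) tuples."""
    alerts = []
    smb_hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        ts, src, dst, port, host = parse_line(line)
        if host and host.lower() in KILL_SWITCH_DOMAINS:
            alerts.append(("kill-switch-contact", src, host))
        if port == 445:
            smb_hits[src].append((ts, dst))
    for src, hits in smb_hits.items():
        hits.sort()
        # Sliding window: count distinct 445 destinations starting at each hit.
        for i, (t0, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - t0 <= WINDOW}
            if len(dsts) >= SCAN_THRESHOLD:
                alerts.append(("smb-scan", src, len(dsts)))
                break
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```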

Ransom Note

Cleaning Up Infected Systems

  • Anti-Malware vendors are offering removal tools – ok for personal use.
  • Removal tools will remove the malware, but will not recover encrypted files. Make a copy in case a decryptor becomes available.
  • WannaCry will install a backdoor that could be used to compromise the system further – for UO-owned devices, wipe and reinstall.
  • Note that not all files with the .wncry extension are encrypted. Some may still be readable.

Kill Switch

  • The malware will not run if it can access a specific website.
  • This web site has been registered to stop the spread of the malware.
  • But proxies may prevent connections. An internal website may be more reliable and allows detecting infections.
  • A registry entry was found that will prevent infection as well, and a tool was released to set the entry.
  • Future versions will likely remove these kill switches or change the name of the registry entry.

Will Paying the Ransom Help Us?

  • There is no public report from victims who paid the ransom.
  • About a hundred victims paid so far.
  • The unlock code is transmitted in a manual process: the victim has to contact the person behind the ransomware, who then sends the unlock code.
  • Due to the law enforcement and public attention, it is possible that the individual(s) behind this malware will disappear and not release unlock codes in the future.

Attribution

Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.