Latest information on WannaCrypt Ransomware (and How to Protect Against It)

Version 44

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.xLANDESK Endpoint Manager 2017.x

    WannaCrypt (also known as WanaDecrypt0r 2.0, WanaCry or Wcry) is an encryption-based ransomware attack, that started spreading globally on May 12th.

    The malware encrypts files on affected systems using AES and RSA encryption ciphers, meaning hackers can decrypt system files using a unique decryption key.

    WannaCrypt changes the computer's wallpaper with messages, asking the victim to download the decryptor from Dropbox and demanding hundreds in bitcoin to get their files back.

     

    Attack vector

     

    WannaCrypt uses multiple attack vectors:

     

    • The primary attack vector is distribution via e-mail. WannaCrypt uses social engineering or phishing techniques, relying on users to open and execute a malicious payload embedded within the e-mail. When opened by the user, the malware will install itself and start encrypting files immediately.
    • WannaCrypt will then try to spread within the network or over the internet, using exploit code for vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an SMBv1 server, aka "Windows SMB Remote Code Execution Vulnerability". This vulnerability is only present in the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.
    • All windows versions from Windows XP to Server 2016 are affected; all of these systems have SMBv1 enabled by default.  On May 13th, Microsoft released an emergency security patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.

     

    How to protect against WannaCrypt (and other) ransomware?

     

    • Make sure Anti-virus is Up-to-date: The majority of Anti-Virus vendors (including Ivanti Anti-Virus) are now able to detect this malware. Note that this is the primary attack vector of most types of ransomware, but it's not the only one used in the case of WannaCrypt. Variants of this malware are also likely to be discovered and this particular attack uses a vulnerability to spread internally, so anti-virus should only be considered as your primary layer of defense.
    • Keep your system Up-to-date: If you are using older, but supported versions of the Windows operating system, then keep your system up to date (If you are using LDMS / LDSS or Ivanti Endpoint Manager, see the Patch and Compliance landing page).
    • Unsupported versions of Windows (Windows XP, Vista, Windows 8, Server 2003 and 2008): Microsoft released an emergency patch which can be found here.
    • Beware of phishing: never open e-mail attachments from an untrusted sender or click on links within e-mails or documents without checking the source.
    • Regularly backup user data: create copies of all user data at regular times to prevent data loss, should a ransomware attack occur.
    • Enable Windows firewall: limit the spreading of ransomware within the corporate network by correctly configuring firewalls. Block access to SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and over UDP ports 137 and 138.
    • Block legacy protocols such as SMB v1: See the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Note: Windows XP only supported SMB v1).
    • Audit installed software and keep it up to date: malware often uses flaws in outdated software. Keep all installed software up to date, not only on end nodes but also in the data centre. Patch Manager will also detect vulnerabilities in many third-party software, other than the operating system.

     

    • Ivanti free 90 day offer: When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down.To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs.  Register for Ransomware Get Well Quick trial.

     

    Kill switch

     

    A cybersecurity researcher found a kill switch. When a pc gets the WannaCrypt ransomware, it tries to connect to a long domainname, which is hardcoded. Initially, this domainname didn't exist. The researcher found by accident that, by registering the domainname, infected machines stopped spreading the virus. Another variant of the malware has appeared with a different kill switch and there might be more to come.

     

    HOW TO USE:

     

    In order to prevent affected systems from spreading the ransomware, ensure that your systems can resolve the following domains in DNS and connect on TCP port 80 to:

     

    http://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

    http://www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

     

    Note that the virus is not proxy aware so a local DNS record may be required. These hostnames do not need to point to the internet, but can resolve to any accessible webserver within the network (effectively preventing a single point of infection on the network from spreading). IMPORTANT: Please note that new variants of the malware are likely to be discovered, with a different or no kill switch at all.

     

    Indicators of compromise

     

    WannaCrypt creates the following registry keys:

    • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"

     

    It will display a ransom message on the desktop wallpaper, by changing the following registry key:

    • HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"

     

    Files created in the malware's working directory:

    • %SystemRoot%\mssecsvc.exe
    • %SystemRoot%\tasksche.exe
    • %SystemRoot%\qeriuwjhrf
    • b.wnry
    • c.wnry
    • f.wnry
    • r.wnry
    • s.wnry
    • t.wnry
    • u.wnry
    • taskdl.exe
    • taskse.exe
    • 00000000.eky
    • 00000000.res
    • 00000000.pky
    • @WanaDecryptor@.exe
    • @Please_Read_Me@.txt
    • m.vbs
    • @WanaDecryptor@.exe.lnk
    • @WanaDecryptor@.bmp
    • 274901494632976.bat
    • taskdl.exe
    • Taskse.exe
    • Files with “.wnry” extension
    • Files with “.WNCRY” extension

     

    What if I'm compromised?

     

    Once ransomware has encrypted files, there is not much you can do. Sometimes, ransomware has been badly written and it has been possible - by reverse engineering their code - to find a way to decrypt the data.

    This does not seem to apply to WannaCrypt and we are unaware of a way to recover encrypted data at this time.

     

    One might ask if paying the ransom will really decrypt the files. Sometimes it will, but there is no guarantee.

    When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.

     

    Ivanti Product Specific Advice

     

    Ivanti Endpoint Security (formerly LANDESK Security Suite)

    UPDATE: Ivanti has released a Patch and Compliance definition update to detect and remediate this vulnerability for XP and Server 2003.  More information can be found here:
    https://community.ivanti.com/docs/DOC-47847

    • Current definitions in Patch and Compliance referencing MS17-010:

    • The above patches can be added to a custom group in order to provide an overview of the current status. To view additional information, right-click the group and select properties where you can view more information, including charts. Specific charts can also be added to the main Patch Manager dashboard for easy review.
      EternalBlueGroup.png
    • Example query to detect if a KB has been applied (note)

    Patch for Windows Server (formerly Shavlik Protect)

     

    Statement regarding Ivanti's Own Environment

    To date, Ivanti has not detected the WannaCrypt malware in our environment.

    In advance of the threat, we took the following proactive steps to fortify our environment against these types of threats:

    • We verified that our AV is installed, up to date, and active on client devices and servers, both internal and cloud / customer-facing.
    • We verified that appropriate patches from Microsoft and third parties are installed and correctly configured in a timely manner.
    • Where appropriate, we use Application Control for whitelisting, privilege management, and system monitoring.
    • We constantly educate our employees on the risks of phishing, monitoring our incoming emails.
    • We leverage third-party tools to actively monitor email for ransomware and other malicious URLs.
    • We leverage third-party tools to monitor infestation and proliferation of malware in our internal and customer-facing IT environments.

     

    Since this threat emerged, we have taken the following additional steps:

    • We have educated our staff about this particular threat and reinforced the importance of not opening files or clicking on links from unknown sources.
    • We have verified that our network infrastructure does not block access to the kill switch URL.
    • We have audited our environment against all the above measures.

     

    More information: Webinars

     

    Upcoming:

     

    Global Ransomware Attack: Latest Updates with our Security Panel

    May 17, 2017

    8AM PDT | 11AM EDT | 4PM BST | 5PM CET

    The attack continues to morph and grow - even since we finished our live updates on Monday. So, our security experts will host a discussion on the latest vulnerabilities and how to fix them during this LIVE security panel on Wednesday.

    (register)

     

    Recordings:

     

    LIVE Updates on the UK Ransomware Attack

    May 15, 2017

    Chris Goettl: Manager, Product Management, Security, Ivanti  |   Phil Richards: Chief Security Officer, Ivanti

    Simon Townsend: Chief Technologist, Ivanti  |   Matthew Walker: AVP EMEA Product Specialist, Ivanti

     

    Ransomware Update: New Threats, New Defenses

    September 14, 2016

    Stephen Brown, Director of Product Management, Ivanti

     

    Passive Protection Against Ransomware

    June 01, 2016

    Eran Livne, Principal Product Manager, Ivanti

    Ivanti free 90 day offer

    When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down.To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs.  Register for Ransomware Get Well Quick trial.

     

    Bookmark this page, we will add updates as they become available.