Latest information on WannaCrypt Ransomware (and How to Protect Against It)

Version 1

    Details

    WannaCrypt (also known as WanaCrypt0r 2.0, WanaCry or Wcry) is an encryption-based ransomware attack that started spreading globally on May 12th.

    The malware encrypts files on affected systems using the AES and RSA ciphers, meaning that only the attackers, who hold the unique decryption key, can decrypt the files.

    WannaCrypt replaces the computer's wallpaper with a ransom message, telling the victim to download the decryptor from Dropbox and demanding a payment of hundreds in bitcoin to get their files back.

    Attack vector

    WannaCrypt uses multiple attack vectors:

    • The primary attack vector is distribution via e-mail. WannaCrypt uses social engineering or phishing techniques, relying on users to open and execute a malicious payload embedded within the e-mail. When opened by the user, the malware will install itself and start encrypting files immediately.

    • WannaCrypt will then try to spread within the network or over the Internet, using exploit code for vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an SMBv1 server, aka "Windows SMB Remote Code Execution Vulnerability". This vulnerability is only present in the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.

    • All Windows versions from Windows XP to Server 2016 are affected; all of these systems have SMBv1 enabled by default. Windows 10 is not affected. On May 13th, Microsoft released an emergency security patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 editions.

    How to protect against WannaCrypt (and other) ransomware?

    • Keep your system up to date: if you are using older but still supported versions of the Windows operating system, keep the system fully patched (if you are using LDMS / LDSS or Ivanti Endpoint Manager, see the Patch and Compliance landing page).
    • Unsupported versions of Windows (Windows XP, Vista, Windows 8, Server 2003 and 2008): Microsoft released an emergency patch, which can be found here.
    UPDATE: Ivanti has released a Patch and Compliance definition update to detect and remediate this vulnerability for XP and Server 2003. More information can be found here:
    https://community.ivanti.com/docs/DOC-47847

    • New in LDMS 2016: Endpoint Security protects against Master Boot Record modification and crypto-ransomware. More information about these new features can be found here.
    • Beware of phishing: never open e-mail attachments from an untrusted sender, and never click on links within e-mails or documents without checking the source. Ivanti Anti-Virus can also scan incoming e-mail.
    • Regularly back up user data: create copies of all user data at regular intervals so that data is not lost should a ransomware attack occur.
    • Enable the Windows firewall: limit the spread of ransomware within the corporate network by configuring firewalls correctly. Block access to the SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and on UDP ports 137 and 138.
    • Block legacy protocols such as SMB v1: see the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (note: Windows XP only supports SMB v1).
    • Audit installed software and keep it up to date: malware often exploits flaws in outdated software. Keep all installed software up to date, not only on end nodes but also in the data centre. Patch Manager will also detect vulnerabilities in much third-party software, not only in the operating system.

    Indicators of compromise

    WannaCrypt creates the following registry keys:

    • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"
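    To turn the hardening bullets above (disable or firewall SMBv1) and the registry indicators just listed into a check that can be run across an estate, here is an added, read-only PowerShell audit script written for this edit; it is not part of the Ivanti article. It assumes Get-SmbServerConfiguration is available (Windows 8 / Server 2012 or later) and falls back to the LanmanServer "SMB1" registry value that Microsoft documents as the SMBv1 switch on older systems; the function names are my own.

```powershell
# Added audit script written for this edit; it is not from the Ivanti article.
# Read-only: reports whether SMBv1 is still enabled and whether the registry
# indicators listed above are present. Run from an elevated PowerShell prompt.
# Assumption: Get-SmbServerConfiguration exists (Windows 8 / Server 2012 or later);
# older systems fall back to the LanmanServer "SMB1" value Microsoft documents.

function Test-Smb1Enabled {
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Fallback: SMBv1 is on unless the value has been explicitly set to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-WannaCryptIndicators {
    # Looks for the two registry artefacts named in the article.
    $hits = @()
    $wd = 'HKLM:\SOFTWARE\WanaCrypt0r'
    if (Test-Path $wd) {
        $hits += [pscustomobject]@{ Indicator = "$wd\wd"; Value = (Get-ItemProperty -Path $wd).wd }
    }
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $entries = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($entries) {
        foreach ($e in $entries.PSObject.Properties) {
            # The value name is random, so match on the data (tasksche.exe).
            if ($e.Value -is [string] -and $e.Value -match '\\tasksche\.exe') {
                $hits += [pscustomobject]@{ Indicator = "$run\$($e.Name)"; Value = $e.Value }
            }
        }
    }
    return $hits
}

if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disable it or block TCP 139/445 and UDP 137/138 at the firewall.'
} else {
    Write-Host 'SMBv1 is disabled.'
}

$iocs = @(Get-WannaCryptIndicators)
if ($iocs.Count -gt 0) {
    Write-Warning 'WannaCrypt registry indicators found; isolate this host from the network.'
    $iocs | Format-Table -AutoSize
} else {
    Write-Host 'No WannaCrypt registry indicators found.'
}
```

    A host that reports indicators should be taken off the network before any clean-up, since the SMBv1 spreading described above works from an already infected machine.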


    It will display a ransom message on the desktop wallpaper by changing the following registry key:

    Files created in the malware's working directory:

    What if I'm compromised?

    Once ransomware has encrypted files, there is not much you can do. Sometimes ransomware has been badly written, and it has been possible, by reverse engineering its code, to find a way to decrypt the data.

    This does not seem to apply to WannaCrypt, and we are unaware of a way to recover encrypted data at this time.

    One might ask if paying the ransom will really decrypt the files. Sometimes it will, but there is no guarantee.

    When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.