
There's a new strain of attacks which is affecting a lot of systems around the world (including the NHS in the UK and Telefonica in Spain) which is being called "WannaCry" amongst other names.

It seems to be both a standard phishing/ransomware attack but it's also spreading like a worm once it gets into a target network.

How is this malware compromising people's systems and what's the best way for people to protect themselves from this attack?

Arminius
Rory McCune
  • Is there anything left unclear to you after you have read the article you linked? After all it _says_ that ETERNALBLUE is used and that MS17-010 fixes the issues (and backups of course)... – SEJPM May 12 '17 at 19:06
  • Well some more explanation of who's at risk, how to protect themselves and how exactly the malware is operating could be useful. – Rory McCune May 12 '17 at 19:07
  • You can block at the perimeter with an IDS/IPS rule as per the SANS guidance here: https://isc.sans.edu/diary/22412 – Ed Daniel May 12 '17 at 19:20
  • @Melkor Not really; the NHS treat humans, not computer systems. A doctorate in security doesn't mean you can operate on a human, and vice versa. – wizzwizz4 May 13 '17 at 14:26
  • Note that the worm is **completely generic** - you can take it and substitute out your own program and it'll work completely fine – Riking May 13 '17 at 16:38
  • Can I ask a follow up? Is this bug specific to Microsoft, or is it part of the spec itself? If I'm running something else (say Samba on a *nix server) does this affect me? – markspace May 13 '17 at 20:57
  • Don't run Windows XP. – Ian Kemp May 15 '17 at 12:05
  • @wizzwizz4: Correction: doctors (and, to some extent, nurses) in the NHS treat humans. Accountants treat the books. Janitorial staff treat the floors and surfaces. The IT staff, supposedly, treats the computer system. The NHS isn't an organisation of just doctors and nurses. – Lightness Races in Orbit May 15 '17 at 12:06
  • V2 hashes here: https://gist.github.com/Blevene/2ef2b808a114722e5061297a5897a710 – Ed Daniel May 15 '17 at 12:09
  • Chinese report with hashes of associated files (#53) - https://nti.nsfocusglobal.com/pdf/Wannacry_Ransomware_en.pdf – Ed Daniel May 15 '17 at 12:15
  • Is there any evidence of the Phishing vector? – mgjk May 15 '17 at 17:09
  • This is a good discussion after an abbreviated version of this question: https://security.stackexchange.com/questions/159740/wannacrypt-smb-exploit-known-since-stuxnet-circa-2008-but-microsoft-hid-the-fi – SDsolar May 17 '17 at 15:34
  • Related: https://security.stackexchange.com/questions/159742/has-anybody-successfully-been-decrypted-after-paying-the-wannacrypt-ransom – SDsolar May 17 '17 at 16:11
  • https://security.stackexchange.com/questions/155169/is-it-risky-to-allow-smb-traffic-to-the-internet/155177?noredirect=1#comment303267_155177 – SDsolar May 18 '17 at 07:43
  • @MarkKCowan: While that may be true, it's probably best not to openly accuse others of illegal activity without proof in a public forum. That may constitute libel. – Lightness Races in Orbit May 19 '17 at 13:31
  • Here is an easy way to use the hashes once you have them: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment – SDsolar Sep 07 '17 at 03:00

10 Answers


WannaCry attacks are initiated using an SMBv1 remote code execution vulnerability in the Microsoft Windows OS. The EternalBlue exploit was patched by Microsoft on March 14 and made publicly available through the "Shadowbrokers dump" on April 14th, 2017. However, many companies and public organizations have not yet installed the patch on their systems. The Microsoft patches for legacy versions of Windows were released last week after the attack.

How to prevent WannaCry infection?

  1. Make sure that all hosts have enabled endpoint anti-malware solutions.

  2. Install the official Windows patch (MS17-010) https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, which closes the SMB Server vulnerability used in this ransomware attack.

  3. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.

  4. Backup all important data to an external hard drive or cloud storage service.

More information here: https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/

Marc.2377
Nik Nik
  • Hold on - you said `made publically available through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14`. So, was it patched a month *before* being made public, or did you shuffle the dates by accident? – Dragomok May 13 '17 at 17:35
  • @Dragomok Note it's the *exploit* that came out a month after the patch. That's not so unusual. Given how many computers are not kept up to date, one easy way to find exploitable flaws is wait for the patches to come out. – Todd Wilcox May 14 '17 at 06:39
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/58852/discussion-on-answer-by-nik-nik-how-is-the-wannacry-malware-spreading-and-how). – Rory Alsop May 16 '17 at 15:50
  • As this is currently the highest voted answer, and people might land on this site who are not network administrators, it would be helpful to include "don't open strange attachments" (maybe with a short description of how to check whether an attachment is an executable disguised as something else), as such things can be the some attack vectors for people not having their own LAN, and can also be the "patient zero" for a larger network. – vsz May 16 '17 at 17:29
  • @Dragomok: Presumably, TSB informed Microsoft of the issue ahead of time. The timing seems to support it. AFAIK this is typical of white/grey hat hackers. – tomasz May 16 '17 at 21:14
  • Isn't the SMB bug just one vector? I was under the impression that it was being sent via email en masse a la old fashion phishing so everyone keep their grandmothers away from the email. – Dean MacGregor May 17 '17 at 01:23
  • @tomasz [The NSA informed Microsoft of the issue ahead of time](https://arstechnica.com/security/2017/05/fearing-shadow-brokers-leak-nsa-reported-critical-flaw-to-microsoft/) (after EternalBlue was leaked). – jamesdlin May 18 '17 at 01:58
  • @DeanMacGregor: Why would they start keeping their grandmothers away now? It's not the first, and certainly it's not the last ransomware floating around. I don't think grandmothers are particularly good targets for ransomware, anyway. – tomasz May 18 '17 at 13:34
  • https://security.stackexchange.com/questions/155769/find-smbv1-status-with-nmap/158896#158896 – SDsolar May 27 '17 at 16:56

The ransomware is using a known, publicly disclosed exploit in SMBv1 (Server Message Block Version 1). It is an application level protocol used for sharing files and printers in a networked environment.

The SMBv1 protocol is commonly found in networked Windows environments, and includes operating systems such as Windows XP, Windows 7, 8, 8.1, and 10. Windows Vista and onward allow for the use of SMBv1, even though they support the improved SMBv2 and v3 protocols.

Environments that do not use Microsoft's implementation are unlikely to be affected by the exploit and related vulnerabilities. In addition, environments that do not support SMBv1 are also not affected.

You can disable SMBv1 support, as per Microsoft's directions: https://support.microsoft.com/kb/2696547

Those running Windows 8.1 or Windows Server 2012 R2 and later can disable the support by removing the Windows Feature for "SMB1.0/CIFS File Sharing Support".

There are six major vulnerabilities in Microsoft's implementation of SMBv1. The first five (and more critical) are ones that allow for remote arbitrary code execution. The last one allows for "data disclosure". The ransomware leverages the first five vulnerabilities and exploits them.

Measures users/enterprises can take to mitigate this ransomware and others include:

  • Make sure systems are patched, the vulnerabilities were patched in March of 2017.
  • Keep a recent backup of your system or critical user/business data.
  • Use and maintain an anti-virus solution
  • Use a backup scheme such as GFS (Grandfather, father, son).
  • Remove the use or support of SMBv1 (see above).
  • Segregate the network such that damage impact is lessened.
  • Use a diverse set of systems and operating systems if possible.

Web Links:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://msdn.microsoft.com/en-us/library/aa365233(VS.85).aspx

http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit

dark_st3alth

Cisco has posted an article on this that goes into more detail than any of the others I've seen. Their basic steps for prevention are as follows:

  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practices, any organization who has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

And at least based on that Microsoft bulletin, it would seem that this is a SMBv1 vulnerability, not SMBv2.

AndyO
  • What's an easy way for a user to verify whether "MS17-010 has been applied." on my system? – curious_cat May 22 '17 at 07:47
  • May not be the most elegant solution since it's code golf but it's certainly easy and works (stumbled across it by accident myself): https://codegolf.stackexchange.com/a/120787 – AndyO May 22 '17 at 14:07
  • Thanks Andy! That's awesome. Sadly, the update does not seem installed on my system. Eeks!! I thought Win Updates would have automatically installed it. – curious_cat May 22 '17 at 17:36
  • Is there any code golf to easily install the corresponding update too?!! – curious_cat May 22 '17 at 17:37

Who is at risk? Anyone running operating systems that are listed in the patch announcement here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How? Malware can be delivered in many ways, once one endpoint is compromised the 'worm' aspect of this malware exploits ms17-010. So, it could be clicking on a link, opening up an archive that has been sent via email etc. etc. https://www.microsoft.com/en-us/security/portal/mmpc/help/infection.aspx

It seems to be? Are you kidding me ;-)

Watch it spread: https://intel.malwaretech.com/botnet/wcrypt/?t=1m&bid=all

Indicators of compromise: https://otx.alienvault.com/pulse/5915d8374da2585a08eaf2f6/

Scan for vulnerable endpoints (nmap): https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

Ed Daniel
  • Good answer, anything you could add for ordinary users reading this who might be wondering what they should do to protect themselves? – Rory McCune May 12 '17 at 19:38
  • Just run windows update. – tbodt May 12 '17 at 20:08
  • @tbodt unfortunately that won't work for people running things like Windows XP. In the usual case they would get no patch but MS have released one for this https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ however it's a specific update that needs downloaded. – Rory McCune May 13 '17 at 09:56
  • I believe that this is a non-answer as per [Your answer is in another castle: when is an answer not an answer?](https://meta.stackexchange.com/q/225370/157730) Basically, try reading this but ignore the links; how much do you learn from it? (Very little, IMO.) Do consider incorporating the important details from the linked pages into the answer itself, so that this answer remains valid even if those pages are changed or become unavailable in the future. – user May 13 '17 at 18:03
  • in that case, get a modern version of windows and then run windows update. – tbodt May 14 '17 at 02:29
  • @tbodt that is not always possible (especially in corporate environments) – schroeder May 14 '17 at 08:13
  • "Who is at risk? Anyone running operating systems that are listed in the patch announcement here" what if you are the only one in your local network? The worm has to come from somewhere. – Michael May 20 '17 at 17:28

It's also important to know that there are new variants of Wannacry (dubbed Wannacry v2) which are believed not to be from the same authors.

How this malware compromises systems:

First it creates and sets the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Updates Task Scheduler" = ""[PATH_TO_RANSOMWARE][RANSOMWARE_EXE_NAME]" /r"
  • HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_RANSOMWARE]"
  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop!WannaCryptor!.bmp"

WannaCry then creates the following mutexes:

  • Global\WINDOWS_TASKOSHT_MUTEX0
  • LGlobal\WINDOWS_TASKCST_MUTEX

After this, it terminates the following processes using taskkill /f /im:

  • sqlwriter.exe
  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*

WannaCry starts searching, encrypting and appending .WCRY to the end of the file names of the following file-formats:

.123
.3dm
.3ds
.3g2
.3gp
.602
.7z
.ARC
.PAQ
.accdb
.aes
.ai
.asc
.asf
.asm
.asp
.avi
.backup
.bak
.bat
.bmp
.brd
.bz2
.cgm
.class
.cmd
.cpp
.crt
.cs
.csr
.csv
.db
.dbf
.dch
.der
.dif
.dip
.djvu
.doc
.docb
.docm
.docx
.dot
.dotm
.dotx
.dwg
.edb
.eml
.fla
.flv
.frm
.gif
.gpg
.gz
.hwp
.ibd
.iso
.jar
.java
.jpeg
.jpg
.js
.jsp
.key
.lay
.lay6
.ldf
.m3u
.m4u
.max
.mdb
.mdf
.mid
.mkv
.mml
.mov
.mp3
.mp4
.mpeg
.mpg
.msg
.myd
.myi
.nef
.odb
.odg
.odp
.ods
.odt
.onetoc2
.ost
.otg
.otp
.ots
.ott
.p12
.pas
.pdf
.pem
.pfx
.php
.pl
.png
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx
.ppt
.pptm
.pptx
.ps1
.psd
.pst
.rar
.raw
.rb
.rtf
.sch
.sh
.sldm
.sldx
.slk
.sln
.snt
.sql
.sqlite3
.sqlitedb
.stc
.std
.sti
.stw
.suo
.svg
.swf
.sxc
.sxd
.sxi
.sxm
.sxw
.tar
.tbk
.tgz
.tif
.tiff
.txt
.uop
.uot
.vb
.vbs
.vcd
.vdi
.vmdk
.vmx
.vob
.vsd
.vsdx
.wav
.wb2
.wk1
.wks
.wma
.wmv
.xlc
.xlm
.xls
.xlsb
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.zip

For prevention Nik gave you all you need to know but I'll add that you should try to block inbound connections on port 445/TCP. Make sure not to block the following sinkhole domain, as this is the kill switch found in the Wannacry v1 binary:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Hope it helps.

Hashim Aziz
Soufiane Tahiri
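The indicators in the answer above (the three registry values, the `.WCRY` suffix, the `!WannaCryptor!.bmp` wallpaper) are enough for a first-pass host triage. The script below is an added example written for this page, not code from the answer; it only reads, never kills or deletes anything, and the sample directory it builds for a dry run is constructed, not victim data. It assumes the registry values are spelled exactly as quoted in the answer and that the variant on the host still uses them (the answer notes that v2 variants are not from the same authors, so treat a clean registry as weak evidence). Isolate the host from the network before running anything on it.

```python
"""Host triage for the WannaCry indicators listed in the answer above.

Added example, not code from the answer: walks a directory tree for files
renamed with the .WCRY suffix and the ransom wallpaper, and on Windows reads
the three registry values quoted above. Read-only.
"""
import os
import sys
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".WCRY"
WALLPAPER_MARKER = "!WannaCryptor!.bmp"

# (hive, key, value name) as quoted in the answer above
REGISTRY_INDICATORS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Updates Task Scheduler"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\WannaCryptor", "wd"),
    ("HKEY_CURRENT_USER", r"Control Panel\Desktop", "Wallpaper"),
]


def scan_tree(root):
    """Return (encrypted_paths, marker_paths, Counter of original extensions)."""
    encrypted, markers, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                original = name[:-len(ENCRYPTED_SUFFIX)]   # e.g. report.docx
                by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
            elif name == WALLPAPER_MARKER:
                markers.append(path)
    return encrypted, markers, by_type


def check_registry():
    """On Windows, return the indicator values that are present; [] elsewhere.

    "Wallpaper" always exists, so it only counts when it points at the
    ransom bitmap.
    """
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    hits = []
    for hive, key, value in REGISTRY_INDICATORS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                data, _kind = winreg.QueryValueEx(k, value)
        except OSError:
            continue
        if value == "Wallpaper" and WALLPAPER_MARKER not in str(data):
            continue
        hits.append((hive + "\\" + key, value, str(data)))
    return hits


def triage(root):
    """Combine the file-system and registry checks into one report."""
    encrypted, markers, by_type = scan_tree(root)
    registry = check_registry()
    return {
        "encrypted_files": encrypted,
        "markers": markers,
        "by_type": dict(by_type),
        "registry": registry,
        "infected": bool(encrypted or markers or registry),
    }


def make_sample_tree(infected=True):
    """Constructed sample directory (no real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="wcry-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["notes.txt"]
    if infected:
        names += ["report.docx.WCRY", "budget.xlsx.WCRY", WALLPAPER_MARKER]
    for name in names:
        with open(os.path.join(docs, name), "wb"):
            pass
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    report = triage(target)
    print("infected" if report["infected"] else "no indicators", "under", target)
    print("%d encrypted files by original type: %s"
          % (len(report["encrypted_files"]), report["by_type"]))
    for key, value, data in report["registry"]:
        print("registry hit: %s\\%s = %s" % (key, value, data))
```

Run it as `python3 wcry_triage.py C:\Users` (or a mounted image of the disk) from an administrative shell so the HKLM keys are readable; with no argument it runs against the constructed sample tree. The per-extension count is there because it tells you quickly whether the encryption got to the file types that matter (the answer's list) before the process was stopped.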

It seems to be a both a standard phishing/ransomware attack but it's also spreading like a worm once it gets into a target network.

Windows servers are typically behind firewalls that don't pass SMB. Once the first machine on a protected network is infected the worm propagates the attack using the SMB exploit noted above.

I'd like to get confirmation on the phishing side of the attack. Microsoft (as of two days ago) still didn't have info on the initial compromise :

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

(https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/)

[Edit] Just saw that Forbes doesn't think Phishing is a major component of this attack. see https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#37038021e599 :

"...it's unlikely phishing emails were the primary infection method, given few have shared emails laced with the malware. Cisco's Talos division does not believe any phishing emails were used..."

So that would leave unprotected servers with SMB ports exposed to the open internet as the primary infection vector. That might explain some of the high profile targets reported who have widely spread networks (FedEx, NHS, etc). It would only take one unexposed computer that also connected to a wider network to bootstrap an infection.

IAmBarry
  • seems more like a comment than an answer – schroeder May 15 '17 at 15:17
  • The question is an assertion too, so I think it's fair to answer it by refuting the certainty of the phishing claims and effectiveness of the sole SMBv1 vector. – mgjk May 15 '17 at 17:17
  • Our private InfoSec feeds are reporting details of some Phishing attacks. I can't find any public information, but it does indeed appear to have a phishing vector. Check your vendors. – mgjk May 15 '17 at 17:52
  • I did much research, but there is no glimpse of any emails linked with wannacry. Beat me if I'm wrong, but for me the search for this infection vector is over. There is nothing then "I have heard that someone have told, he've got such a mail". In fact I'm registered to stackexchange because there are users at askubuntu who claimed to have wannacry phishing mails. After two days of communication I could for sure say: they don't have. And nobody else. Look also here: https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/ – user689443 May 20 '17 at 10:14

NHS was doomed to be first one hit

There are many great answers here but this answer is enlightening given recent events. On January 18th, 2017 US-Cert urged admins to firewall off SMBv1 but comments on this story say the only reason Windows XP support is still around is because the NHS (the UK's National Health Service, which was shut down on Friday May 12th) pays M$ tons of cash to keep it alive.

One link for all off support Windows vulnerable versions

If you have an older Windows Vista backup laptop like myself, you might be interested in KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003 which are equivalents to much talked about MS17-010. These are manual patches for EOL (End of Life) Windows versions off of support and automatic updates. Microsoft took the extraordinary step of releasing these patches over the last 48 hours.

Linux users can be affected too

If there are Linux users reading this answer I'd like to point out vulnerabilities discussed in Ask Ubuntu on this Question I posted.

Technical details not listed in other answers

This article discusses blocking specific ports and disabling SMBv1 and SMBv2 in favour of SMBv3. Part of the article states the FBI says you shouldn't pay the criminals to get your data back but in all honesty I would pay 300 bucks to get my life back.

Spooky coincidences

The Shadow Brokers have made 31 grand so far according to one article today. Interesting fact the name first appeared (AFAIK) as a fictional group wheeling and dealing in secrets in a Sci-Fi video game invented in Edmonton about 10 years ago. Second interesting fact they charge $300 to unlock your ransomed data and I used to charge $300 for data repairs of GL, AR, IC, PR, etc. That said I highly doubt the Shadow Brokers are based out of Edmonton where I live.

Version two is out and kill switch won't work

The creation of the website http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ which operates as a kill-switch to the ransomware is reported to have been side-stepped by a new version of "Wanna Cry". I haven't read many articles confirming this but in any respect the SMBv1 and SMBv2 holes should be plugged. People shouldn't rely on the kill-switch working with future "Wanna Cry" versions or any new malware / ransomware utilizing the loop-hole.

If you wonder what the kill-switch website benignly says, it is:

sinkhole.tech - where the bots party hard and the researchers harder...

Microsoft Conspiracy Theories

Those that don't believe in conspiracies can press the back button. The NSA and Microsoft knew this was coming according to this article circulating a petition demanding to know what Microsoft knew, when, where and how. The allegations are based on the timing of Shadow Brokers, NSA getting hacked and MS security updates.

  • NHS is not the only company to keep XP support alive, other big companies pay millions... IMO it's a terrible idea, they should invest toward updating their system instead ! – 0x1gene May 18 '17 at 10:19

In addition to the preceding answers, which mention only Windows, and since there's a dup-closed question "Does WannaCry infect Linux?" pointing to this one, I'd like to add that Linux machines can get infected too if they're running Wine: https://twitter.com/hackerfantastic/status/863359375787925505

dr_

While installing vendor patches is always a good idea, it's also worth noting that the malware carries out a DNS check on activation. I've seen one reported domain:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

But it's likely that there may be more. Hence it should be possible to monitor your network for new infections using something like this (on a Linux/Unix box), which tests for a very long string as a domain component in a DNS query:

tcpdump -l -n dst port 53 | awk '$8 ~ /[^.]{20,}/ { print $0 }'

(not tested: YMMV)

symcbean
  • Since the DNS check was the cause of the first strain being defeated, it seems likely that subsequent strains won't have this. – Lightness Races in Orbit May 15 '17 at 12:09
  • That looks quite similar to [something Chrome does when it starts](//unix.stackexchange.com/q/363512). The difference here being that the Chrome requests are for unqualified host names, not `.com` names. – Toby Speight May 18 '17 at 09:23
  • These guys have a better version of this methodology: https://www.youtube.com/watch?v=ZNas6BmbRvo – symcbean Jun 13 '17 at 19:19
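The awk one-liner above prints the matching line but leaves you to pick the querying host out of it, and it matches on label length alone. The script below is an added example for this page, not the answer's code: it parses the same `tcpdump -l -n dst port 53` output, applies the answer's 20-character-label test, adds an exact match on the kill-switch domain quoted in this thread, and groups hits by the internal host that asked, since that host is the one to isolate. The sample lines are constructed, not a real capture, and the field layout assumed is tcpdump's default one-line query format (with `-n`, no `-v`). The long-label test will also fire on legitimate CDN, DKIM and certificate-validation names, so treat those hits as leads to check, not verdicts; and as the comment above notes, later variants may not perform the DNS check at all.

```python
"""Flag DNS queries that look like the WannaCry kill-switch lookup.

Added example (not from the answer above): parses "tcpdump -l -n dst port 53"
output, applies the same long-label test as the awk rule, matches the
kill-switch domain quoted in this thread, and reports the querying host.
"""
import re
import sys
from collections import defaultdict

# Only the domain quoted in this thread; add others from your own intel.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}
LONG_LABEL = 20   # minimum label length to flag, as in the awk rule

# tcpdump -l -n dst port 53 prints queries as, for example:
#   12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 4321+ A? example.com. (29)
DNS_QUERY = re.compile(
    r"^\S+ IP6? (?P<src>\S+?)\.\d+ > \S+\.53: \S+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. "
)


def classify(qname):
    """Return why a query name is suspicious, or None."""
    name = qname.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in KILL_SWITCH_DOMAINS):
        return "known kill-switch domain"
    labels = name.split(".")
    # Ignore the TLD; long labels elsewhere (CDN, DKIM, ACME names) will also
    # trip this, so it is a lead to investigate rather than a verdict.
    if any(len(label) >= LONG_LABEL for label in labels[:-1]):
        return "label of %d+ chars" % LONG_LABEL
    return None


def scan(lines):
    """Yield (source_host, qname, reason) for each suspicious query line."""
    for line in lines:
        m = DNS_QUERY.match(line)
        if not m:
            continue            # responses, non-DNS lines, verbose extras
        reason = classify(m.group("qname"))
        if reason:
            yield m.group("src"), m.group("qname").rstrip("."), reason


def summarize(lines):
    """Group hits by querying host: that host is the one to isolate and image."""
    by_host = defaultdict(list)
    for src, qname, reason in scan(lines):
        by_host[src].append((qname, reason))
    return dict(by_host)


SAMPLE_LINES = [  # constructed, not a real capture
    "12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 4321+ A? www.example.com. (33)",
    "12:00:02.000002 IP 10.0.0.7.49152 > 10.0.0.1.53: 1+ A? "
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. (68)",
    "12:00:03.000003 IP 10.0.0.9.40001 > 10.0.0.1.53: 2+ A? "
    + "a" * 25 + ".example.net. (54)",
    "12:00:04.000004 IP 10.0.0.5.51235 > 10.0.0.1.53: 4322+ AAAA? mail.example.com. (34)",
    "12:00:05.000005 IP 10.0.0.1.53 > 10.0.0.5.51234: 4321 1/0/0 A 93.184.216.34 (49)",
]

if __name__ == "__main__":
    # Stream from tcpdump on stdin; fall back to the constructed sample.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for host, qname, reason in scan(source):
        print("%s queried %s (%s)" % (host, qname, reason))
```

Use it as `tcpdump -l -n dst port 53 | python3 dns_killswitch.py` on a box that sees the resolver traffic (a span port or the resolver itself); run with no input to see it work on the sample. Because `scan` is a generator, hits print as they arrive rather than at end of capture.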

I will answer the "how to protect" part a little concisely

0. Act quickly

The malware is still spreading. If your system is unprotected, its remaining life is counted in hours

1. Make sure to perform required system updates

Microsoft has already released patches for all versions of Windows under maintenance. Perhaps Windows ME has not been patched, otherwise go to #4

2. Backup

You can defend your infrastructure from any ransomware, or at least limit its damage, by enforcing a valid backup policy. Backing up to a vulnerable machine is meaningless in this situation. Synchronizing to the cloud can be dangerous

3. Firewall yourself from the outside

Whether you are a home user or a large enterprise, you shall always apply the firewall rule of thumb: disable everything except services you are actually running.

Running a web application? Open only ports 80/443. Running Torrent at home? Use upnp or choose your ports to open on your modem.

Do not use DMZ. If you really need SMB you have to think about it carefully. Discussing on ServerFault may be good.

4. Air gap or strong-firewall old machines

If you own a legacy system that is really business critical and can't be upgraded in short time, consider air-gapping it. Virtualizing an old Windows version is useless because the malware can spread on your network of outdated machines. If you fail to firewall and/or to disable SMB completely, the last option is to remove the network cable until you find a better solution

usr-local-ΕΨΗΕΛΩΝ