Home
Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

What Happened

The 12th of May 2017 will go down as a long day for IT within the NHS and other big corporates in the UK and wider Europe. The 12th saw massive WCry infections and file encryption and ransom demands. But how did all of this happen?
As of right now, that is 4pm on the 12th of May, details are patchy but I will keep this post updated. Presently the outbreak is being propagated in the first instance by a file embedded in a Word document, taking advantage organisations that failed to apply the MS17-010 patches.

What we Know

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
We have observed the following SHA256 fingerprints:
  • taskdl.exe : 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • wannacry.exe : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • taskse.exe : 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • u.wnry : b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Analysis

The WannaCrypt ransomware worm, also known as WanaCrypt or Wcry, is affecting multiple countries infecting hospitals, businesses and infrastructure. WannaCrypt is malware for windows systems. It is spread by a worm that is actively exploiting a vulnerability in Microsoft's SMB file-sharing services. It specifically abuses a bug designated MS17-010 that was patched in March for modern versions of Windows. Older legacy versions such as Windows XP at the time of the initial incident had no available patches and  are therefore vulnerable. However, Microsoft rectified this by turning around one of the best out-of-band patch releases ever seen.
When WannaCrypt infects a system, it will encrypt as many files as it possibly can and demand ransom for the decryption of those files. The ransom has been seen to be between 300 and 600 US dollars in Bitcoin. The worm also installs Doublepulsar, a command and control backdoor allowing the attacker(s) to remotely control the machine via the TOR network.

What do we do?

  1. The very first thing is apply all the current critical patches to your machines. Especially MS17-010. ***UPDATE*** Patches are now available for all Microsoft OS's.
  2. The next thing to do is update you AV and run a full scan of ALL your systems. As of 17:15 28 of the major 61 global AV companies have a signature to detect and remove WCry2.0. Check progess here.
  3. Disable SMBv1 on your older servers, such as Windows 2003 Server. You can do this using this short script: Set-ItemProperty -Path "HKLM:
    SYSTEM
    CurrentControlSet
    Services
    LanmanServer
    Parameters" SMB1 -Type DWORD -Value 0 -Force.

Updates

More to follow shortly
16:37 - Update
It would appear, according to a good source (blockchain.info) that the bitcoin address for payment is 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.
16:53 - Update 2 - By Idan
Ransomware attacks are happening across Europe, in Spain the biggest telecommunication company 'Telefonica' has been under cyber-attack
17:00 - Update by Peter Bassill
Some rather good sources for further reading:
How to ID your ransonware:
https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/
https://www.nomoreransom.org/
17:17 - Update 3 By Idan
The ransomware WanaCrypt0r 2.0  as local network capabilities means that only having one computer exposed to this ransomware, it could potentially infect with the ransomware all the others computers in the same network, the warm uses the vulnerabilities that were released by the Shadow Brokers that leaked NSA tools.
17:37- Update 4 By Idan
Live feed of the spread of the WannaCryp0t
https://intel.malwaretech.com/WannaCrypt.html