The largest global ransomware attack to date began on Friday 12th May. The worm, known as WannaCry, WCry or WannaCryptor 2.0, hit businesses worldwide, including our NHS and the Nissan plant at Sunderland.

WannaCry encrypts the files on the machine it lands on and at the same time scans for other systems to infect. It uses a vulnerability in SMBv1 to gain access to unpatched systems running anything from Windows XP to Windows 10 (Microsoft was only supporting Windows 7 upwards at the time, though it has since issued an out-of-band patch for XP, Windows 8 and Server 2003 as well). The vulnerability was reportedly discovered by the NSA; the exploit built on it, 'EternalBlue', was leaked by the Shadow Brokers in April, a month after Microsoft had already fixed the underlying flaw in its March update (MS17-010).

SMB listens on TCP port 445 and is a long-standing Windows protocol, so firewalls blocking that port will help, but doing so may limit functionality because the same port carries local area network file and printer sharing. The flaw is in the SMBv1 dialect specifically; disabling SMBv1 while leaving SMBv2/3 running closes the hole for modern clients, but anything that still depends on it (XP, Server 2003, some older printers and NAS devices) will stop working. Kaspersky believes around 200,000 systems are at risk, of which it estimates 46,000 devices have been compromised.

The bitcoin addresses used in this attack show around £35,000 deposited so far, but there is not a single confirmed report of a payment resulting in released files. Analysis of the worm's code suggests it may lack the automated decryption flow that other ransomware families have, so paying may simply not work.

Infecting one computer not only holds that machine hostage but may lead to every other machine on the local network being encrypted, a cascade effect. An attacker can therefore hold an entire organisation hostage with a single successful infection, which appears to be what happened here.

To protect against the worm, block TCP 445 and 139 and UDP 137 and 138 (blocking both TCP and UDP on all four does no harm) at the internet perimeter for every device, and between internal segments if any machine on the network is known or suspected to be compromised. If a local machine is affected, isolate it immediately. A perimeter rule does nothing against an infected machine on the same segment, so you must also patch the SMB vulnerability on every machine within your network and on any machine that connects to it: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Where nothing still depends on it, disable SMBv1 as well.
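One way to find the machines that still need attention, as an added example that is not code from the original article: the script below sends an SMB1 NEGOTIATE request offering only SMB1 dialects to each host on TCP/445. A host that picks a dialect still has SMBv1 switched on and must be patched or have SMBv1 disabled; a host that drops the connection or rejects every dialect does not expose it. It does not test for the MS17-010 patch itself. The host names, the hard-coded client flags and the sample response bytes are assumptions for illustration; it uses only the Python standard library and is meant to be run from a scanning box against your own address ranges.

```python
"""Probe hosts for SMBv1 on TCP/445 (added example; stdlib only)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF  # DialectIndex a server returns when it accepts none

# Classic SMB1 dialect strings, in the order a Windows client offers them.
SMB1_DIALECTS = [
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    b"NT LM 0.12",
]


def smb1_header(command, status=0, mid=1):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    security features, reserved, TID, PIDLow, UID, MID (little-endian)."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, status,
                       0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, mid)


def netbios_frame(smb):
    """NetBIOS session service header: type 0x00 plus 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """NEGOTIATE request (WordCount 0) offering only SMB1 dialects, so a server
    that answers with a dialect index has SMBv1 switched on."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE)
                         + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(frame, dialects=SMB1_DIALECTS):
    """Return the chosen dialect name, 'SMB2' if the server answered with an
    SMB2 header, or None if it rejected every SMB1 dialect."""
    if len(frame) < 4:
        raise ValueError("short NetBIOS frame")
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if smb[:4] == SMB2_MAGIC:
        return "SMB2"
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        raise ValueError("not an SMB1 NEGOTIATE response")
    command, status, word_count = smb[4], struct.unpack_from("<I", smb, 5)[0], smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return None  # error response: nothing was negotiated
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == NO_DIALECT or index >= len(dialects):
        return None
    return dialects[index].decode()


def probe_smb1(host, port=445, timeout=3.0):
    """Classify a host as 'smb1:<dialect>', 'no-smb1', 'closed' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            frame = s.recv(4096)
    except socket.timeout:
        return "timeout"
    except OSError:  # refused, reset, unreachable
        return "closed"
    if not frame:
        return "no-smb1"  # SMBv1-disabled Windows simply drops the connection
    try:
        dialect = parse_negotiate_response(frame)
    except ValueError:
        return "no-smb1"
    return "smb1:" + dialect if dialect and dialect != "SMB2" else "no-smb1"


def sample_negotiate_response(dialect_index):
    """Constructed SMB1 NEGOTIATE response (WordCount 17, the 34 parameter bytes
    a Windows server sends, empty data). Built here for offline demonstration,
    not captured from a real host."""
    params = struct.pack("<HBHHIIIIqhB", dialect_index, 0x03, 50, 1, 16644,
                         65536, 0, 0x8000E3FD, 0, 0, 8)
    body = struct.pack("<B", 17) + params + struct.pack("<H", 0)
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE) + body)


if __name__ == "__main__":
    # Usage: python smb1_probe.py 10.0.0.5 fileserver.example.local ...
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
    # Offline check of the parser against the constructed sample responses.
    print("sample picks:", parse_negotiate_response(sample_negotiate_response(5)))
    print("sample rejects:", parse_negotiate_response(sample_negotiate_response(NO_DIALECT)))
```

Anything reported as smb1:NT LM 0.12 (or any other dialect) goes on the patch list; "closed" means the port is filtered or not listening, which is what you want to see from the internet side. Run it again after patching and disabling SMBv1 to confirm the change actually took.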

To help recover your systems, please contact us, we’re standing by to help.

Technical Analysis:

The Bitcoin addresses used are noted below:

  • https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The command-and-control servers are Tor hidden services:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

It was discovered that the malware contained a kill switch: before doing anything else it tries to fetch a hard-coded web address, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and exits without encrypting if the request succeeds. A security researcher registered that domain on the 12th, which stopped the spread of the original worm. Two caveats: the check is a direct HTTP request and is not proxy-aware, so machines that can only reach the web through a proxy gained no protection from the registration; and for the same reason you must not block the domain on your own network, because a host that cannot reach it goes on to encrypt. New strains with the check altered or removed are expected.
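Because the worm tries to resolve the kill-switch domain before it encrypts, your resolver logs tell you which hosts have executed it, whether or not the encryption then ran. The script below is an added example, not part of the original analysis: it scans BIND-style query log lines for the kill-switch domain and the .onion addresses listed above and reports hits per client. The log lines are constructed, not captured from a real resolver, and the log format, field names and internal addresses are assumptions; adapt the regular expression to whatever your resolver or DNS firewall writes.

```python
"""Flag internal hosts whose DNS queries match the WannaCry indicators
(added example; the sample log below is constructed, not real data)."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
ONION_C2 = {
    "gx7ekbenv2riucmf.onion",
    "57g7spgrzlojinas.onion",
    "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion",
}

# BIND-style "queries" log line (assumed format):
#   12-May-2017 11:02:13.201 client 10.20.3.17#51523: query: example.com IN A + (10.20.0.5)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two benign lookups, one host touching the kill
# switch, one host leaking .onion names to the corporate resolver.
SAMPLE_DNS_LOG = """\
12-May-2017 11:02:13.201 client 10.20.3.17#51523: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.5)
12-May-2017 11:02:14.010 client 10.20.3.17#51524: query: update.microsoft.com IN A + (10.20.0.5)
12-May-2017 11:03:40.019 client 10.20.7.44#62210: query: gx7ekbenv2riucmf.onion IN A + (10.20.0.5)
12-May-2017 11:04:02.777 client 10.20.9.8#40011: query: intranet.example.local IN A + (10.20.0.5)
12-May-2017 11:05:11.442 client 10.20.7.44#62211: query: someotherhidden.onion IN A + (10.20.0.5)
"""


def classify_query(qname):
    """Map a queried name to an indicator class, or None if it looks benign."""
    name = qname.rstrip(".").lower()
    if name == KILL_SWITCH_DOMAIN:
        return "killswitch"       # the worm ran on this host
    if name in ONION_C2:
        return "wannacry-c2"      # one of the listed hidden services
    if name.endswith(".onion"):
        # .onion names never belong in ordinary DNS; a leak like this means
        # something on the host tried to reach Tor without a Tor resolver.
        return "onion-leak"
    return None


def scan_dns_log(text):
    """Return {client_ip: [(timestamp, qname, indicator), ...]} for every hit."""
    hits = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unparsable line: skip rather than guess
        tag = classify_query(match["qname"])
        if tag:
            hits[match["ip"]].append((match["ts"], match["qname"], tag))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in sorted(scan_dns_log(SAMPLE_DNS_LOG).items()):
        for ts, qname, tag in events:
            print(f"{ip:15} {tag:12} {ts} {qname}")
```

A "killswitch" hit identifies a machine to isolate and check regardless of whether it encrypted anything, since the worm still tried to spread from it. Use the indicator for detection only: sinkholing or blocking the kill-switch name on your resolver would turn every future infection into an encryption.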

North IT security analysts are standing by to help any organisation affected by this incident.

Staying Secure:

To make sure this doesn’t happen to you we can recommend the following:

  • Apply patches as soon as they are available.
  • Make sure any unsupported operating systems are removed from your organisation or replaced with supported ones. (Get rid of XP!)
  • Keep anti-virus up to date daily.
  • Engage in regular penetration testing and vulnerability scanning using a qualified 3rd party supplier of these services.
  • Have a 3rd party supplier conduct a build review of your user workstations and laptops. This is particularly important because correctly configured patch management and hardened configuration settings are much harder to exploit through phishing.
  • Add malware scanning to your email chain.
  • Review all firewalls and consider segmenting the LAN into separately protected networks rather than one flat network that every machine can reach. Check routes and improve egress filtering.
  • Keep regular backups that are held off-site and not connected to your network. Make sure this process is verified, tested and fully working, preferably using physical media that isn't used for anything else.
  • Train your staff. Although WannaCry needed no user interaction once it could reach an exposed SMB service, ransomware is usually initiated by an email attachment, and as this is on the increase it is even more important to establish a business culture of security awareness. Run simulated phishing attacks to keep your staff on their toes.

Please contact us if you need any assistance with the above.