wCry2 Ransomware spreading via EternalBlue (MS17-010)
Update May 13
Data was coming in very quickly on Friday and while we worked to provide timely and reasonable information we know now more about what happened and how the Wana Decrypt0r 2.0 ransomware outbreak managed to escalate so quickly.
First some good news: The malware, once executed checked for the existence of a randomly generated domain. If the domain did not exist or could not be reached, the execution of malicious code continued. If the domain existed and was accessible, a kill switch was activated and the infection was halted. A malware blogger and reverse engineer from the U.K registered the domain which effectively slowed the malware spread in the U.S. Unfortunately, many anti-virus vendors began to block the domain, unintentionally allowing the installation to continue, realizing the error some of the anti-virus vendors have removed the block and now sinkhole the domain instead.
More information here:
The unfortunate news is that there are now samples emerging that no longer contain the domain based “kill switch”.
An example of this new variant is available here:
Additionally, after further review of the malicious binaries, we’ve identified that all RF1918 (private) netblocks as well as randomly generated internet netblocks are also scanned looking for further propagation avenues. This means that organizations could also potentially be affected by way of site-to-site VPN connection with business partners or vendors. The ransomware has also spread via guest wifi, thus users should be cautious as it is possible they could be affected while connected to an open wifi hotspot.
Researchers have noted that WannaCry 2.0 is not the actual worm. The worm is the MS17-010 “spreader”. WannaCry 2.0 is dropped by the “spreader” which can also be used to drop other binaries and files. Thus, it is extremely critical that organizations apply the MS17-010 patches as quickly as possible.
Mac OS and Linux users running Windows VMs or Wine are also affected if not patched.
Along with the ETERNALBLUE components, the dropper also calls out and downloads DOUBLEPULSAR. Organizations affected will want to check for the existence of DOUBLEPULSAR once the initial attack is remediated. There is a free script available to check for this located here:
The Wana Decrypt0r 2.0 ransomware campaign utilized 3 Bitcoin wallets and as of today they show modest returns. Note: there is no indication that paying the ransom actually provided the user with the keys to decrypt their data and some researchers reported that users had to interact with a human via phone or web chat to negotiate. In the ransom note, the attackers mention that if someone is “too poor” to pay that their files will automatically decrypt in 6 months.
The following Bitcoin wallets have been linked to this ransomware campaign:
The Global response to this campaign has been swift and effective, unfortunately, too late for a large number of European organizations. Microsoft released updates to its malware protection engine to block the malware. Additionally, Microsoft has unexpectedly released security patches for EternalBlue and MS17-010 vulnerabilities for the unsupported Windows XP, Vista, Windows 8, and Windows server 2013 operating systems.
When unfortunate events like this take place, it’s easy for information security practitioners to point fingers and assign blame but the global information security community would be better served by helping organizations understand and avoid these situations in the future.
Moving forward, Kudelski Security expects to see most if not all ransomware and malware families using similar techniques to spread quickly and infect large numbers of users and organizations.
This global ransomware outbreak is a stark reminder that organizations must have the basics covered. Organizations must review and evaluate their vulnerability and patch management programs to ensure confidence, comprehensiveness, and effectiveness. Security patches are a fundamental and critical foundation of any organizations security program and should be tested and applied quickly. Organizations should also perform a “health checkup” and review backup strategies, test backups regularly, and ensure backups are easily accessible while also being protected from encryption and deletion. Also, organizations should review and reevaluate what traffic is allowed to and from the internet.
Once the basics are covered, now is the time to start looking at some of the newer endpoint protection platforms that rely on behavioral indicators that executables could be malicious instead of solely relying on signatures.
Now is the time to take a look at security, review and apply the basics, and then pragmatically strengthen its effectiveness.
On May 12 2017, a widespread cyber-attack utilizing the WCry2 ransomware, also known as Wana Decrypt0r 2.0, began spreading across the globe. At the time of this writing, the Ransomware has currently impacted organizations in 99 countries and continues to spread. Wana Decrypt0r 2.0 uses the EternalBlue exploit (MS17-010), released by the Shadow Brokers in March 2017. This SMB exploit is used to attempt to infect other machines within the same network and to scan for, and infect, potentially vulnerable Windows machines on the internet.
Wana Decrypt0r 2.0 is a highly effective ransomware variant that encrypts several file types, making them inaccessible to the user, and demands a payment of $300 U.S dollars in Bitcoin to decrypt the files.
Additional details on Wana Decrypt0r 2.0 and EternalBlue (MS17-010)
Wana Decrypt0r 2.0 is a variant of the WannaCrypt ransomware family that is currently being spread by exploiting EternalBlue (MS17-010). Wana Decrypt0r 2.0 encrypts several file types on an infected computer demands a ransom of $300 USD in Bitcoin to decrypt the inaccessible files.
ExternalBlue is an exploit that takes advantage of previous vulnerabilities in SMB, a critical protocol for Windows Systems. The exploit allows for the remote execution of malicious code on vulnerable systems without requiring any use interaction. The ExternalBlue exploit requires that the systems be vulnerable and expose the SMB service (enabled by default on Windows systems) to successfully compromise a system and replicate across network infrastructure to other vulnerable Windows systems.
At the time of this writing, this cyber-attack has quickly spread to 99 countries across multiple regions of the world. This global threat arrives in the form of a phishing email with a malicious attachment, once the malicious attachment is opened a dropper begins to download and unpack the actual ransomware code. The ransomware encrypts the user’s files, scans the networks to which the machine is connected, and uses the EternalBlue exploit to spread across organizations with unpatched Windows systems.
Kudelski Security has observed several industries and regions being specifically targeted by this ransomware campaign. Kudelski Security has intelligence that indicates that other ramsomware campaigns are activity integrating more of the Fuzzbunch framework exploits into their code.
As of this writing, according to internet scanning tool Shodan, there are approximately 2.4 million internet exposed systems which may be vulnerable to this exploit.
Mitigation and Response
Microsoft released a patch for the EternalBlue and other critical remote code execution vulnerabilities in March 2017 as part of Microsoft Security Bulletin MS17-010.
Kudelski Security recommends that clients immediately apply the patch for MS17-010. For organizations unable to quickly apply the Microsoft patches, potential mitigations include using a GPO to apply Windows Firewall rules to block inbound SMB connections on all unpatched endpoint systems and limiting SMB connections between servers.
Kudelski Security also recommends limiting all inbound and outbound communication on UDP ports 137 & 138 and TCP ports 139 & 445 on internet firewalls in order to reduce exposure and the slow the propagation of this ransomware.
Kudelski Security recommends backing up all files, including systems already affected by the ransomware in case future decryption tools become available.
Additionally, Kudelski Security recommends that organizations evaluate their vulnerability management programs to ensure that updates and patches are tested and applied quickly once they are released.
The Kudelski Security Cyber Fusion Center has ensured all managed and monitored security devices are updated with detection signatures and methodology to detect the uses of the Wana DeCrypt0r 2.0 ransomware and exploitation with ExternalBlue and other recent Windows exploits.
VirusTotal analysis of malicious PDF