There's a new strain of attacks which is affecting a lot of systems around the world (including the NHS in the UK and Telefonica in Spain) which is being called "WannaCry" amongst other names.

It seems to be both a standard phishing/ransomware attack, but it's also spreading like a worm once it gets into a target network.

How is this malware compromising people's systems and what's the best way for people to protect themselves from this attack?

  • Is there anything left unclear to you after you have read the article you linked? After all it says that ETERNALBLUE is used and that MS17-010 fixes the issues (and backups of course)...
    – SEJPM
    Commented May 12, 2017 at 19:06
  • Well some more explanation of who's at risk, how to protect themselves and how exactly the malware is operating could be useful. Commented May 12, 2017 at 19:07
  • @Melkor Not really; the NHS treat humans, not computer systems. A doctorate in security doesn't mean you can operate on a human, and vice versa.
    – wizzwizz4
    Commented May 13, 2017 at 14:26
  • Can I ask a follow-up? Is this bug specific to Microsoft, or is it part of the spec itself? If I'm running something else (say Samba on a *nix server) does this affect me?
    – markspace
    Commented May 13, 2017 at 20:57
  • @wizzwizz4: Correction: doctors (and, to some extent, nurses) in the NHS treat humans. Accountants treat the books. Janitorial staff treat the floors and surfaces. The IT staff, supposedly, treats the computer system. The NHS isn't an organisation of just doctors and nurses. Commented May 15, 2017 at 12:06

10 Answers

WannaCry attacks are initiated using an SMBv1 remote code execution vulnerability in Microsoft Windows OS. The EternalBlue exploit has been patched by Microsoft on March 14 and made publicly available through the "Shadowbrokers dump" on April 14th, 2017. However, many companies and public organizations have not yet installed the patch to their systems. The Microsoft patches for legacy versions of Windows were released last week after the attack.

How to prevent WannaCry infection?

  1. Make sure that all hosts have enabled endpoint anti-malware solutions.

  2. Install the official Windows patch (MS17-010) https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, which closes the SMB Server vulnerability used in this ransomware attack.

  3. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.

  4. Backup all important data to an external hard drive or cloud storage service.

More information here: https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/

  • Hold on - you said made publicly available through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14. So, was it patched a month before being made public, or did you shuffle the dates by accident?
    – Dragomok
    Commented May 13, 2017 at 17:35
  • @Dragomok Note it's the exploit that came out a month after the patch. That's not so unusual. Given how many computers are not kept up to date, one easy way to find exploitable flaws is to wait for the patches to come out. Commented May 14, 2017 at 6:39
  • As this is currently the highest voted answer, and people might land on this site who are not network administrators, it would be helpful to include "don't open strange attachments" (maybe with a short description of how to check whether an attachment is an executable disguised as something else), as such things can be some of the attack vectors for people not having their own LAN, and can also be the "patient zero" for a larger network.
    – vsz
    Commented May 16, 2017 at 17:29
  • @Dragomok: Presumably, TSB informed Microsoft of the issue ahead of time. The timing seems to support it. AFAIK this is typical of white/grey hat hackers.
    – tomasz
    Commented May 16, 2017 at 21:14
  • @tomasz The NSA informed Microsoft of the issue ahead of time (after EternalBlue was leaked).
    – jamesdlin
    Commented May 18, 2017 at 1:58

The ransomware is using a known, publicly disclosed exploit in SMBv1 (Server Message Block Version 1). It is an application level protocol used for sharing files and printers in a networked environment.

The SMBv1 protocol is commonly found in networked Windows environments, and includes operating systems such as Windows XP, Windows 7, 8, 8.1, and 10. Windows Vista and onward allow for the use of SMBv1, even though they support the improved SMBv2 and v3 protocols.

Those environments that do not use Microsoft's implementation are unlikely to be affected by the exploit and related vulnerabilities. In addition, those environments that do not support SMBv1 are also not affected.

You can disable SMBv1 support, as per Microsoft's directions: https://support.microsoft.com/kb/2696547

Those running Windows 8.1 or Windows Server 2012 R2 and later can disable the support by removing the Windows Feature for "SMB1.0/CIFS File Sharing Support".

There are six major vulnerabilities in Microsoft's implementation of SMBv1. The first five (and more critical) are ones that allow for remote arbitrary code execution. The last one allows for "data disclosure". The ransomware leverages the first five vulnerabilities and exploits them.

Measures users/enterprises can take to mitigate this ransomware and others include:

  • Make sure systems are patched; the vulnerabilities were patched in March of 2017.
  • Keep a recent backup of your system or critical user/business data.
  • Use and maintain an anti-virus solution.
  • Use a backup scheme such as GFS (Grandfather, father, son).
  • Remove the use or support of SMBv1 (see above).
  • Segregate the network such that damage impact is lessened.
  • Use a diverse set of systems and operating systems if possible.

Web Links:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://msdn.microsoft.com/en-us/library/aa365233(VS.85).aspx

http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit

  • Is SMB enabled by default on personal consumer Windows editions of the affected operating systems?
    – raphael
    Commented May 16, 2017 at 16:17
  • Apparently, Windows pushes updates to even unsupported systems, such as XP, Vista, and such
    – user91694
    Commented May 16, 2017 at 17:59
  • @raphael Yes, SMBv1 is on by default. See the Microsoft Support page for instructions on disabling it (if you don't use v1, of course).
    – Kroltan
    Commented May 18, 2017 at 14:12
  • @LunarWatcher Yeah, they pushed it to unsupported systems once they saw just how much damage it was doing. Commented May 21, 2017 at 19:05

Cisco has posted an article on this that goes into more detail than any of the others I've seen. Their basic steps for prevention are as follows:

  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

And at least based on that Microsoft bulletin, it would seem that this is an SMBv1 vulnerability, not SMBv2.

  • What's an easy way for a user to verify whether "MS17-010 has been applied." on my system? Commented May 22, 2017 at 7:47
  • May not be the most elegant solution since it's code golf, but it's certainly easy and works (stumbled across it by accident myself): codegolf.stackexchange.com/a/120787
    – AndyO
    Commented May 22, 2017 at 14:07
  • Thanks Andy! That's awesome. Sadly, the update does not seem installed on my system. Eeks!! I thought Win Updates would have automatically installed it. Commented May 22, 2017 at 17:36
  • Is there any code golf to easily install the corresponding update too?!! Commented May 22, 2017 at 17:37

Who is at risk? Anyone running operating systems that are listed in the patch announcement here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How? Malware can be delivered in many ways; once one endpoint is compromised, the 'worm' aspect of this malware exploits MS17-010. So, it could be clicking on a link, opening up an archive that has been sent via email, etc. etc. https://www.microsoft.com/en-us/security/portal/mmpc/help/infection.aspx

It seems to be? Are you kidding me ;-)

Watch it spread: https://intel.malwaretech.com/botnet/wcrypt/?t=1m&bid=all

Indicators of compromise: https://otx.alienvault.com/pulse/5915d8374da2585a08eaf2f6/

Scan for vulnerable endpoints (nmap): https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

  • Good answer, anything you could add for ordinary users reading this who might be wondering what they should do to protect themselves? Commented May 12, 2017 at 19:38
  • Just run Windows Update.
    – tbodt
    Commented May 12, 2017 at 20:08
  • @tbodt unfortunately that won't work for people running things like Windows XP. In the usual case they would get no patch, but MS have released one for this blogs.technet.microsoft.com/msrc/2017/05/12/… however it's a specific update that needs to be downloaded. Commented May 13, 2017 at 9:56
  • I believe that this is a non-answer as per Your answer is in another castle: when is an answer not an answer? Basically, try reading this but ignore the links; how much do you learn from it? (Very little, IMO.) Do consider incorporating the important details from the linked pages into the answer itself, so that this answer remains valid even if those pages are changed or become unavailable in the future.
    – user
    Commented May 13, 2017 at 18:03
  • @tbodt that is not always possible (especially in corporate environments)
    – schroeder
    Commented May 14, 2017 at 8:13

It's also important to know that there are new variants of WannaCry (dubbed WannaCry v2) which are believed not to be from the same authors.

How this malware compromises systems:

First it creates and sets the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Updates Task Scheduler" = ""[PATH_TO_RANSOMEWARE][TRANSOMEWARE_EXE_NAME]" /r"
  • HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_RANSOMEWARE]"
  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop!WannaCryptor!.bmp"

WannaCry then creates the following mutexes:

  • Global\WINDOWS_TASKOSHT_MUTEX0
  • LGlobal\WINDOWS_TASKCST_MUTEX

After this, it terminates the following processes using taskkill /f /im:

  • sqlwriter.exe
  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*

WannaCry starts searching, encrypting and appending .WCRY to the end of the file names of the following file-formats:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

For prevention Nik gave you all you need to know but I'll add that you should try to block inbound connections on port 445/TCP. Make sure not to block the following sinkhole domain, as this is the kill switch found in the Wannacry v1 binary:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Hope it helps.

NHS was doomed to be first one hit

There are many great answers here but this answer is enlightening given recent events. On January 18th, 2017 US-CERT urged admins to firewall off SMBv1, but comments on this story say the only reason Windows XP support is still around is because the NHS (UK's National Health Service, which got shut down on Friday May 12th) pays M$ tons of cash to keep it alive.

One link for all off support Windows vulnerable versions

If you have an older Windows Vista backup laptop like myself, you might be interested in KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003 which are equivalents to much talked about MS17-010. These are manual patches for EOL (End of Life) Windows versions off of support and automatic updates. Microsoft took the extraordinary step of releasing these patches over the last 48 hours.

Linux users can be affected too

If there are Linux users reading this answer I'd like to point out vulnerabilities discussed in Ask Ubuntu on this Question I posted.

Technical details not listed in other answers

This article discusses blocking specific ports and disabling SMBv1 and SMBv2 in favour of SMBv3. Part of the article states the FBI says you shouldn't pay the criminals to get your data back but in all honesty I would pay 300 bucks to get my life back.

Spooky coincidences

The Shadow Brokers have made 31 grand so far according to one article today. Interesting fact: the name first appeared (AFAIK) as a fictional group wheeling and dealing in secrets in a sci-fi video game invented in Edmonton about 10 years ago. Second interesting fact: they charge $300 to unlock your ransomed data and I used to charge $300 for data repairs of GL, AR, IC, PR, etc. That said I highly doubt the Shadow Brokers are based out of Edmonton where I live.

Version two is out and kill switch won't work

The creation of the website http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ which operates as a kill-switch to the ransomware is reported to have been side-stepped by a new version of "Wanna Cry". I haven't read many articles confirming this but in any respect the SMBv1 and SMBv2 holes should be plugged. People shouldn't rely on the kill-switch working with future "Wanna Cry" versions or any new malware / ransomware utilizing the loop-hole.

If you wonder what the kill-switch website benignly says, it is:

sinkhole.tech - where the bots party hard and the researchers harder...

Microsoft Conspiracy Theories

Those that don't believe in conspiracies can press the back button. The NSA and Microsoft knew this was coming according to this article circulating a petition demanding to know what Microsoft knew, when, where and how. The allegations are based on the timing of Shadow Brokers, NSA getting hacked and MS security updates.

  • NHS is not the only company to keep XP support alive; other big companies pay millions... IMO it's a terrible idea, they should invest toward updating their systems instead!
    – 0x1gene
    Commented May 18, 2017 at 10:19

It seems to be both a standard phishing/ransomware attack, but it's also spreading like a worm once it gets into a target network.

Windows servers are typically behind firewalls that don't pass SMB. Once the first machine on a protected network is infected, the worm propagates the attack using the SMB exploit noted above.

I'd like to get confirmation on the phishing side of the attack. Microsoft (as of two days ago) still didn't have info on the initial compromise:

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

(https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/)

[Edit] Just saw that Forbes doesn't think phishing is a major component of this attack. See https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#37038021e599 :

"...it's unlikely phishing emails were the primary infection method, given few have shared emails laced with the malware. Cisco's Talos division does not believe any phishing emails were used..."

So that would leave unprotected servers with SMB ports exposed to the open internet as the primary infection vector. That might explain some of the high profile targets reported who have widely spread networks (FedEx, NHS, etc). It would only take one unexposed computer that also connected to a wider network to bootstrap an infection.

  • seems more like a comment than an answer
    – schroeder
    Commented May 15, 2017 at 15:17
  • The question is an assertion too, so I think it's fair to answer it by refuting the certainty of the phishing claims and effectiveness of the sole SMBv1 vector.
    – mgjk
    Commented May 15, 2017 at 17:17
  • Our private InfoSec feeds are reporting details of some phishing attacks. I can't find any public information, but it does indeed appear to have a phishing vector. Check your vendors.
    – mgjk
    Commented May 15, 2017 at 17:52
  • I did much research, but there is no glimpse of any emails linked with WannaCry. Beat me if I'm wrong, but for me the search for this infection vector is over. There is nothing other than "I have heard that someone has told, he's got such a mail". In fact I registered to Stack Exchange because there are users at askubuntu who claimed to have WannaCry phishing mails. After two days of communication I could say for sure: they don't have them. And nobody else does. Look also here: nakedsecurity.sophos.com/2017/05/17/…
    – user689443
    Commented May 20, 2017 at 10:14

In addition to the preceding answers, which mention only Windows, and since there's a dup-closed question "Does WannaCry infect Linux?" pointing to this one, I'd like to add that Linux machines can get infected too if they're running Wine: https://twitter.com/hackerfantastic/status/863359375787925505

  • The real question is, why does that work?!
    – simbabque
    Commented May 20, 2017 at 8:00

While installing vendor patches is always a good idea, it's also worth noting that the malware performs a DNS check on activation. I've seen one reported domain:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

But it's likely that there may be more. Hence it should be possible to monitor your network for new infections using something like this (on a Linux/Unix box) which tests for a very long string as a domain component in a DNS query:

tcpdump -l -n -K dst port 53 | awk '$8 ~ /[^.]{20,}/ { print $0; }'   # -l: line-buffered output so awk sees each query as it arrives

(not tested: YMMV)
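One way to turn the DNS check above into repeatable detection logic, as an added Python example that is not from this answer's author: it parses tcpdump-style query lines, flags any label of 20 or more characters (the same threshold as the awk one-liner) and separately flags lookups of the kill-switch domain named in the answers, since that lookup is itself a sign that the worm has executed on the querying host. The capture lines are constructed for the example; the field layout assumed is that of `tcpdump -n` output.

```python
import re
from collections import defaultdict

# Kill-switch domain named in the answers above: WannaCry v1 looks it up before
# encrypting and stops if the lookup succeeds. A query for it from an internal
# host therefore means the worm has just executed there. Do not block it.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
LONG_LABEL = 20  # same threshold as the awk one-liner in the answer above

# Query section of a "tcpdump -n" DNS line (responses and other traffic won't match), e.g.
#   "... IP 10.0.0.7.49152 > 10.0.0.53.53: 51201+ A? www.example.com. (33)"
DNS_QUERY = re.compile(
    r"IP6? (?P<src>\S+?)\.\d+ > \S+?\.53: \d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \("
)


def classify_query(qname):
    """Return a finding for a queried name, or None if it looks ordinary."""
    name = qname.rstrip(".").lower()
    if name == KILL_SWITCH or name.endswith("." + KILL_SWITCH):
        return "kill-switch lookup: host has executed WannaCry (do not block this domain)"
    if any(len(label) >= LONG_LABEL for label in name.split(".")):
        return "unusually long DNS label"
    return None


def scan_dns_log(lines):
    """Map each querying host to its suspicious (qname, finding) pairs."""
    findings = defaultdict(list)
    for line in lines:
        match = DNS_QUERY.search(line)
        if not match:
            continue  # not a query line: a response, a truncated line, or non-DNS traffic
        finding = classify_query(match["qname"])
        if finding:
            findings[match["src"]].append((match["qname"].rstrip("."), finding))
    return dict(findings)


# Constructed sample capture (not real traffic): one kill-switch lookup, its
# response, a normal query, and a query carrying a 30-character label.
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.0.0.7.49152 > 10.0.0.53.53: 51201+ A? "
    "www." + KILL_SWITCH + ". (61)",
    "12:00:01.000410 IP 10.0.0.53.53 > 10.0.0.7.49152: 51201 1/0/0 A 192.0.2.10 (77)",
    "12:00:02.000002 IP 10.0.0.8.53000 > 10.0.0.53.53: 7+ A? www.example.com. (33)",
    "12:00:02.500000 IP 10.0.0.9.53001 > 10.0.0.53.53: 9+ AAAA? " + "a" * 30 + ".example.net. (60)",
]

if __name__ == "__main__":
    # Feed sys.stdin instead of SAMPLE_LINES to read a live "tcpdump -l -n dst port 53" stream.
    for host, hits in scan_dns_log(SAMPLE_LINES).items():
        for qname, finding in hits:
            print(f"{host}: {qname} -> {finding}")
```

The kill-switch domain must stay resolvable for the check to protect hosts, so this output is for alerting and isolating the querying machine, not for blocking the name.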

I will answer the "how to protect" part a little concisely

0. Act quickly

The malware is still spreading. If your system is unprotected, its remaining life is counted in hours.

1. Make sure to perform required system updates

Microsoft has already released patches for all versions of Windows under maintenance. Perhaps Windows ME has not been patched, otherwise go to #4

2. Backup

You can defend your infrastructure from any ransomware, or at least limit its damage, by enforcing a valid backup policy. Backing up to a vulnerable machine is meaningless in this situation. Synchronizing to the cloud can be dangerous.

3. Firewall yourself from the outside

Whether you are a home user or a large enterprise, you shall always apply the firewall rule of thumb: disable everything except services you are actually running.

Running a web application? Open only ports 80/443. Running Torrent at home? Use UPnP or choose your ports to open on your modem.

Do not use DMZ. If you really need SMB you have to think about it carefully. Discussing on ServerFault may be good.

4. Air gap or strong-firewall old machines

If you own a legacy system that is really business critical and can't be upgraded in short time, consider air-gapping it. Virtualizing an old Windows version is useless because the malware can spread on your network of outdated machines. If you fail to firewall and/or to disable SMB completely, the last option is to remove the network cable until you find a better solution
