WannaCry Ransomware

13 May 2017 · Malware News

Background on Wanna Decrypt0r 2.0 (Wanna Cry)

The WannaCry ransomware came to global prominence on May 12, 2017 and is called by several names:
  • WannaCry
  • Wanna Cry
  • Wanna Decryptor
  • Wanna Decrypt0r 2.0
  • .WNCRY virus

This attack is based on NSA exploits of a Microsoft vulnerability, which was patched in March 2017. The malware was likely compiled in North Korea. Infected computers have files encrypted with a prompt to pay a ransom of at least US$300, which rises over time.
Industries with older systems and areas with pirated software are at highest risk. In this case, the UK National Health Service (NHS) and Russia were hit the hardest.

In Calgary, many health care and electrical distribution centres still use Windows XP, which is the same unsupported operating system that made the NHS vulnerable. Many small and medium businesses in Alberta use default configurations with inconsistent patching settings. This also leaves them vulnerable to such attacks.

The virus is spread through:
  • infected computer on the same network
  • email attachments (.js, .exe, macros)
  • fake updates on infected websites
  • infected torrent files

Avoid Paying Ransom

If you were infected and haven't rebooted your computer yet, you may be able to decrypt your files without paying a ransom.
The ransomware leaves the prime numbers used to create the encryption key that encrypts your files sitting in memory. This oversight can be used to recreate the key and decrypt your files. Unfortunately, rebooting your computer clears memory and removes this option for decryption.
To decrypt:

  1. DO NOT REBOOT YOUR COMPUTER
  2. DO NOT START ANY OTHER PROGRAMS ON YOUR COMPUTER (this may overwrite the memory that is storing your decryption keys)
  3. Unplug the network cable from your computer to prevent it from spreading to other computers on your network (it's likely too late, but still a good practice)
  4. Download WanaKiwi ON A DIFFERENT COMPUTER THAN THE INFECTED COMPUTER
  5. Unzip the file and bring the file, wanakiwi.exe, to the infected computer on a USB drive
  6. Run the file from the command line: press the Windows key + R on your keyboard, type cmd and press Enter, then type e:\wanakiwi.exe and press Enter (assuming that e: is your USB drive)
  7. Contact ThreeShield to review your backup, update, and antivirus controls to reduce the likelihood that you'll need such a tool in the future
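The recovery idea behind steps 1 and 2 is that an RSA key pair is fully determined by its two primes, so if those primes survive in process memory the private key can be rebuilt from them and the public modulus. The following is an added illustration written for this page; it is not WanaKiwi's code and does not reproduce how that tool searches memory. It uses toy 64-bit primes instead of real key sizes, a constructed "memory image" (random bytes with the two primes left at arbitrary little-endian offsets, an assumed layout), and a 96-bit integer standing in for a per-file key wrapped with RSA. It also shows why rebooting matters: a zeroed image yields nothing.

```python
import math
import random

E = 65537            # standard RSA public exponent
PRIME_BITS = 64      # toy size for speed; real ransomware uses far larger primes
PRIME_BYTES = PRIME_BITS // 8


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin primality test (probabilistic, adequate for this illustration)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until it passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def make_keypair(rng):
    """Return (p, q, n, d): the two primes, the public modulus and the private exponent."""
    while True:
        p, q = gen_prime(PRIME_BITS, rng), gen_prime(PRIME_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p, q, p * q, pow(E, -1, phi)


def rsa_encrypt(m, n, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def build_memory_image(rng, p, q, size=4096):
    """Constructed stand-in for a process heap: random bytes with both primes left
    behind as little-endian integers at arbitrary (assumed) offsets."""
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    off_p = rng.randrange(0, size // 2 - PRIME_BYTES)
    off_q = rng.randrange(size // 2, size - PRIME_BYTES)
    buf[off_p:off_p + PRIME_BYTES] = p.to_bytes(PRIME_BYTES, "little")
    buf[off_q:off_q + PRIME_BYTES] = q.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def recover_private_key(memory, n, e=E):
    """Slide a PRIME_BYTES window over the image. Any value strictly between 1 and n
    that divides n must be one of its prime factors; the other factor is n // p,
    and together they give phi and therefore the private exponent d."""
    for off in range(len(memory) - PRIME_BYTES + 1):
        cand = int.from_bytes(memory[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return pow(e, -1, (p - 1) * (q - 1))
    return None   # nothing usable in memory (e.g. after a reboot)


def demo(seed=1234):
    """Returns (key rebuilt from live memory?, nothing found after reboot?, file key decrypts?)."""
    rng = random.Random(seed)
    p, q, n, d = make_keypair(rng)
    file_key = rng.getrandbits(96)            # stands in for a wrapped per-file key
    wrapped = rsa_encrypt(file_key, n)
    live = build_memory_image(rng, p, q)
    rebooted = bytes(len(live))               # memory cleared: primes are gone
    d_live = recover_private_key(live, n)
    d_reboot = recover_private_key(rebooted, n)
    return (d_live == d, d_reboot is None, rsa_decrypt(wrapped, n, d_live) == file_key)


if __name__ == "__main__":
    print(demo())
```

The scan only needs the public modulus n, which a victim machine holds anyway; the whole point of step 2 is that every new process allocation can overwrite the window that still holds p or q.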


Status of WannaCry Attack

The first wave is over... for now
The good news is that the original incarnation of the WannaCry ransomware was stopped when MalwareTech registered a domain that WannaCry used as a kill switch. This won't help those who were already infected (although the tool mentioned above may) but it will stop future infections of this variant. Check Point used the same technique to stop a second wave from spreading.

The bad news is that it'll just take a small variation in the code to start spreading again. As a result, companies that aren't protected are still at risk. There have already been a few new versions released.

Who was vulnerable to this attack?

The WannaCry ransomware victims fell into three categories:
  1. Organizations without adequate patch management
    In this case, systems missing the two-month-old patch, MS17-010, were vulnerable.
  2. Organizations with unsupported Windows® systems
    Microsoft typically doesn't release patches for older versions of Windows. Given the severity of this vulnerability, however, Microsoft released special patches for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.
  3. Organizations that had unused services enabled.
    Unless you still have workstations running a Windows version older than Windows Vista or servers older than Windows Server 2008, you don't need SMBv1 (the service that WannaCry exploited) enabled. Microsoft has an article on disabling the service.
    Our Windows Security Analyzer checks for such unused services and we check for such problems as part of our vulnerability assessment service.
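The three categories above can be turned into a repeatable check against a host inventory. The following is an added example written for this page, not part of the Windows Security Analyzer or any ThreeShield tool. It assumes an inventory that records each host's NT kernel version, whether Microsoft still supports it, which bulletins were applied and whether SMBv1 is enabled; the hosts listed are constructed. It applies the section's rule fleet-wide: SMBv1 is only justified while some system older than Vista or Server 2008 (NT 6.0) is still on the network.

```python
from dataclasses import dataclass

NT_VISTA = 6.0          # Vista and Server 2008 are NT 6.0; anything lower is pre-Vista/2008
MS17_010 = "MS17-010"


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    nt_version: float
    vendor_supported: bool        # still receives regular Microsoft patches
    bulletins_applied: frozenset  # security bulletins confirmed installed
    smb1_enabled: bool


def audit_fleet(hosts):
    """Map each host name to its findings under the three categories above."""
    # SMBv1 is only needed if at least one pre-Vista / pre-2008 system must be reached.
    legacy_present = any(h.nt_version < NT_VISTA for h in hosts)
    report = {}
    for h in hosts:
        findings = []
        if MS17_010 not in h.bulletins_applied:
            findings.append("missing MS17-010 (category 1: patch management)")
        if not h.vendor_supported:
            findings.append("unsupported Windows version (category 2)")
        if h.smb1_enabled and h.nt_version >= NT_VISTA and not legacy_present:
            findings.append("SMBv1 enabled with no pre-Vista/2008 systems to serve (category 3)")
        report[h.name] = findings
    return report


# Constructed sample inventory (hypothetical hosts).
SAMPLE_FLEET = [
    Host("WS-01", "Windows 10", 10.0, True, frozenset({MS17_010}), False),
    Host("WS-02", "Windows 7", 6.1, True, frozenset(), True),
    Host("SRV-03", "Windows Server 2008 R2", 6.1, True, frozenset({MS17_010}), True),
    Host("XP-04", "Windows XP SP3", 5.1, False, frozenset(), True),
]


def hosts_at_risk(report):
    """Names of hosts with at least one finding."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, findings or ["ok"])
```

Run against the sample fleet, the XP host keeps SMBv1 from being flagged on the others; remove it (the category 2 fix) and SMBv1 on the Windows 7 and Server 2008 R2 hosts becomes a category 3 finding, which is the order of operations a remediation plan should follow.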

Applying the patches and disabling the service described above would have prevented this one attack, but individual patches will not provide reliable, sustainable protection.

How can I protect myself in the future?

The short answer: review your patch management system and system configurations.
If you don't have time or resources to do so internally, please contact us.

Nearly all of our clients tell us that they have patch management processes or settings in place. However, after their vulnerability assessment, we typically find exposed systems missing patches.

Why? Most IT departments are stretched very thin and don't have time to monitor their patching and emerging threats. Companies with WSUS deployed typically have better patching than those that rely on employees to deploy patches. However, system configurations require periodic reviews to make sure that none are missed and that patches are being applied correctly. In addition, WSUS doesn't cover non-Microsoft patches. Systems like Ivanti Patch (formerly Shavlik) provide more comprehensive patching. Our Windows Security Analyzer checks the installation and configuration of both services. However, we recommend a comprehensive vulnerability assessment to ensure that nothing is preventing patches from being properly deployed. The most common patching problems that we find include:

  • Troubleshooting changes
  • Connection problems
  • Network configurations
  • "Shadow IT" systems
  • Development and new systems without agents properly installed
  • Recovery and backup issues
  • VPN configurations
  • Workstation configuration changes
  • Licensing issues
  • Stopped services due to resource/software conflicts