This Past Weekend Made All of Us WannaCry

Written by Irena Damsky | May 14, 2017

On May 12^th, an outburst of a new Ransomware named WannaCry (aka WannaCrypt, WCry) took place. This ransomware, spread wildly in a short amount of time, infected over 100K victims in over 99 countries utilizing the MS17-010 Vulnerability. The following image from the live infection map, demonstrating how big the impact of this campaign had been over the past 24 hours.

The MS17-010 Vulnerability was first made public during the ShadowBrokers’ leak of CIA data back in April of this year and was dubbed ETERNALBLUE. It is a critical vulnerability in the SMBv1 server which can (and did in this case) be wormable. Microsoft patched this vulnerability on March 14^th 2017 and released a special security bulletin for it a whole month prior to the ShadowBroker’s leak. Furthermore, during the events of the past weekend, and the mass ransomware infections that took place, Microsoft released another, out of band patch for a no longer supported version of windows – Windows XP and even released a guide of how to protect yourself from the WannaCry attacks.

As of today, May 14^th, the WannaCry attacks have ceased after the researcher behind the MalwareTechBlog had registered a domain that is effectively used as a kill switch for the Ransomware distribution.

Some of the bigger entities that were infected include the NHS, Telefonica Spain, Nissan, FedEX, Government agencies all over the world, German Rail services, Chinese banks and many more.

We will never forget #wannacry 12.05.2017 Part 1 pic.twitter.com/zqcEndddgM
— Sergey @k1k_ Golovanov📡 (@k1k_) May 13, 2017

Although so many were infected, the criminals didn't make much of a win:

The three bitcoin wallets tied to #wcry ransomware have received 110 payments totaling $32,021.68 USD.
— actual ransom (@actual_ransom) May 14, 2017

So, what can you do to protect yourself?

If you haven’t yet – STOP WHATEVER YOU ARE DOING AND RESTART your windows machine to apply all patches.
Enable The Anonymous Networks target on your ThreatSTOP IP and DNS Firewalls. This way, you will block all communication with Tor from your organization and minimize the chances for an attack, while stopping your employees from bypassing your corporate defences.
Use Minerva’s Vaccinator – It is free and will cause the malware to bypass your machines.
Consider disabling legacy protocols on networks, if you don’t need it, why is it there? (and specifically SMBv1)

If you would like to read more, we recommend the following resources (this list keeps updating, so come back to check it out later):

An Advisory from the Luxemberg CERT
WannaCrypt fact sheet
Technical Analysis by ENDGAME
Do not pay the ransom - Check Point reseach team say that the files will not be decrypted.
SANS Institute - presentation for management
SANS Institute - Friday Webcast with technical details
Reposify have a mapping of all the vulnerable devices on the interet - you can check if you are there!

Stay Safe!

View full post