After the kill switch, Now WannaCry 2.0 is out in the wild – It’s not over.

How to remove WannaCrypt / WCry Ransomware (Video)

If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” to stop WannaCry ransomware from spreading further, but it’s not over, criminals have just launched WannaCry 2.0 with no ‘kill-switch’ functionality.

WannaCry has already infected over 200,000 computers across 99 countries worldwide only in past two days, and now this latest version can take over other hundreds of thousands of unpatched computers without any disruption.

No, It’s not over yet, WannaCry 2.0 is on hunt!

In our previous two articles, we put together more information about this massive ransomware campaign, also explaining how the researcher, known as MalwareTech, accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware, but it does not repair computers that are already infected.

That domain was responsible for keeping WannaCry propagating and spreading like a worm, but MalwareTech registered the domain in question, and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system.

If you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken, because as soon as the attackers realize, they came back.

Costin Raiu, the director of global research and analysis team at Kaspersky Labs has confirmed the arrival of WannaCry 2.0 variants without kill-switch function.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Raiu told Motherboard.

So, expect a new wave of ransomware attack, with an updated WannaCry variant, which would be difficult to stop, until and unless all vulnerable systems get patched.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts.” Matthew Hickey, a security expert and co-founder of Hacker House says The Hacker News.

Instead of depending upon mass email spamming, just like an ordinary malware campaign, WannaCry cyber attack leverages SMB exploit to remotely hijack vulnerable computers just by scanning every IP address on the Internet.

 Even after WannaCry made headlines all over the Internet and media, there are still hundreds of thousands of unpatched systems easily available open to the Internet.

“The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success.” Hickey says.

So, the new strain of WannaCry 2.0 malware would not take enough time to take over these systems as well as others connected to the same local network.

Demo of WannaCry Ransomware Infection

Matthew has also provided The Hacker News two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).

And Second one…

Hickey also warned: Since, the WannaCry is a single executable file, so it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download.

Get Prepared: Install Security Patches & Disable SMBv1

MalwareTech also warned: “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”

As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.

Even after this, I believe, many individuals remain unaware of the new patches and many organizations running on older or unpatched versions of Windows, who are considering to upgrade their operating systems, would take time as well as it’s going to cost them money for getting new licenses.

So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.

For god sake: Apply Patches. Microsoft has been very generous to you.

Almost all antivirus vendors have already been added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up-to-date.

Moreover, you can also follow some basic security practices I have listed to protect yourself from such threats.

Systems Affected

Microsoft Windows operating systems

Overview

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. According to open sources, one possible infection vector is via phishing emails.

Technical Details

Indicators of Compromise (IOC)

IOCs are provided within the accompanying .xls file of this report.

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {

meta:

description = “Detects WannaCry Ransomware on disk and in virtual page”

author = “US-CERT Code Analysis Team”

reference = “not set”

date = “2017/05/12”

hash0 = “4DA1F312A214C07143ABEEAFB695D904”

 

strings:

$s0 = {410044004D0049004E0024}

$s1 = “WannaDecryptor”

$s2 = “WANNACRY”

$s3 = “Microsoft Enhanced RSA and AES Cryptographic”

$s4 = “PKS”

$s5 = “StartTask”

$s6 = “[email protected]

$s7 = {2F6600002F72}

$s8 = “unzip 0.15 Copyrigh”

condition:

$s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8

}

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

rule MS17_010_WanaCry_worm {

meta:

description = “Worm exploiting MS17-010 and dropping WannaCry Ransomware”

author = “Felipe Molina (@felmoltor)”

reference = “https://www.exploit-db.com/exploits/41987/

date = “2017/05/12″

strings:

$ms17010_str1=”PC NETWORK PROGRAM 1.0″

$ms17010_str2=”LANMAN1.0″

$ms17010_str3=”Windows for Workgroups 3.1a”

$ms17010_str4=”__TREEID__PLACEHOLDER__”

$ms17010_str5=”__USERID__PLACEHOLDER__”

$wannacry_payload_substr1 = “h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j”

$wannacry_payload_substr2 = “h54WfF9cGigWFEx92bzmOd0UOaZlM”

$wannacry_payload_substr3 = “tpGFEoLOU6+5I78Toh/nHs/RAP”

condition:

all of them

}

Initial Analysis

The WannaCry ransomware received and analyzed is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed  to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Recommended Steps for Prevention

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  • Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Have regular penetration tests run against the network. No less than once a year. Ideally, as often as possible/practical.
  • Test your backups to ensure they work correctly upon use.

Recommended Steps for Remediation

  • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

Defending Against Ransomware Generally

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

References

  • Malwarebytes LABS: “WanaCrypt0r ransomware hits it big just before the weekend
  • Malwarebytes LABS: “The worm that spreads WanaCrypt0r”
  • Microsoft: “Microsoft Security Bulletin MS17-010”
  • Forbes: “An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak”
  • Reuters: “Factbox: Don’t click – What is the ‘ransomware’ WannaCry worm?”
  • GitHubGist: “WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm”


Comments

comments

Leave a Reply