Monday, May 15, 2017

Oops! Your important files are encrypted. - Ransomware (WannaCry in Nepal?)

There was nothing new about these words. We had heard a lot about ransomware like Cryptowall, Jigsaw, Cerber, Cryptolocker, Teslacrypt, Locky and more: display a nasty message on the desktop, ask for a ransom and encrypt almost all files on the system. But this very sentence (Oops! Your important files are encrypted.) and this variant of ransomware were completely different from the others. It was more of a ransomware worm. Cyber criminals had started a new, sophisticated cyber-attack campaign on Friday (12th May 2017). I am sure this Monday (15th May) was definitely the most hectic day for most IT guys, fixing the infected systems and rolling out the patch, with paying the ransom ($300 or $600) as the last option.

We heard stories of the Google Docs phishing attack campaign spreading like a worm about two weeks back. And now the most deadly ransomware worm, known as WannaCrypt, WannaCry, WannaCrypt0r, WCryptor or WCRY, has started its attack on the internet, infecting thousands of devices and affecting more than a hundred countries. Russia, Ukraine and India were among the top victims of this recent attack, as reported by Kaspersky.
Figure shows countries affected by the WannaCry ransomware

The ransomware came out on Friday, causing an extremely chaotic situation across the whole world. Targets included extremely high-profile organizations: government forces, railway stations, hospitals, universities and many public and private organizations, among them the Russian Interior Ministry in Russia, Deutsche Bahn in Germany, FedEx in the US, the National Health Service (NHS) in the UK, Renault in France, Portugal Telecom in Portugal, Telefonica in Spain, Andhra Pradesh Police in India and others, who were the serious victims of this recent cyber-attack. Large-scale cyber-attacks of this kind could be the beginning of a new trend for organized cyber criminals. As workdays started on Monday, the number of affected companies, communities and people could still rise. As reported today by China's news agency, around thirty thousand companies have been hit in China and more than two thousand computers have been infected in Japan, and the number is still rising.

NHS was protected with Sophos (seems like technology alone cannot be trusted? Security is not a product, it's a continuous process).

While working around, I also came to know that some high-profile ISPs and private organizations of Nepal could be victims of this ransomware attack campaign. Organizations like Nepal Telecom, Subisu, Worldlink, OTEL, Kantipur Media Group and more were found to be highly vulnerable to the WannaCry ransomware attack, or rather to the EternalBlue and DoublePulsar exploit attack.
All Windows versions before Windows 10 are vulnerable to 'WannaCry' if not patched for MS17-010. The ransomware worm uses the EternalBlue exploit for MS17-010 to propagate.

EternalBlue, sometimes stylized as ETERNALBLUE, is an exploit developed by the U.S. National Security Agency (NSA). It was released by the Shadow Brokers hacker group on April 14, 2017.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The attackers were able to take advantage of this very vulnerability to compromise systems and propagate around the globe in the form of a ransomware worm.

After the chaotic spread of this ransomware worm, Microsoft also came out with an update for Windows XP, although End of Life (EOL) for Windows XP was on 8th of April 2014.

But, as of now, the ransomware worm is down, meaning that a researcher and blogger by the name of MalwareTech slowed down the cyber-attack by simply registering the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com under the name 'Botnet Sinkhole'. This acted as a kill switch for the ransomware, since the ransomware's working mechanism was to look up the mentioned domain: if the domain was up, the attack would stop, otherwise it would continue propagating. However, another researcher (Matthieu Suiche) has also confirmed that he found a new WannaCry variant with a different kill switch and registered the new domain ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Multiple security researchers have claimed that there are more samples of the ransomware with different kill switches and even without any kill-switch function.

As of 14th May, a total of $33,319.59 has been paid. Three bitcoin addresses were hardcoded into the ransomware itself:
(13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)

So far, these are the C&C servers found from various sources:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

C&C IP addresses found from various sources:

188[.]166[.]23[.]127:443
193[.]23[.]244[.]244:443
2[.]3[.]69[.]209:9001
146[.]0[.]32[.]144:9001
50[.]7[.]161[.]218:9001
217[.]79[.]179[.]77
128[.]31[.]0[.]39
213[.]61[.]66[.]116
212[.]47[.]232[.]237
81[.]30[.]158[.]223
79[.]172[.]193[.]32
89[.]45[.]235[.]21
38[.]229[.]72[.]16
188[.]138[.]33[.]220
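The kill-switch behaviour described above has a useful detection side-effect: once the domain is sinkholed, a DNS query for it from an internal host does not mean the host was saved, it means the sample ran there. The following PowerShell script is an added example, not code from the original post. It loads the kill-switch domains, .onion services and C&C addresses listed above exactly as de-fanged in the post, re-fangs them, and matches them token-by-token against proxy/DNS log lines so that `2.3.69.209` cannot match inside `12.3.69.209`. The log lines and their format are constructed sample data.

```powershell
# Added example (not from the original post): hunt for the WannaCry network IoCs
# listed in the post in proxy/DNS log lines. Sample log lines are constructed.

# IoCs exactly as given in the post, in de-fanged form ([.] instead of .)
$KillSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com',
    'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com'
)
$OnionC2 = @(
    'gx7ekbenv2riucmf.onion', '57g7spgrzlojinas.onion', 'xxlvbrloxvriy2c5.onion',
    '76jdd2ir2embyv47.onion', 'cwwnhwhlz52maqm7.onion'
)
$C2Addresses = @(
    '188[.]166[.]23[.]127:443', '193[.]23[.]244[.]244:443', '2[.]3[.]69[.]209:9001',
    '146[.]0[.]32[.]144:9001', '50[.]7[.]161[.]218:9001', '217[.]79[.]179[.]77',
    '128[.]31[.]0[.]39', '213[.]61[.]66[.]116', '212[.]47[.]232[.]237', '81[.]30[.]158[.]223',
    '79[.]172[.]193[.]32', '89[.]45[.]235[.]21', '38[.]229[.]72[.]16', '188[.]138[.]33[.]220'
)

function ConvertFrom-Defanged {
    # Turn '188[.]166[.]23[.]127:443' into '188.166.23.127' (the port is dropped so that
    # a connection to the same address on another port still matches).
    param([Parameter(Mandatory)][string]$Indicator)
    ($Indicator -replace '\[\.\]', '.') -replace ':\d+$', ''
}

function Find-WannaCryIoc {
    # Emits one object per (line, indicator) hit. Lines are split into host/IP tokens and
    # compared whole, which avoids substring false positives (2.3.69.209 vs 12.3.69.209).
    param([Parameter(Mandatory)][string[]]$LogLines)
    $indicators = @{}   # PowerShell hashtable keys are case-insensitive by default
    foreach ($d in $KillSwitchDomains) {
        $indicators[(ConvertFrom-Defanged $d)] = 'kill-switch domain (sinkholed: a hit means the sample ran on this host)'
    }
    foreach ($o in $OnionC2)     { $indicators[$o] = 'Tor C&C hidden service' }
    foreach ($a in $C2Addresses) { $indicators[(ConvertFrom-Defanged $a)] = 'C&C IP address' }

    foreach ($line in $LogLines) {
        foreach ($token in ($line -split '[^A-Za-z0-9\.\-]+' | Where-Object { $_ })) {
            if ($indicators.ContainsKey($token)) {
                [pscustomobject]@{ Indicator = $token; Type = $indicators[$token]; Line = $line }
            }
        }
    }
}

# Constructed sample lines; the "timestamp client verb target" layout is hypothetical.
$SampleLog = @(
    '2017-05-12T09:14:03Z 10.0.5.23 DNS query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    '2017-05-12T09:14:05Z 10.0.5.23 CONNECT 188.166.23.127:443',
    '2017-05-12T09:15:10Z 10.0.7.8 GET http://intranet.example/index.html 200',
    '2017-05-12T09:16:00Z 10.0.5.23 CONNECT gx7ekbenv2riucmf.onion:80'
)

# Expected: three hits, all from 10.0.5.23; the intranet line produces none.
Find-WannaCryIoc -LogLines $SampleLog | Format-Table -AutoSize
```

Feed it real logs with `Get-Content` piped into `-LogLines`. Treat any kill-switch hit as an infected host to isolate and re-image, not as a near miss; the Tor and C&C hits indicate the same, and the .onion names will only appear in logs on hosts where Tor traffic is proxied or DNS-logged.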

The filetypes that it looks to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der


How to be safe?
  • For now, ensure that all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • If your organization has SMB publicly accessible via the internet (ports 139, 445), those ports should immediately be blocked for inbound traffic.
  • If your organization is using Snort, then apply Snort rules 42329-42332, 42340 and 41978 immediately.
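The first two points above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not from the original post: it reports whether an MS17-010 hotfix is installed, whether SMBv1 (the SMB dialect MS17-010 patches and EternalBlue targets) is still enabled, and whether an inbound block for TCP 139/445 exists, and it can apply the latter two. Assumptions: the KB ids are not hardcoded (pass the ones for your Windows build from the MS17-010 bulletin), the firewall rule name is one I chose, and the `Get-SmbServerConfiguration`/`Set-SmbServerConfiguration` cmdlets require Windows 8/Server 2012 or later.

```powershell
# Added example (not from the original post). Run elevated on Windows 8/Server 2012+.
# KB ids are deliberately NOT hardcoded: take them from the MS17-010 bulletin for your OS.

$SmbBlockRuleName = 'Block inbound SMB (WannaCry)'   # name chosen for this example

function Test-Ms17010Patched {
    # True if at least one of the supplied MS17-010 hotfix ids is installed on this host.
    param([Parameter(Mandatory)][string[]]$HotfixIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($id in $HotfixIds) {
        if ($installed -contains $id) { return $true }
    }
    return $false
}

function Get-SmbExposure {
    # Reports whether SMBv1 is still enabled server-side and whether the inbound block exists.
    $smb1  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $block = Get-NetFirewallRule -DisplayName $SmbBlockRuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled       = $smb1
        InboundSmbBlocked = [bool]$block
    }
}

function Invoke-SmbHardening {
    # Disables SMBv1 and blocks inbound TCP 139/445 on every firewall profile.
    # Caveat: this also stops legitimate file/print sharing TO this host. For file servers,
    # scope the rule with -RemoteAddress to the networks that must reach them instead of
    # leaving SMB open everywhere. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMB1 and block inbound TCP 139/445')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if (-not (Get-NetFirewallRule -DisplayName $SmbBlockRuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $SmbBlockRuleName -Direction Inbound `
                -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        }
    }
}

# Usage:
#   Test-Ms17010Patched -HotfixIds @('KB<id from MS17-010 for this OS build>')
#   Invoke-SmbHardening -WhatIf      # dry run
#   Invoke-SmbHardening              # apply
Get-SmbExposure
```

Blocking 445 at the host firewall does not replace blocking it at the internet edge (the post's second point), and disabling SMBv1 does not replace the patch: an unpatched host that still speaks SMBv1 to a peer on the LAN is exactly what lets the worm move laterally.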

These kinds of attacks are more likely to happen in the future as well; it all starts with just one click of yours, so stay safe, stay secure.

At least follow the below-mentioned points:
  • First and foremost, be sure to back up your most important files on a regular basis.
  • Personalize your anti-spam settings the right way.
  • Refrain from opening attachments that look suspicious.
  • Think twice before clicking.
  • Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
  • In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
  • Keep the Windows Firewall turned on and properly configured at all times.
  • Enhance your protection more by setting up additional Firewall protection.
  • Adjust your security software to scan compressed or archived files, if this feature is available.
  • Consider disabling Windows PowerShell, which is a task automation framework, if you do not use it.
  • Disable Macros and ActiveX in Microsoft Office components.
  • Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
  • Deactivate AutoPlay.
  • Make sure you disable file sharing.
  • Disable remote services if not in use.
  • Block known-malicious Tor IP addresses.