This week a major global ransomware attack is reported,know as “WannaCry/Wcry/WannaCrypt”
What is WannaCry/Wcry/WannaCrypt ?
The ransomware is spread using the known and patched vulnerability MS17-010 ( an SMB Server Message Block protocol) and researchers tell that the encryption used in “WannaCry/Wcry/WannaCrypt” ransomware is RSA-2048 which mean the decryption is impossible, unless there is a flaw in code of ransomware. This variant of ransomware will make System unusable unless a ransom was paid.
Who will be infected?
Systems where SMB Protocol is enabled and where the latest patch MS17-010 which addresses the vulnerabilities in SMBv1 is not installed.
Indications of Compromise ?
Files created:
- %SystemRoot%\mssecsvc.exe
- %SystemRoot%\tasksche.exe
- %SystemRoot%\qeriuwjhrf
- b.wnry
- c.wnry
- f.wnry
- r.wnry
- s.wnry
- t.wnry
- u.wnry
- taskdl.exe
- taskse.exe
- 00000000.eky
- 00000000.res
- 00000000.pky
- @WanaDecryptor@.exe
- @Please_Read_Me@.txt
- m.vbs
- @WanaDecryptor@.exe.lnk
- @WanaDecryptor@.bmp
- 274901494632976.bat
- taskdl.exe
- Taskse.exe
- Files with “.wnry” extension
- Files with “.WNCRY” extension
Registry keys created:
- HKLM\SOFTWARE\WanaCrypt0r\wd
Preventive Measures?
The below measures can be taken, to prevent or reduce the likelihood of system getting infected by ransomware.
Technical Controls
- Ensure all your Anti Malware, Anti-Virus systems are updated with latest signatures and virus definitions and inspect all the traffic at host level.
- Ensure all your security patches for the systems are installed and applied.
- Ensure UAC (User Access Control) is enabled on windows and set to “Always Notify”.
- Enable Operating System to show file extensions, so that end user identifies the difference between the infected and non-infected files
- Sample files names:
- pdf – Non Infected file
- pdf.exe – Infected file
- Ensure Auto Play is disabled on the Systems.
- Ensure Active X and macro features are disabled working with Microsoft applications.
- Ensure SMB is disabled on Systems.
- Block all the suspicious domains and destination locations on your network security devices.
- Block all the executable files running from form the following folders %APPData%,%TEMP%,%LocalAppData%,%ProgramData%
- Block all the Peer to Peer connections, which will prevent from infected systems sending/communicating to CNC servers.
- Implement email security features like DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy framework) and DKIM (DomainKeys Identified Mail).
- Install Microsoft EMET (Microsoft Enhanced Mitigation Experience Toolkit) along with your preferred antivirus.
Process Controls
- Build an efficient Backup process, which should include 3-2-1 backup rule. Have at least three copies of the most valuable data, keep two of them on different external media, and store one copy offsite. Conduct regular testing of your backup data.
- Implement computer emergency response team and they should
- Identify the security incidents
- Prioritise the incidents
- Record all the incidents and manage them for a better understanding
- Remediate the incidents with appropriate controls
- Security Awareness Training Programmes
Detailed Analysis from Microsoft is Available at
wings2i.wordpress.com 