On Friday, May 12th, our digital lives were disrupted by the latest cyberattack, WannaCrypt (a.k.a. WannaCry). It was a reminder to everyone that security continues to be a paramount agenda item for every business and technology leader as they look to digitally transform their organizations. This new ransomware spreads like a worm: it first surfaced in the UK and Spain and then quickly spread globally, locking hospitals, businesses, governments, and home computers out of their data unless a ransom was paid in Bitcoin. The exploits used in the attack were drawn from those stolen from the National Security Agency (NSA) in the United States, which were publicly reported earlier this year.
This attack brought forward the importance of running a well-secured infrastructure to protect against these zero-day exploit situations, which leveraged vulnerabilities that had already been FIXED by Microsoft one month prior: on March 14, Microsoft released a security update to patch this vulnerability and protect our customers. We understand that organizations need time to test their systems and applications before deploying the latest patches and updates; however, we now have tools like System Center Configuration Manager (SCCM) and Microsoft Intune which provide the right solutions to manage this deployment lifecycle. Aboutxtreme offers fixed-cost consulting offerings for SCCM, EMS and Optimized Desktops to help you get started and optimized on these solutions quickly.
Generally, ransomware does not spread rapidly and relies on social engineering techniques to target users; however, in this unique case the perpetrators used well-known public SMB exploits for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems and does not affect Windows 10.
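The exposure described above is a host that still serves SMBv1 and lacks MS17-010. The following PowerShell script is an added example, not part of the original post or of Microsoft's own guidance; it assumes an elevated session and that you replace the `KB<placeholder>` value with the MS17-010 KB identifier(s) for your OS from the bulletin, since KB numbers are not given here.

```powershell
# Added example: report a host's exposure to the SMBv1 attack path (SMBv1 enabled
# and MS17-010 absent) and, with -Remediate, disable SMBv1 on the server side.
# Assumptions: elevated session; $Ms17010Kbs is a placeholder you fill from MS17-010.
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kbs = @('KB<placeholder>')
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting via the SmbShare module
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 (the systems the worm targets): the LanmanServer
    # 'SMB1' DWORD controls it; a missing value means SMBv1 is enabled by default
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    foreach ($kb in $Kbs) {
        if ($kb -like '*placeholder*') { continue }   # skip the unfilled placeholder
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

$smb1Enabled = Get-Smb1ServerEnabled
$patched     = Test-Ms17010Installed -Kbs $Ms17010Kbs

# One row per host, suitable for collecting across a fleet via Invoke-Command
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Smb1Enabled    = $smb1Enabled
    Ms17010Present = $patched
    Exposed        = ($smb1Enabled -and -not $patched)
}

if ($Remediate -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Legacy path: registry change takes effect after a reboot
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord
    }
}
```

Disabling SMBv1 is defense in depth on top of the patch, and it will break any remaining legacy clients that can only speak SMBv1, so inventory those before using -Remediate.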
The threat arrives as a dropper Trojan that has the following two components:
- A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
- The ransomware known as WannaCrypt
The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”, together with the following message:
The dropper tries to connect to the following domains using the API InternetOpenUrlA():