The WannaCry ransomware attack has struck more than 300,000 computers, according to White House homeland security adviser Tom Bossert. While the rate of new infections is slowing, the risk is by no means over. The initial wave was largely halted thanks to MalwareTechBlog, a UK cyber security researcher, and Darien Huss locating a kill switch in the malware and activating it by registering the domain it checks.
Also known as WCrypt, WannaCrypt, WanaCrypt0r, Wana Decryptor or WCry, the malware encrypts the files on a computer and demands payment to decrypt them. Before the ransomware payload runs, the malware tries to connect to a hard-coded URL on a domain that had not yet been registered; if the connection succeeds, it exits without encrypting anything. MalwareTechBlog registered the www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain and thereby activated the kill switch, a likely misstep by the malware's author.
However, the researchers warned that this is not the end of it:
"This is not over. The attackers will realize how we stopped it, they'll change the code and then they'll start again. Enable Windows Update, update and then reboot." (MalwareTech)
Note also that the kill-switch check does not use the system proxy settings, so on a machine that can only reach the Internet through a proxy the check fails and WannaCry still executes. Ransomware attacks have become more commonplace recently, and Europol called this one unprecedented. As of yesterday, any system booted without the MS17-010 patch and with TCP port 445 reachable was still at risk.
The attack exploits a vulnerability in Microsoft's SMBv1 implementation, patched by MS17-010 in March 2017. Windows XP, Windows 8 and Windows Server 2003 were out of support and initially had no patch available, which is why they were singled out; Microsoft has since released an emergency update for them. If you are running an up-to-date version of Windows 10, Windows 8.1, Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016, you should be safe. Mac and Android operating systems are not affected.
Two notes from Microsoft's update guidance when installing the patch on Windows 8.1 and Windows Server 2012 R2:
- All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. Microsoft recommends that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
- If you install a language pack after you install this update, you must reinstall this update. Microsoft recommends that you install any language packs that you need before you install this update.
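The checks a practitioner will want before trusting a host, as an added example that is not from the original article: it reports whether one of the original MS17-010 packages is installed, whether the SMBv1 server is still enabled, and what is listening on TCP 445, and offers a hardening function. The KB list, the fan-out of which versions map to which package, and the firewall-rule name are assumptions for illustration; on hosts updated after March 2017 the original packages are superseded by cumulative updates, so the SMBv1 check is the reliable signal.

```powershell
# Added example (not from the original article): audit a Windows host for the
# conditions WannaCry needs, and optionally harden it. Run in an elevated
# PowerShell session. The KB numbers are the original March 2017 MS17-010
# packages (assumed mapping below); later cumulative updates supersede them, so
# no match on a fully patched host is NOT proof of exposure.

$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Windows 8 / Vista (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    # Returns the matching hotfix IDs, or nothing if none of the original packages is present.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later only.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    return 'unknown (cmdlet unavailable on this OS)'
}

function Get-Port445Exposure {
    # TCP 445 listening sockets: an inbound-reachable SMB service on an unpatched
    # host is exactly what the worm's port-445 scan is looking for.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Disable-Smb1AndBlock445 {
    # Hardening: turn off the SMBv1 server and drop inbound 445 on the Public profile.
    # Set-SmbServerConfiguration takes effect immediately; no reboot is needed for it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (WannaCry mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public |
        Out-Null
}

$patches = Test-Ms17010Patch
$patchText = if ($patches) { $patches -join ', ' } else { 'none found (may be superseded by a later cumulative update)' }
"MS17-010 original package present : $patchText"
"SMBv1 server enabled               : $(Test-Smb1Enabled)"
"Listening on TCP 445               :"
Get-Port445Exposure | Format-Table -AutoSize
# Uncomment to apply the hardening after reviewing the output:
# Disable-Smb1AndBlock445
```

On Windows 7 and Server 2008 R2, where Get-SmbServerConfiguration does not exist, the equivalent switch is the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 (DWORD 0 disables the SMBv1 server). The firewall rule is limited to the Public profile because blocking 445 on the Domain profile would break ordinary file and printer sharing; segment 445 at the network edge instead.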
How is WannaCry Spread?
WannaCry spread more quickly than any ransomware before it thanks to EternalBlue, a recently leaked NSA exploit for a Windows SMBv1 vulnerability. Early reports said the first Windows computer was infected in London when a user opened an email attachment, a compressed zip file, which then infected their network. By Friday, Spanish mobile operator Telefónica was among the first large businesses hit. Before noon, hospitals across the United Kingdom began reporting problems. Renault, Deutsche Bahn, MegaFon, Sberbank and even FedEx were also among the victims.
Once executed, WannaCry installs a service called mssecsvc2.0 with the display name Microsoft Security Center (2.0) Service. It then launches the ransomware executable and a worm component that replicates by two methods. The first thread calls the GetAdaptersInfo function to obtain the IP ranges of the local network, builds an array of every IP in those ranges, connects to each on TCP port 445, and spawns a new thread to exploit the target using MS17-010/EternalBlue. The second method generates random public IPv4 addresses and attempts the same port-445 exploit against them, which is how the worm jumped between organizations. For additional detail regarding WannaCry, Malwarebytes Labs has written an in-depth article.
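Both behaviours described above leave host-observable traces, and this added example (not part of the original article or the Malwarebytes write-up) looks for them: the persisted mssecsvc2.0 service, and a process fanning out to TCP 445 across many distinct hosts, which is what the local-subnet and random-IP scanning threads look like from the infected machine. The peer-count threshold is an assumption for illustration.

```powershell
# Added example (not from the original article): hunt for WannaCry's footprint on a
# Windows host. Run in an elevated PowerShell session on Windows 8 / Server 2012 or
# later (Get-NetTCPConnection is required).

function Find-WannaCryService {
    # The worm registers a service named 'mssecsvc2.0' with display name
    # 'Microsoft Security Center (2.0) Service'; a real Windows host has neither.
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.Name -eq 'mssecsvc2.0' -or
            $_.DisplayName -like 'Microsoft Security Center (2.0)*'
        } |
        Select-Object Name, DisplayName, PathName, State, StartMode
}

function Find-Smb445FanOut {
    param(
        # Assumed threshold: a workstation rarely talks SMB to more than a handful of
        # peers at once; raise it for file servers and backup hosts.
        [int]$Threshold = 20
    )
    # Count distinct remote hosts per owning process over outbound TCP 445.
    # The scanner's connections are short-lived, so half-open and closing states count.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'SynSent', 'Established', 'TimeWait' } |
        Group-Object OwningProcess |
        ForEach-Object {
            $distinct = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    ProcessId   = [int]$_.Name
                    ProcessName = $proc.ProcessName
                    Path        = $proc.Path
                    Peers445    = $distinct
                }
            }
        }
}

"Suspicious service:"
Find-WannaCryService | Format-List
"Processes with $Threshold or more distinct TCP 445 peers:"
Find-Smb445FanOut | Format-Table -AutoSize
```

The connection snapshot is a point-in-time view, so run Find-Smb445FanOut a few times in a loop or feed the same logic from firewall or NetFlow logs for coverage over time; a single process opening 445 to an entire /24 is the signature worth alerting on regardless of which malware is behind it.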
If you have questions or concerns about the risk this malware or other ransomware poses to your organization and would like some advice, please feel free to contact us.