NEWS & TECH ALERTS | WANNACRY RANSOMWARE ATTACK DETAILS

News & Tech Alerts

The latest news and information from NCSI

Details of WannaCry provided by our Parner, Ivanti:

Malware name (all reported variants, some of which are earlier but related): WannaCrypt, Wana Decrypt0r 2.0,
WanaDecryptor, WannaCry, WanaCrypt0r, WCrypt, WCRY

Vector: This ransomware uses multiple attack vectors. All Windows versions before Windows 10 are vulnerable if not
patched for MS17-010. Windows XP and Server 2003 are particularly vulnerable, since until Friday, a patch was not
available to address this vulnerability on those operating systems.
• The primary attack vector is distribution via email. WannaCrypt uses social engineering or phishing techniques,
relying on users to open and execute a malicious payload embedded in the email. The malware then installs
itself and starts encrypting files immediately.
• Next, WannaCrypt will try to spread within the network or over the Internet, using exploit code for
vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an
SMBv1 server, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is only present in
the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more
information about this update, see Microsoft Knowledge Base Article 4013389.
• All windows versions from Windows XP to Server 2016 are affected. These systems have SMBv1 enabled by
default. Windows 10 is not affected. On May 13th, Microsoft released an emergency security patch for
unsupported versions of Windows, including Windows XP, Vista, Windows 8, and Server 2003 and 2008 Editions.

Ransom: Between $300 and $600. There is code in the worm to ‘rm’ (delete) files. It also embeds a restart mechanism,
which seems to reset the worm if it crashes.

Who has been impacted?
Initially, the attack appeared isolated to the UK—and more specifically to the National Health Service (NHS, a public
government body)—but within a few hours it was reported as global, and it’s now impacted up to 200,000 organizations
in 150 countries, including Russia, Spain, Germany, and the U.S. Well-known companies like FedEx, Renault, Nissan,
Deutsche Bahn, and Telefonica have reported the attack.

Backdooring and other impact:
In addition to the ransom, the worm loops through every RDP session on a system to
run the ransomware as that user. It also appears to install the DOUBLEPULSAR backdoor, which could allow for remote
code execution in the future. And it corrupts shadow volumes, making recovery harder. (Note: This shadow volume copy
corruption also makes it so next-generation AV has a hard time reversing the impact if it isn’t caught before execution.)

Kill switch:
A malware researcher accidentally discovered a “kill switch” on WannaCrypt. It’s tied to detection of fixed
domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the domain successfully returns an HTTP response, the kill
switch stops the worm from propagating. It should be noted that, if the machine infected cannot get to this domain (air
gapped, firewalled, or filtered), the worm’s kill switch is not triggered. It only tries to get there once.