Individual machines could be infected - researchers and testers who put WannaCry on Windows XP systems likely ran it manually - but the worm-like attack code would not spread from an XP PC
According to Symantec : https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
OTX has another set of IOCs.
Decryption possible for Windows XP to 7, including Windows 2003
According to Cyphort, the exploit used by WannaCry (ETERNALBLUE) is now also being used to spread a trojan.
Proofpoint published information on cryptocurrency-mining malware that also makes use of ETERNALBLUE/DOUBLEPULSAR. This malware predates WannaCry (possibly as early as 24 April).
The Shadow Brokers issued a statement. ETERNALBLUE, the exploit WannaCry uses to spread, was part of their leak.
Some researchers confuse the Jaff ransomware with WannaCry. Jaff is a more "traditional" ransomware, explained in detail by Talos: http://blog.talosintelligence.com/2017/05/jaff-ransomware.html. It is not the same as WannaCry.
Uiwix has begun to spread by exploiting the same Windows SMB vulnerability (MS17-010) as WannaCry.
Sample (SHA-256) on VirusTotal: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06
Two new variants were found. See https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
Do not rely on these kill switches as a single line of defense. The behaviour of the malware can easily be changed so that the kill switches no longer apply. Also, WannaCry is not proxy aware: in a proxied environment the kill switch will not help unless you set up an RPZ that points the domain at an internal sinkhole.
The patch has been available since March 2017. Your patch management process should apply patches rated critical in a timely manner. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Microsoft also provided mitigation measures for unsupported systems.
Windows 10 and Windows Server 2016 are protected in their default configuration.
An article on the Trend Micro blog explains why "Just Patch It!" isn't as easy as you think.
Disable SMBv1. This is described in a Microsoft document : https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
On Windows 8 / Server 2012 and later you can do this in PowerShell; on Windows 7 / Server 2008 R2 it is a registry setting (both are described in the Microsoft document above).
Blocking legacy protocols is always recommended!
UPDATE: According to "WannaCry FAQ: What you need to know today", the vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation, but the tool also uses SMBv2, i.e. it sends both SMBv1 and SMBv2 packets during the attack. Disabling either SMBv1 or SMBv2 prevents the infection; disabling SMBv2, however, can cause problems, so disable SMBv1 (the vulnerable implementation) and leave SMBv2/v3 enabled.
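The procedure above (disable SMBv1, keep SMBv2/v3), as an added example that is not part of the original page. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later; the registry value and the sc.exe commands are the ones the Microsoft document above prescribes for the older versions, and the client-side change only takes effect after a reboot.

```powershell
# Added example, not from the original page: disable SMBv1 on the server and client side, leaving
# SMBv2/v3 untouched. Run in an elevated PowerShell session. Reboot afterwards for the client-side
# (mrxsmb10) change to take effect.

if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: the SMB server cmdlet takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2 have no SMB cmdlets; the Microsoft KB prescribes this registry value.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $p -Name SMB1 -Type DWord -Value 0 -Force
}

# Client side (all versions): stop the workstation service from loading the SMBv1 redirector,
# so this host will not speak SMBv1 to others either.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Windows 8.1 / 10 / Server 2012 R2 and later: the SMB1 component can be removed outright.
# The optional feature does not exist on older builds, hence the try/catch.
try {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "SMB1Protocol optional feature not present on this build, skipping"
}

# Verify. Expected after a reboot: EnableSMB1Protocol False (or SMB1 = 0 in the registry)
# and START_TYPE DISABLED for mrxsmb10. EnableSMB2Protocol must still be True.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
} else {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1
}
sc.exe qc mrxsmb10 | Select-String START_TYPE
```

Test this on a non-critical machine first: anything that still relies on SMBv1 (old NAS devices, printers, legacy scanners writing to shares) will lose access to this host once the server-side setting is applied.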
All systems exposed to the Internet should filter NetBIOS, SMB and RDP.
Do not assume that a corporate firewall is enough. Systems connecting through a VPN may be exposed to the Internet before the VPN is started, and do not forget dual-homed systems. One infected system that is later brought onto the network is enough to start the spread.
Internal network filtering
Use local host firewalling on all your systems. Not every system needs to have SMB and RDP reachable on the network!
Apply network segmentation.
If you run CIFS (the older dialect of SMB, what Windows calls SMBv1) you are also targeted.
So far RDP appears to be used only as an initial attack vector, via brute force (guessing weak credentials). Once RDP access has been gained, WannaCry is deployed and then spreads automatically over SMB.
Do not forget that backup servers can be targeted too. Make sure the backup retention period is long enough to reach back to before the infection.
Backups must be off-line (detached from network connectivity or system connectivity).
Use a dedicated backup solution that is not using SMB!
No, you should not block the kill-switch domain. When the malware can reach the kill-switch domain it stops and does not spread further. When you block the domain, it keeps spreading, internally and externally, and starts encrypting your files.
Centrally log the events of your servers and workstations so that you know what is going on. Combine this information with network events.
Use threat intelligence data (IOCs) to generate alerts on these events.
The Wannacry ransomware is not proxy aware. This means that organizations that use a corporate proxy will not benefit from the kill switch. See https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/
The solution is to add the kill-switch domains to an internal RPZ zone and redirect requests to an internal sinkhole. Note that the ransomware expects an HTTP reply, so the sinkhole must answer HTTP requests, not just resolve the name.
Note: no sample of a phishing e-mail delivering the ransomware has been found so far. The initial attack vector is not clear (perhaps an infected USB device introduced on the network?).
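The RPZ-plus-sinkhole setup above, as an added example that is not part of the original page. It implements the same rewrite with the Windows DNS Server module (a local primary zone per kill-switch name, which overrides the public name exactly like an RPZ rule would) and adds the HTTP responder the ransomware needs. Assumptions: 'kill-switch-domain.example' is a placeholder for the real kill-switch name(s) from the referenced analyses, 10.0.0.80 is a placeholder sinkhole address, the DnsServer module is present on the DNS server, and the sinkhole host runs the listener elevated.

```powershell
# Added example, not from the original page: kill-switch domain sinkholing on Windows DNS Server,
# plus a minimal HTTP responder on the sinkhole host. Placeholders: the domain, the sinkhole IP,
# and the log path. Run part 1 on the internal DNS server, part 2 (elevated) on the sinkhole.
$killSwitchDomains = @('kill-switch-domain.example')   # placeholder: real kill-switch name(s)
$sinkholeIp        = '10.0.0.80'                       # placeholder: internal sinkhole host
$logFile           = 'C:\sinkhole\requests.log'

# --- Part 1, on the internal DNS server: override the kill-switch names ---
foreach ($d in $killSwitchDomains) {
    if (-not (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns"
    }
    # Apex A record; short TTL so the override can be removed quickly once it is no longer needed.
    Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $sinkholeIp -TimeToLive '00:05:00'
}

# --- Part 2, on the sinkhole host: answer HTTP 200 and log every client that asked ---
# Every hit is an internal host whose kill-switch check reached us: treat it as an infection alert.
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://+:80/')
$listener.Start()
New-Item -ItemType Directory -Force (Split-Path $logFile) | Out-Null
try {
    while ($listener.IsListening) {
        $ctx    = $listener.GetContext()
        $fields = @((Get-Date -Format o), $ctx.Request.RemoteEndPoint.Address,
                    $ctx.Request.Headers['Host'], $ctx.Request.RawUrl)
        Add-Content -Path $logFile -Value ('{0} {1} {2} {3}' -f $fields)
        $body = [System.Text.Encoding]::ASCII.GetBytes('OK')
        $ctx.Response.StatusCode      = 200
        $ctx.Response.ContentLength64 = $body.Length
        $ctx.Response.OutputStream.Write($body, 0, $body.Length)
        $ctx.Response.Close()
    }
} finally {
    $listener.Stop()
}
```

Forward the sinkhole log to your central logging (see below): a workstation showing up there has executed the malware and only stopped because the kill switch answered. This only covers hosts that use the internal DNS resolver; a host that resolves via the proxy never asks your DNS server, which is exactly why the page notes the kill switch is not proxy aware.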
Good security practice.
Repeat awareness campaigns!
Update your anti-virus definitions to prevent further infections. Anti-virus definitions need time to cover new variants: do not rely on your anti-virus / anti-malware solution as the single line of defense.
UPDATE: Note that anti-virus can potentially stop such attacks even before researchers have seen a sample, ref. Modern Security Software not powerless against threats wannacry.
A script developed by CCN-CERT prevents the ransomware from starting to encrypt your files. It does this by creating the mutexes the ransomware checks for. Note that the script needs to be run again after every reboot: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND. Also see: https://twitter.com/EC3Europol/status/863492271911645184
Afterwards, you can check for the presence of the mutex with: handle -a | findstr MsWinZonesCacheCounterMutex. The Handle tool can be downloaded from Sysinternals: https://download.sysinternals.com/files/Handle.zip
Further info on the mutexes is available at https://blog.didierstevens.com/2017/05/14/quickpost-wannacrys-mutex-is-mswinzonescachecountermutexa0-digit-zero-at-the-end/ and here https://twitter.com/craiu/status/863720216714518528.
There is an alternative tool (not tested) that accomplishes the same : https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip
UPDATE Another tool to create the mutexes, TearSt0pper.
Subscribe to a threat intelligence feed to get early indicators and detection. See MISP platform
An NSE script for Nmap that detects systems missing MS17-010 was published: http://seclists.org/nmap-dev/2017/q2/79
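Running that check across a range and turning the result into a patch list, as an added example that is not part of the original page. It assumes nmap.exe is on the PATH, that the script is the one that later shipped with Nmap under the name smb-vuln-ms17-010, and uses 10.0.0.0/24 as a placeholder range; the XML parsing relies on the standard -oX layout (hostscript output attribute containing the text VULNERABLE for affected hosts).

```powershell
# Added example, not from the original page: sweep a range with the Nmap MS17-010 check and
# produce a CSV of hosts still missing the patch. Placeholder range 10.0.0.0/24; assumes nmap.exe
# on the PATH and the smb-vuln-ms17-010 script as distributed with Nmap.
$range = '10.0.0.0/24'
$xml   = Join-Path $env:TEMP 'ms17-010.xml'

# -Pn: do not skip hosts that drop ping; --open: only hosts with 445 open get scripted.
& nmap.exe -Pn -p 445 --open --script smb-vuln-ms17-010 -oX $xml $range | Out-Null

[xml]$scan = Get-Content -Raw $xml
$results = foreach ($h in $scan.nmaprun.host) {
    $ip     = ($h.address | Where-Object addrtype -eq 'ipv4').addr
    $script = $h.hostscript.script | Where-Object id -eq 'smb-vuln-ms17-010'
    if (-not $script) { continue }      # 445 closed, or the script produced no output (not vulnerable)
    [pscustomobject]@{
        Host       = $ip
        Vulnerable = [bool]($script.output -match 'VULNERABLE')
        Summary    = (($script.output -split "`n" | Where-Object { $_.Trim() }) | Select-Object -First 2) -join ' '
    }
}

$results | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
$results | Where-Object Vulnerable |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ms17-010-vulnerable.csv')
```

The check talks SMB to every host with 445 open, so run it from a machine that is allowed through the host firewalls described below, and expect it to light up IDS signatures that look for MS17-010 probes.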
A massive wave of ransomware that has all the characteristics of a worm. It utilises an exploit called ETERNALBLUE as well as leveraging a persistent backdoor known as DOUBLEPULSAR (both were part of the Shadow Brokers leak of NSA tools). ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol. Exploiting this vulnerability allows an attacker to execute code on the vulnerable host.
Microsoft patched this vulnerability in March 2017, via MS17-010. Microsoft also released a patch for systems that are no longer under support.
The malware is persistent, meaning it will survive a system reboot!
Although there are claims that the infection happened via phishing e-mail, no sample of such a mail has been analyzed.
Segment and isolate networks that have infected machines.
Blocking SMB everywhere will hugely affect your users, because they will no longer be able to reach the file servers. Workstations, however, almost never need to accept incoming SMB connections: filter inbound SMB on workstations (outbound SMB to file servers stays allowed). This prevents further spreading between workstations.
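The workstation host-firewall policy described here and under "Internal network filtering" above, as an added example that is not part of the original page: inbound SMB, NetBIOS and RDP are closed while outbound SMB (access to file servers) is untouched, so users keep their shares and the worm loses its lateral path. Assumptions: an elevated session, English display-group names for the built-in Windows Firewall rules, and a placeholder management subnet (10.0.0.0/24) that you should replace or remove.

```powershell
# Added example, not from the original page: block inbound SMB/NetBIOS/RDP on a workstation with
# Windows Firewall, leaving outbound traffic alone. Run elevated. 10.0.0.0/24 is a placeholder.
$mgmt = '10.0.0.0/24'   # assumption: admin / jump-host range that may still reach workstations

# Default inbound policy Block on every profile (the Windows default, but GPOs sometimes relax it).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Built-in allow rules that open 139/445 and 3389 on a workstation: switch them off.
foreach ($g in 'File and Printer Sharing', 'Remote Desktop') {
    Disable-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
}

# Explicit block rules. In Windows Firewall an explicit Block beats any Allow, so these are
# unconditional: nothing on the network should talk NetBIOS to a workstation.
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS name/datagram' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS session' -Direction Inbound `
    -Protocol TCP -LocalPort 139 -Action Block | Out-Null

# SMB and RDP stay closed by the default policy, except from the management range. Remove these
# two rules if no admin subnet needs to reach workstations at all.
New-NetFirewallRule -DisplayName 'Allow SMB from management' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $mgmt -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'Allow RDP from management' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $mgmt -Action Allow -Profile Domain | Out-Null

# Verify: every enabled inbound rule touching 139, 445 or 3389, with its action and remote scope.
Get-NetFirewallPortFilter | Where-Object { @($_.LocalPort) -match '^(139|445|3389)$' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile,
        @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```

Push the same rules through Group Policy rather than per machine, and keep the management allow rule narrow: the page notes RDP is brute-forced as an initial vector, so an "allow RDP from anywhere" rule on workstations defeats the purpose.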
For Belgium : [email protected]
There may be a possibility to recover the encryption key (and hence the encrypted files) on Windows XP, if the system was not rebooted after infection.
According to "WannaCry - Decrypting files with WanaKiwi + Demos", decryption works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2.
In order to decrypt the files it is important that
Do not delete the encrypted files yet: a decryption key may become available at some point in the future. There are, however, no guarantees.
According to Kaspersky Lab there is strong evidence linking the WannaCry ransomware code to North Korea: there is code overlap between WannaCry and a sample attributed to Lazarus in 2015. Note that the Lazarus group is believed to be responsible for the Sony wiper attack, the Bangladesh bank heist and the DarkSeoul operation. ... "a theory a false flag although possible, is improbable."
WannaCry uses only four bitcoin addresses. There is no automatic link between a payment and a particular infection, so validating payments has to be a manual process. Most ransomware automates this to provide a better "service" to its victims. Also see the Wired article.
A live map can be found here : https://intel.malwaretech.com/WannaCrypt.html
Create a mutex manually in PowerShell: $mtx = New-Object System.Threading.Mutex($false, "TestMutex") (the mutex only exists while the PowerShell session that created it is running).
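The mutex stop-gap from the CCN-CERT / WCRYSLAP / TearSt0pper section above and the one-liner here, as an added example that is not part of the original page or of any of those tools. The names follow the Didier Stevens post linked above (MsWinZonesCacheCounterMutexA with and without the trailing digit zero, in the Global\ namespace); confirm them against the variant you are dealing with before relying on this. Assumes an administrator session (required to create objects in the Global\ namespace).

```powershell
# Added example, not from the original page: create the mutexes the ransomware checks for and keep
# holding them for as long as this process runs. Mutex names as per the linked Didier Stevens post;
# verify against the current variant. Run as administrator. Stop-gap only: patch and disable SMBv1.
$names = @(
    'Global\MsWinZonesCacheCounterMutexA',
    'Global\MsWinZonesCacheCounterMutexA0'    # digit zero at the end
)

$held = @()
foreach ($n in $names) {
    $createdNew = $false
    # initiallyOwned = $true; createdNew tells us whether the name was free
    $m = New-Object System.Threading.Mutex($true, $n, [ref]$createdNew)
    if ($createdNew) {
        Write-Host "created and holding $n"
        $held += $m
    } else {
        # Already present: an earlier run of this script, another tool, or the malware itself.
        Write-Warning "$n already exists; check owners with: handle -a | findstr MsWinZonesCacheCounterMutex"
        $m.Dispose()
    }
}

# The mutexes vanish as soon as this process exits or the machine reboots, hence "run at every
# reboot" above: schedule the script at startup if you use it. Ctrl-C releases everything.
while ($held.Count -gt 0) { Start-Sleep -Seconds 300 }
```

Note what this does and does not buy you: a variant that checks a different name, or none at all, is unaffected, and the worm component still probes the network, so the host firewall and patch remain the real fix.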
Maintained by cudeso