Security Alert: WannaCry Leaves Exploited Computers Vulnerable to Round Two

As an industry, we’ve been talking about ransomware and its impact for 2-3 years now, and, during this time, many of our own security alerts alerted users about ongoing campaigns spreading encrypting malware.

In spite of this, many Internet users still have a difficult time prioritizing their proactive cyber security as need-to-have rather than nice-to-have. As a consequence, computers go unpatched, unprotected and become easy targets.

What we’ve seen in the past 24 hours reveals how each click on “postpone update” created another target for WannaCry ransomware and its variants (WCry, WanaCrypt0r, WanaCrypt0r 2.0)  to infect and use for distribution. It’s the nightmare scenario we feared when we wrote this post.

The WannaCry ransomware attack – 5 things you need to know

1. A ransomware attack of “unprecedented level” (Europol) started spreading WannaCry ransomware around the world on Friday, May 12, 2017, around 11 AM ET/3PM GMT.
2. Until now, hundreds of thousands of Windows-running computers in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan.
3. Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on April 14, 2017. This exploit was patched a month before that, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010).
4. The reason why this particular campaign became so extensive is because it exploits a vulnerability in Windows SMBv1 and SMBv2 to move laterally within networks and infect other computers.
5. If you haven’t installed the updates and are running a vulnerable operating system (see list below), even if your data hasn’t been encrypted, your computer might still have a backdoor that attackers can leverage in a potential round two of attacks.

Source: Securelist.

[Later edit: May 14, 2017, 18:00 EEST] Uiwix ransomware is picking up where the first WannaCry wave left off, without a kill switch domain and the same self-replicating abilities that enable it to spread fast.

Who is affected

Although this is an indiscriminate malicious campaign, many companies and public institutions have had their computers and data encrypted.

The National Health Service (NHS) in England and Scotland was one of the first high-profile victims of this attack. The BBC mentions that about 40 of NHS’s medical organisations and practices were hit.

Other victims include Telefonica and other big Spanish companies, Renault, the French car-maker (that stopped production on several sites to contain the infection), the US delivery giant Fed-Ex and other public and private organisations across Europe and the rest of the world.

Nissan plant in Sunderland says it has been affected by ransomware attack and it is “working to resolve issue” https://t.co/RUpMPDlIW8

— BBC Breaking News (@BBCBreaking) May 13, 2017

I’ve actually seen myself emails that my friends received from their employers, prompting them to shut down their computers and take them offline while the system got patched.

It may sound dramatic, but the circumstances call for quick reactions and fixes.

The New York Times published a map that shows how the infections spread during their peak hours.

Okay, here is an IDR based heatmap for WanaCrypt0r 2.0 ransomware (WCry/WannaCry) which covers exactly 24 hours from the explosion of it. pic.twitter.com/03ApsH5zGd

— MalwareHunterTeam (@malwrhunterteam) May 13, 2017

How to check if your system is patched

If you’re unsure whether your computer is updated to the latest version, you can run Microsoft Baseline Security Analyzer 2.3 and discover which updates are missing. The tool also lists the missing updates by severity and potential impact.

Please know that you can only use this tool on one computer or a group of computers. If you want to cover your entire infrastructure, you should use your internal IPs and coordinate your updates so they start from the first vulnerability the tool reports.

A good idea is to also redo a centralized scan after applying the updates, to ensure that the right updates were triggered and installed.

If unpatched, the following Microsoft software is exposed to WannaCry attacks, as well as other that employ the same tactics:

• Microsoft Windows Vista SP2
• Microsoft Windows Server 2008 SP2 and R2 SP1
• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2012 și R2
• Microsoft Windows 10
• Microsoft Windows Server 2016
• Microsoft Windows XP
• Microsoft Windows Server 2003

Vulnerability details:

CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148

What’s more, Microsoft released a series of security updates to help users close this vulnerability sooner. They even went so far as to make them compatible with Windows XP, Windows 8, and Windows Server 2003 as well, which are no longer covered by mainstream support (feature and security updates).

Of course, it’s up to Windows users now to take adequate action and click that “update” button promptly!

Actionable guide: How to Apply the Windows Update that Patches the EternalBlue SMB Exploit

Later edit [May 14, 10:30 EST]: CCN-CERT releases the NoMoreCry Tool

Available now: @CCNCERT has developed a tool to prevent the #WannaCry 2.0 #ransomware infection https://t.co/3msScNhe5f

— EC3 (@EC3Europol) May 13, 2017

This tool is available to all organisations that need to use it. It creates a mutex (mutual exclusion algorithm) on the computer that prevents the execution of the malicious code WannaCry 2.0. It is important to note that this tool is Not intended to clean compromised machines.

CCN-CERT indicates that the tool should be run after each restart. This process can be automated by modifying the Windows registry or through the implementation of the proper policies in the domain

This tool works on operating systems versions higher than Windows XP.

Later edit [May 23]: A decryptor for WannaCry has emerged

French researchers have come up with a decryptor for WannaCry, called WannaKey. However, it works only under certain conditions:

• The affected computer has not been rebooted after being infected.
• The associated memory has not been allocated and erased by some other process.

This article has a more in-depth view of how the decryptor works, as well as links to the software itself.

The killswitch

One of the key moments of the past 24 hours has been the discovery of a killswitch domain that, when blocked, would prevent the encryption from starting.

@MalwareTech unexpectedly discovered that he could block the malicious domain by registering it under his name and posting a clean page on it. He found this out while he was tracking the starting point for this WannaCry campaign.

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

— MalwareTech (@MalwareTechBlog) May 13, 2017

What’s next? Increasing prices and exposure to future attacks

As it often happens, we reckon that this attack will evolve over time. And there are two key aspects here to be considered:

1. The attackers may be increasing their prices, not only after the first payment deadline expires, but from the beginning.

While the average ransom in this attack was priced at $300, Securelist published an analysis of a sample that request double this sum:

It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.

Naturally, this has also led to an increase in prices for Bitcoins:

2. Even if your data is not encrypted, the attackers may already be in.

If your computer was lacking the critical Microsoft update, it is possible that the exploit involved in this attack may have already planted a backdoor in your system.

Blocking the killswitch domain may have stifled the propagation of WannaCry ransomware, but that doesn’t mean it’s over.

The cyber criminals behind this malicious campaign will most likely learn from what worked and what didn’t and try to double down on infection vectors guaranteed to ensure success.

Given that 97% of phishing emails are ransomware and that 31% of the people who receive them open these emails (and often click on links/attachments), their chances for success are still quite high.

Also, their international intent was already clear when they translated the ransom note and payment instructions in 28 languages, including Spanish, Swedish, Turkish, Vietnamese, Portuguese and many others.

What you can (and should) do right now

1. Check if your system is patched. (See above.)
2. Download and install all system updates and restart your PC to apply them.
3. Make sure you have a  proactive security layer in place. (Maybe you’d even like to see what Heimdal™ Threat Prevention can do.)
4. Make sure you have a (paid) antivirus solution and that it’s up to date.
5. Back up your data in at least 2 places, if you haven’t done it already. Here’s a guide on how to do it.
6. Ensure that you apply all software updates, as soon as they’re available.
7. Teach yourself to detect and avoid phishing emails and links.

It might also be helpful to go through this anti-ransomware checklist (printable version) and see how you’re doing and what else you could do to keep your data safe from WannaCry and other strains.

And if you want to dive deeper into the subject, here are two technical analyses that you might find helpful: from Talos Intelligence and Malwarebytes.

Remember, cyber security is not just about the big events that happen and make the headlines. The most important aspects of it are how you handle yourself online every day, how you shape your cyber hygiene habits.

Be safe, not sorry!