Ransomware: WannaCrypt



Now and over the coming weeks, the WannaCrypt ransomware will be widely discussed. Below are several articles on the WannaCrypt ransomware, quoted from various sources, which hopefully can help those who have been hit by it:

  • Monitoring Dashboard WannaCrypt
  • blogs.technet.microsoft.com | WannaCrypt ransomware worm targets out-of-date systems
  • kominfo.go.id | Advisory to Immediately Take Preventive Measures Against Malware Threats, in Particular the WannaCRY Ransomware
  • medium.com | Can files locked by WannaCry be decrypted: A technical analysis
  • id.wikipedia.org | WannaCry ransomware attack
  • Malware Protection Center – microsoft.com | Ransom: Win32/WannaCrypt
  • idsirtii.or.id | ID-SIRTII/CC Press Release on Preventing the Wannacry Ransomware | What is WannaCry?
  • symantec.com | What you need to know about the WannaCry Ransomware | WannaCry Ransomware: Top 10 Ways Symantec Incident Response Can Help | WannaCry Ransomware: 6 Implications for the Insurance Industry | Data Center Security Server Advanced Stops WannaCry | WannaCry: Ransomware attacks show strong links to Lazarus group | WannaCry Ransomware: Information from Symantec
  • julismail.staff.telkomuniversity.ac.id | Ransomware wannacry


# Monitoring Dashboard WannaCrypt


An interactive monitoring dashboard of WannaCrypt ransomware attacks can be viewed at the URL intel.malwaretech.com/WannaCrypt.html, from malwaretech.com.



# msft-mmpc | blogs.technet.microsoft.com | May 12, 2017

WannaCrypt ransomware worm targets out-of-date systems


On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.

Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.

In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.

Attack vector

Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as the primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

WannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

Dropper

The threat arrives as a dropper Trojan that has the following two components:

  1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
  2. The ransomware known as WannaCrypt

The dropper tries to connect to the following domains using the API InternetOpenUrlA():

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.

In other words, unlike in most malware infections, IT Administrators should NOT block these domains. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.


The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”


WannaCrypt ransomware

The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”.

When run, WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\<random string> = “<malware working directory>\tasksche.exe”
  • HKLM\SOFTWARE\WanaCrypt0r\\wd = “<malware working directory>”

It changes the wallpaper to a ransom message by modifying the following registry key:

  • HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”

It creates the following files in the malware’s working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

WannaCrypt may also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

It may create a randomly named service that has the following associated ImagePath: “cmd.exe /c “<malware working directory>\tasksche.exe””.

It then searches the whole computer for any file with any of the following file name extensions: .123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.

WannaCrypt encrypts all files it finds and renames them by appending .WNCRY to the file name. For example, if a file is named picture.jpg, the ransomware encrypts and renames the file to picture.jpg.WNCRY.

This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies by running the following command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
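The command line above, together with the service, registry and file artifacts listed earlier, can be turned into a simple host-telemetry triage. The following is an added example, not code from Microsoft's blog: it parses constructed, pipe-delimited endpoint events (timestamp|host|event_type|detail, a format assumed here) and flags each WannaCrypt indicator by rule.

```python
"""Host-telemetry triage for the WannaCrypt indicators described on this page.

Added example (not from Microsoft's analysis).  Input lines are constructed
endpoint events of the form  timestamp|host|event_type|detail ; the format is
an assumption, so adapt parse_event() to whatever your EDR or Sysmon pipeline emits.
"""
import re
from collections import defaultdict

# Each rule: (name, event types it applies to, pattern matched against the detail field).
# Matching is case-insensitive because the page lists both taskse.exe and Taskse.exe.
RULES = [
    # Recovery-destruction chain the malware runs after encryption.
    ("shadow_copy_deletion", {"process"},
     re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
                r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no|"
                r"wbadmin\s+delete\s+catalog", re.I)),
    # Worm service: named mssecsvc2.0, started with the "-m security" parameter.
    ("wannacrypt_worm_service", {"service"},
     re.compile(r"mssecsvc2\.0|-m\s+security", re.I)),
    # Randomly named service whose ImagePath launches tasksche.exe via cmd.exe /c.
    ("tasksche_service", {"service", "process"},
     re.compile(r'cmd\.exe\s+/c\s+"?.*tasksche\.exe', re.I)),
    # Persistence and working-directory keys written by the ransomware component.
    ("wanacrypt0r_registry", {"registry"},
     re.compile(r"HKLM\\SOFTWARE\\WanaCrypt0r\\wd|"
                r"CurrentVersion\\Run\\.*tasksche\.exe", re.I)),
    # Encrypted output, the per-folder ransom note and the decryptor binary.
    ("encrypted_file_artifacts", {"file"},
     re.compile(r"\.WNCRY$|@Please_Read_Me@\.txt$|@WanaDecryptor@\.exe$", re.I)),
]


def parse_event(line):
    """Split one constructed log line into (timestamp, host, event_type, detail)."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None  # malformed line: skip it rather than abort the sweep
    ts, host, event_type, detail = (p.strip() for p in parts)
    return ts, host, event_type.lower(), detail


def scan_events(lines):
    """Return a list of (host, rule_name, detail) for every matching event."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _, host, event_type, detail = parsed
        for name, types, pattern in RULES:
            if event_type in types and pattern.search(detail):
                hits.append((host, name, detail))
    return hits


def triage(lines):
    """Group rule names per host so an analyst sees which hosts show the whole chain."""
    per_host = defaultdict(set)
    for host, name, _ in scan_events(lines):
        per_host[host].add(name)
    return {host: sorted(names) for host, names in per_host.items()}


# Constructed sample telemetry; the command line and artifact names mirror the page.
SAMPLE_EVENTS = [
    "2017-05-12T10:00:41Z|WS-017|service|name=mssecsvc2.0 desc=Microsoft Security Center (2.0) Service params=-m security",
    "2017-05-12T10:00:55Z|WS-017|registry|HKLM\\SOFTWARE\\WanaCrypt0r\\wd = C:\\ProgramData\\xkqwmtr\\",
    "2017-05-12T10:01:03Z|WS-017|process|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-05-12T10:02:10Z|WS-017|file|C:\\Users\\alice\\Documents\\budget.xlsx.WNCRY",
    "2017-05-12T10:02:11Z|WS-017|file|C:\\Users\\alice\\Documents\\@Please_Read_Me@.txt",
    "2017-05-12T10:03:00Z|WS-042|service|name=lwbzdqk imagepath=cmd.exe /c \"C:\\intel\\abcdef\\tasksche.exe\"",
    "2017-05-12T10:05:00Z|WS-099|process|vssadmin list shadows",
    "2017-05-12T10:06:00Z|WS-099|file|C:\\Users\\bob\\report.docx",
]

if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, "->", ", ".join(rules))
```

WS-099 is deliberately benign (a `vssadmin list` and an ordinary document) to show the rules do not fire on routine shadow-copy administration.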

It then replaces the desktop background image with the following message:

[Screenshot: ransom-note wallpaper]

It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:

[Screenshot: ransom-note executable with timer]

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

[Screenshot: decryptor offering free decryption of a few files]

Spreading capability

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.

[Screenshot: SMB exploit traffic from an infected host]

The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for the first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routine discovers unpatched computers.
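The SMB fan-out described above (local-network infection plus random Internet scanning) is visible in flow logs. The following is an added example, not part of Microsoft's analysis: it reads constructed flow records (src_ip,dst_ip,dst_port,proto, a format assumed here), counts distinct TCP/445 destinations per source, and separates lateral fan-out inside RFC 1918 space from Internet-wide probing; the thresholds are assumptions to tune per network.

```python
"""Flow-log heuristic for the SMB fan-out produced by the WannaCrypt worm component.

Added example, not Microsoft's code.  Input lines are constructed flow records
of the form  src_ip,dst_ip,dst_port,proto  (format assumed); thresholds are
assumptions and should be tuned to the normal SMB behaviour of your network.
"""
import ipaddress
from collections import defaultdict

SMB_PORT = 445
LATERAL_THRESHOLD = 20   # distinct internal hosts contacted on 445 in the window
INTERNET_THRESHOLD = 10  # distinct non-private hosts contacted on 445 in the window

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse 'src,dst,dport,proto'; return None for malformed lines instead of raising."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4:
        return None
    try:
        return (ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1]),
                int(fields[2]), fields[3].lower())
    except ValueError:
        return None


def classify_target(ip):
    """'lateral' for RFC 1918 space, 'internet' for other unicast, None for noise.

    Loopback and multicast are excluded, mirroring the octet ranges the page says
    the worm itself skips (first octet 127 or >= 224).
    """
    if ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified:
        return None
    return "lateral" if any(ip in net for net in RFC1918) else "internet"


def summarize_smb(lines):
    """Per source: sets of distinct lateral and Internet destinations on TCP/445."""
    per_src = defaultdict(lambda: {"lateral": set(), "internet": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, proto = flow
        if proto != "tcp" or dport != SMB_PORT:
            continue
        bucket = classify_target(dst)
        if bucket is not None:
            per_src[str(src)][bucket].add(str(dst))
    return per_src


def flag_scanners(lines):
    """Return {src: [reasons]} for sources whose SMB fan-out exceeds a threshold."""
    flagged = {}
    for src, dests in summarize_smb(lines).items():
        reasons = []
        if len(dests["lateral"]) >= LATERAL_THRESHOLD:
            reasons.append(f"SMB fan-out to {len(dests['lateral'])} internal hosts")
        if len(dests["internet"]) >= INTERNET_THRESHOLD:
            reasons.append(f"SMB probes to {len(dests['internet'])} Internet hosts")
        if reasons:
            flagged[src] = reasons
    return flagged


def constructed_flows():
    """Constructed sample: one infected host fanning out, one ordinary file-server client."""
    # The infected host sweeps the /24 it sits on ...
    lines = [f"10.0.5.17,10.0.5.{i},445,tcp" for i in range(1, 255) if i != 17]
    # ... and probes pseudo-random external addresses (RFC 5737 documentation ranges).
    lines += [f"10.0.5.17,203.0.113.{i},445,tcp" for i in (3, 19, 42, 77, 88, 101)]
    lines += [f"10.0.5.17,198.51.100.{i},445,tcp" for i in (7, 23, 64, 130, 199, 250)]
    # Ordinary client: one file server on 445, HTTPS elsewhere, plus noise lines.
    lines += ["10.0.5.30,10.0.1.5,445,tcp"] * 50
    lines += ["10.0.5.30,198.51.100.80,443,tcp", "not a flow", "10.0.5.31,10.0.1.5,445,udp"]
    return lines


if __name__ == "__main__":
    for src, reasons in flag_scanners(constructed_flows()).items():
        print(src, "->", "; ".join(reasons))
```

Fifty connections to a single file server never trip the rule; only the number of distinct destinations matters, which is what distinguishes a worm sweep from a busy but legitimate SMB client.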

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.


Protection against the WannaCrypt attack

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.

Resources

Indicators of compromise

SHA1 of samples analyzed:

  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Files created:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • taskdl.exe
  • Taskse.exe
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension

Registry keys created:

  • HKLM\SOFTWARE\WanaCrypt0r\wd


Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya (@tanmayg)
Microsoft Malware Protection Center (@msftmmpc)



# PUBLIC RELATIONS BUREAU, MINISTRY OF COMMUNICATION AND INFORMATICS | kominfo.go.id | 13 May 2017

PRESS RELEASE OF THE MINISTRY OF COMMUNICATION AND INFORMATICS
NO. 55/HM/KOMINFO/05/2017
Regarding

Advisory to Immediately Take Preventive Measures Against Malware Threats, in Particular the WannaCRY Ransomware


As reported by several media outlets both domestically and abroad, a wave of cyberattacks has occurred in several countries, including Indonesia. The Director General of Informatics Applications, Semuel A. Pangerapan, stated that because this cyberattack is distributed and massive and targets critical resources, it can be categorized as cyber terrorism.

In Indonesia, based on reports received by Kominfo, the attack targeted Harapan Kita Hospital and Dharmais Hospital. In view of this cyberattack, we ask the public to remain calm and to exercise greater caution when interacting in cyberspace.

Semmy explained that the cyberattack hitting Indonesia is of the ransomware type. Ransomware is a type of malicious software, or malware, that attacks the victim's computer by locking it or encrypting all the files on it so that they can no longer be accessed. This year a new type of ransomware has emerged and is expected to claim many victims. This new ransomware is called Wannacry. Wannacry ransomware targets Windows-based PCs that have a weakness in the SMB function running on the computer. The Wannacry attack is currently believed to have claimed many victims in various countries. It is therefore important to take a series of preventive measures and also to handle incidents when they occur.

Infection and Spread:

Wannacry infects a computer by encrypting all the files on it and, using the weakness in the SMB service, can execute commands and then spread to other Windows computers on the same network. Every Internet-connected computer that still has this weakness, and especially computers on the same network, is potentially vulnerable to infection by Wannacry. Every infected Windows computer will display a screen like the image on the page above.

From that screen it can be seen that Wannacry demands a ransom so that the files hijacked by encryption can be restored to their normal state. The ransom demanded is a bitcoin payment equivalent to 300 US dollars. Wannacry provides a bitcoin address for the payment. It also gives a deadline for the final payment and a time at which the ransom will increase if it has not yet been paid.

Preventive Measures before infection:

Take the following steps to prevent infection by the Wannacry ransomware:

  1. Unplug the LAN cable / Wi-Fi
  2. Back up your data
  3. Update your anti-virus
  4. Update Windows security by installing the MS17-010 patch released by Microsoft. See: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  5. Do not enable the macros function
  6. Disable SMB v1
  7. Block ports 139/445 & 3389
  8. Again, always back up the important files on your computer and store the backup somewhere else

Measures after Infection:

At present there is no fast and reliable solution to recover files that have been infected by Wannacry. However, disconnecting the infected computer from the Internet will stop Wannacry from spreading to other vulnerable computers.

As a very important addition, ID-SIRTII urges that on Monday tomorrow, when offices open, this threat be kept in mind and the following be done:

  • Do not connect PCs, other personal computers and networks to the LAN and the Internet yet,
  • First back up important data,
  • Make sure the anti-virus software is up to date and that the security patch recommended by Microsoft has been applied first.

For online consultation, see: https://www.nomoreransom.org. Also, if technical information and advice is needed, e-mail: incident@idsirtii.or.id.

Contact persons, if needed:

Director of Information Security: Aidil Cenderamata 0817758377
Deputy Chairman of ID-SIRTII: Salahuddin (Didin) 0816945022

Jakarta, 13 May 2017

PUBLIC RELATIONS BUREAU, MINISTRY OF COMMUNICATION AND INFORMATICS



# Security Response | medium.com | May 15, 2017

Can files locked by WannaCry be decrypted: A technical analysis


The WannaCry ransomware worm has dominated the global news cycle since it started spreading on Friday.

The ransomware has now been reported in more than 150 countries around the globe, affecting hundreds of thousands of machines and more than 10,000 companies.

Symantec has already published a blog detailing much of what you need to know about this ransomware, and how to protect yourself. However, further investigation by our expert analysts who are trying to discover a decryption key to neutralize this threat has uncovered more technical details.

The WannaCry ransom note

How does this malware work?

Analysis by our engineers indicates that the malware has two hardcoded public keys deployed as part of this ransomware: one is used for the main task of encrypting files, while the other is used to encrypt a small number of files for “demo decryption” — so the ransomware authors can “prove” to victims that they are able to decrypt the files. Let’s call them attacker public key and demo public key, which will be explained further later.

Once the malware is running on the victim machine it will generate a new unique RSA 2048 bit asymmetric key pair. This means that each victim needs their own decryption key.

Once the new unique key pair is generated, the malware exports the victim’s public RSA key to a local file called 00000000.pky using CryptExportKey API. Next, it exports the victim’s private RSA key and encrypts it with the hardcoded attacker public key from the malware and stores it as 00000000.eky on disk. Now that the key has been stored safely, the malware uses CryptDestroyKey API to destroy the private key in memory, which limits the time for recovering private key parameters from memory by any other tool. Unfortunately, the lifetime of private victim RSA keys is so limited that there is no good option to recover it later once the encryption has happened.

Now the malware will enumerate all interesting files based on their extension. If the original file size is less than 209,715,200 bytes, or a configurable limit of files is not yet reached, then the malware will use the demo RSA public key, which is hardcoded in the malware. For this key the private key is actually known and can be used to decrypt the content. For all the other files the victim’s RSA public key, for which the private key has been securely encrypted and stored locally, will be used.

This means the ransomware now generates a new 16-byte symmetric key using the CryptGenRandom API for each file it wants to encrypt. This symmetric key is encrypted using one of the available RSA public keys and stored together with a copy of the original file in encrypted form. The use of the demo key allows the attackers to decrypt a few files to prove that they are the actual authors. Unfortunately, this does not guarantee that they actually have the required RSA private key to decrypt the victim’s private key that was stored locally.


Not all files are unrecoverable

This explains why there have been claims that some tools are available to decrypt all the files locked by WannaCry. Unfortunately, from our analysis of how this ransomware works, it appears that only a few files encrypted with the demo key are decryptable by the tool.

But there might be some hope. Files stored in Desktop, My Documents, or on any removable disks in the computer at the time of the infection are overwritten with randomly generated data and deleted. This means it is not possible to recover them with a file undelete or disk recovery tool.

However, due to possible weaknesses in the malware it is possible to recover other encrypted files on the system when they were stored outside of these three locations, using an undelete or disk recovery tool, as most of the files are moved to a temporary folder and then normally deleted, without being overwritten by a wiper. However, the recovery ratio may vary from system to system because the deleted file may be overwritten by other disk operations.

In short, it should be possible to recover some of the files that have been encrypted with WannaCrypt without paying the ransom, however, the recovery of all files without a backup does not seem possible at the present time.

As a security note, be wary of any services offering to decrypt all files, as these decryptors could very well be malware in disguise.

We have verified the file recoverability with a disk recovery tool named Disk Drill, the screenshot below shows the deleted files being discovered and recovered by this tool:

Older software may reveal key

Computers running exceptionally old versions of XP may actually be able to generate a decryption key. This is due to a flaw that exists in Windows XP versions SP1 and SP2, and which was patched way back in 2008 in Windows XP SP3, so the percentage of computers still running those versions of the operating system is tiny.

However, those that do still have computers running those systems could exploit a flaw in its pseudo-random number generator (PRNG) that allows someone to predict encryption keys that would be created in the future and, crucially, reveal keys that had been generated in the past.

An individual could exploit this flaw to reveal the decryption key in memory if the malware is still running, and hence free their files from the grip of WannaCry.

UPDATE: Researcher Adrien Guinet has used a different XP flaw to recover keys from memory: https://github.com/aguinet/wannakey

There are claims that the same technique also works on Windows 7. However, in our original analysis we determined that it would only work in a laboratory setting, for example where:

  • few files are encrypted
  • the tool is already available for execution
  • the tool is executed immediately post infection

The tool searches memory for key components; however, in multiple tests we found that these key components were overwritten.

Despite these limitations, there are no negative side-effects for victims who wish to try out the tool.

Heatmap shows how WannaCry spread around the world

Symantec’s investigations into the WannaCry ransomware are continuing. Keep an eye on the Threat Intel Twitter account for up-to-the-minute updates, and visit the Security Response blog for more information on this threat.



# id.wikipedia.org | May 2017

WannaCry Ransomware Attack


The WannaCry ransomware attack involves a piece of ransomware. In May 2017, a large-scale cyberattack using this software was launched, infecting more than 75,000 computers in 99 countries and demanding ransom payments in 20 languages.

The attack hit Telefónica and several other large companies in Spain, as well as parts of the National Health Service (NHS),[3] FedEx and Deutsche Bahn.[4][5][6] Other targets in at least 99 countries also reported attacks at around the same time.[7][8] More than 1,000 computers at the Russian Ministry of Internal Affairs, the Russian Ministry of Emergency Situations and the Russian telecommunications company MegaFon were reported infected.[9]

WannaCry is believed to use the EternalBlue exploit, allegedly developed by the United States National Security Agency, to attack computers running the Microsoft Windows operating system.[10] Although a patch addressing this vulnerability had been released on 14 March 2017, delays in applying security updates left some users and organizations vulnerable. In Indonesia, the malware hit a number of computers in several public hospitals, demanding a ransom of Rp 4,000,000 to restore the computers.[11]

WannaCry ransomware attack
Date: 12 May 2017 – 15 May 2017
Location: Worldwide
Type: Cyberattack using ransomware
Also known as: WannaCrypt, WanaCrypt0r, WCRY
Theme: Ransomware encrypting hard disks with a demand of $300 – $600
Cause: EternalBlue exploit
Outcome: More than 200,000 victims and more than 230,000 infected computers[1][2]

Background

The claimed infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017[12][13] together with other tools apparently leaked from the Equation Group, believed to be part of the United States National Security Agency.

EternalBlue exploits the MS17-010 vulnerability[14] in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft had released a “critical” advisory, together with a patch addressing the vulnerability, a month earlier, on 14 March 2017.[14] The patch fixed several workstation versions of the Microsoft Windows operating system, including Windows Vista and Windows 8.1, as well as server and embedded versions such as Windows Server 2008 and Windows Embedded POSReady 2009, but not the older Windows XP, according to Microsoft.[14]

Starting 21 April 2017, security researchers began reporting that computers with the DoublePulsar backdoor installed numbered in the tens of thousands.[15] By 25 April, reports estimated that the number of infected computers could reach several hundred thousand, with figures ranging from 55,000 to almost 200,000 and growing every day.[16][17]

Cyberattack

On 12 May 2017, WannaCry began affecting computers worldwide.[19] The initial infection may have been caused by a weakness in network defenses or a very well-crafted spear-phishing attack.[20] When executed, the malware first checks the “kill switch” domain name. If it is not found, the ransomware encrypts the computer's data,[21][22][23] then attempts to exploit the SMB vulnerability to spread to random computers on the Internet,[24] and “laterally” to computers on the same local area network.[25] As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.[22][26]

[Map: countries initially affected]

The Windows vulnerability was not a zero-day flaw, but one for which Microsoft had provided a security patch on 14 March 2017,[14] almost two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[27][28] Organizations that lacked this security patch were affected for this reason, although so far there is no evidence that any were specifically targeted by the ransomware developers.[27] Any organization still running the old Windows XP[29] was at particularly high risk because, until 13 May,[30] no security patches had been released for it since April 2014.[31] After the attack, Microsoft released a security patch for Windows XP.[30]

According to Wired, affected systems will also have the DoublePulsar backdoor installed; this also needs to be removed when systems are decrypted.[32]

According to reports, three or more hardcoded bitcoin addresses, or “wallets”, were used to receive payments from victims. As with all such wallets, their transactions and balances are publicly accessible, but their owners are not. To track ransom payments in real time, a Twitterbot watching each of the three wallets was set up.[33] As of 14 May 2017, a total of $33,319.59 had been paid.

Variants

On 14 May, two additional variants were detected. One of these variants had a new kill switch that was quickly registered, while the other had no kill switch but carried a corrupted payload that prevented file encryption.[34]

Impact

The ransomware campaign was unprecedented in scale according to Europol.[35] The attack affected many National Health Service hospitals in England and Scotland,[36] and up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment, may have been affected.[37] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[4][38] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to still be running Windows XP.[29] NHS hospitals in Wales and Northern Ireland were not affected by the attack.[39][4]

Nissan Motor Manufacturing UK in Tyne and Wear, one of the most productive car manufacturing plants in Europe, halted production after the ransomware infected some of its systems. Renault also halted production at several sites in an effort to stop the spread of the ransomware.[40][41]

The impact of the attack could have been far worse had the malware's creator not built in a kill switch.[42][43]

Cybersecurity expert Ori Eisen said the attack appeared to be “low-level” stuff, given the $300 ransom demand, and stated that the same could be done to critical infrastructure such as nuclear power plants, dams or railway systems.[44]

Microsoft also released patches fixing the exploit used by the ransomware on Windows XP, its 64-bit counterpart, Windows Server 2003 and Windows 8, even though all of them were unsupported at the time.

List of affected organizations

In alphabetical order:

Referensi

  1. “Ransomware attack still looms in Australia as Government warns WannaCry threat not over”. Retrieved 15 May 2017.
  2. Cameron, Dell. “Today’s Massive Ransomware Attack Was Mostly Preventable; Here’s How To Avoid It”. Retrieved 13 May 2017.
  3. Marsh, Sarah (12 May 2017). “The NHS trusts hit by malware – full list”. Retrieved 12 May 2017.
  4. “NHS cyber-attack: GPs and hospitals hit by ransomware”. BBC News. 12 May 2017. Retrieved 12 May 2017.
  5. Hern, Alex; Gibbs, Samuel (12 May 2017). “What is ‘WanaCrypt0r 2.0’ ransomware and why is it attacking the NHS?”. The Guardian. ISSN 0261-3077. Retrieved 12 May 2017.
  6. “Statement on reported NHS cyber attack”. digital.nhs.uk. Retrieved 12 May 2017.
  7. Cox, Joseph (12 May 2017). “A Massive Ransomware ‘Explosion’ Is Hitting Targets All Over the World”. Motherboard. Retrieved 12 May 2017.
  8. Larson, Selena (12 May 2017). “Massive ransomware attack hits 99 countries”. CNN. Retrieved 12 May 2017.
  9. “Ransomware virus plagues 75k computers across 99 countries”. RT International. Retrieved 12 May 2017.
  10. Larson, Selena (12 May 2017). “Massive ransomware attack hits 74 countries”. CNNMoney. Retrieved 12 May 2017.
  11. Leyden, John (12 May 2017). “WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain”. theregister.co.uk. Retrieved 12 May 2017.
  12. Menn, Joseph (17 February 2015). “Russian researchers expose breakthrough U.S. spying program”. Reuters. Retrieved 24 November 2015.
  13. “NSA-leaking Shadow Brokers just dumped its most damaging release yet”. Ars Technica. Retrieved 15 April 2017.
  14. “Microsoft Security Bulletin MS17-010 – Critical”. technet.microsoft.com. Retrieved 13 May 2017.
  15. Goodin, Dan. “>10,000 Windows computers may be infected by advanced NSA backdoor”. Ars Technica. Retrieved 14 May 2017.
  16. Goodin, Dan. “NSA backdoor detected on >55,000 Windows boxes can now be remotely removed”. Ars Technica. Retrieved 14 May 2017.
  17. Broersma, Matthew. “NSA Malware ‘Infects Nearly 200,000 Systems'”. Silicon. Retrieved 14 May 2017.
  18. “Cyber-attack: Europol says it was unprecedented in scale”. 13 May 2017 – via http://www.bbc.com.
  19. Newman, Lily Hay. “The Ransomware Meltdown Experts Warned About Is Here”. Wired.com. Retrieved 13 May 2017.
  20. Goodin, Dan. “An NSA-derived ransomware worm is shutting down computers worldwide”. Ars Technica. Retrieved 14 May 2017.
  21. “Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency”. The Telegraph. Retrieved 12 May 2017.
  22. “What you need to know about the WannaCry Ransomware”. Symantec Security Response. Retrieved 14 May 2017.
  23. Bilefsky, Dan; Perlroth, Nicole (12 May 2017). “Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool”. The New York Times. ISSN 0362-4331. Retrieved 12 May 2017.
  24. Clark, Zammis. “The worm that spreads WanaCrypt0r”. Malwarebytes Labs. malwarebytes.com. Retrieved 13 May 2017.
  25. Samani, Raj. “An Analysis of the WANNACRY Ransomware outbreak”. McAfee. Retrieved 13 May 2017.
  26. Thomas, Andrea; Grove, Thomas; Gross, Jenny (13 May 2017). “More Cyberattack Victims Emerge as Agencies Search for Clues”. Wall Street Journal. ISSN 0099-9660. Retrieved 14 May 2017.
  27. “WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit”. eWeek. Retrieved 13 May 2017.
  28. “WannaCry: BSI ruft Betroffene auf, Infektionen zu melden” (in German). heise online. Retrieved 14 May 2017.
  29. “NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP”. Motherboard. Retrieved 13 May 2017.
  30. Citation error: invalid <ref> tag; no text was provided for the reference named microsoftreleases.
  31. “Windows XP End of Support”. http://www.microsoft.com. Retrieved 13 May 2017.
  32. Citation error: invalid <ref> tag; no text was provided for the reference named auto.
  33. Collins, Keith. “Watch as these bitcoin wallets receive ransomware payments from the global cyberattack”. Quartz. Retrieved 14 May 2017.
  34. “WannaCry — New Variants Detected!”. blog.comae.io.
  35. Citation error: invalid <ref> tag; no text was provided for the reference named :3.
  36. “Global cyberattack strikes dozens of countries, cripples U.K. hospitals”. cbsnews.com. Retrieved 13 May 2017.
  37. Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). “Cyber-attack guides promoted on YouTube”. The Sunday Times. Retrieved 14 May 2017.
  38. Wong, Julia Carrie; Solon, Olivia (12 May 2017). “Massive ransomware cyber-attack hits 74 countries around the world”. The Guardian. London. Retrieved 12 May 2017.
  39. Citation error: invalid <ref> tag; no text was provided for the reference named guardian-nhs.
  40. Sharman, Jon (13 May 2017). “Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France”. http://www.independent.co.uk. Retrieved 13 May 2017.
  41. Rosemain, Mathieu; Le Guernigou, Yann; Davey, James (13 May 2017). “Renault stops production at several plants after ransomware cyber attack as Nissan also hacked”. http://www.mirror.co.uk. Retrieved 13 May 2017.
  42. “Lucky break slows global cyberattack; what’s coming could be worse”. Retrieved 14 May 2017.
  43. Helmore, Edward (13 May 2017). “Ransomware attack reveals breakdown in US intelligence protocols, expert says”. The Guardian. Retrieved 14 May 2017.
  44. “The Latest: Researcher who helped halt cyberattack applauded”. Star Tribune. Retrieved 14 May 2017.
  45. “Andhra police computers hit by cyberattack”. The Times of India. 13 May 2017. Retrieved 13 May 2017.
  46. “Atacul cibernetic global a afectat și Uzina Dacia de la Mioveni. Renault a anunțat că a oprit producția și în Franța”. Pro TV (in Romanian). 13 May 2017.
  47. “Hackers demand $54K in Cambrian College ransomware attack”. CBC.ca. Retrieved 16 May 2017.
  48. Lau, Mimi (14 May 2017). “Chinese police and petrol stations hit by ransomware attack”. South China Morning Post. Retrieved 15 May 2017.
  49. “Korean gov’t computers safe from WannaCry attack”. The Korea Herald. Retrieved 15 May 2017.
  50. “Weltweite Cyberattacke trifft Computer der Deutschen Bahn”. Frankfurter Allgemeine Zeitung (in German). 13 May 2017. Retrieved 13 May 2017.
  51. “Hackerský útok zasiahol aj Fakultnú nemocnicu v Nitre”. etrend.sk (in Slovak). 15 May 2017. Retrieved 15 May 2017.
  52. “What is Wannacry and how can it be stopped?”. Financial Times. 12 May 2017. Retrieved 13 May 2017.
  53. “เซิร์ฟเวอร์เกม Blade & Soul ของ Garena ประเทศไทยถูก WannaCrypt โจมตี” (in Thai). blognone.com. 13 May 2017. Retrieved 14 May 2017.
  54. “日立製作所 サイバー攻撃で社内システム一部に障害”. NHK News Web (in Japanese). 15 May 2017. Retrieved 15 May 2017.
  55. “Instituto Nacional de Salud, entre víctimas de ciberataque mundial”. El Tiempo (in Spanish). 13 May 2017.
  56. “Researcher ‘accidentally’ stops spread of unprecedented global cyberattack”. ABC News. Retrieved 13 May 2017.
  57. “UPDATE. Atac cibernetic la MAE. Cine sunt hackerii de elită care au falsificat o adresă NATO”. Libertatea (in Romanian). 12 May 2017.
  58. “Ontario health ministry on high alert amid global cyberattack”. Toronto Star.
  59. “LATAM Airlines también está alerta por ataque informático”. Fayerwayer. Retrieved 13 May 2017.
  60. “Massive cyber attack creates chaos around the world”. news.com.au. Retrieved 13 May 2017.
  61. “Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France”. The Independent. 13 May 2017. Retrieved 13 May 2017.
  62. “Ransomware WannaCry Surfaces In Kerala, Bengal: 10 Facts”. New Delhi Television Limited (NDTV). Retrieved 15 May 2017.
  63. Nambiar, Sanjana (16 May 2017). “Hit by WannaCry ransomware, civic body in Mumbai suburb to take 3 more days to fix computers”. Hindustan Times. Retrieved 17 May 2017.
  64. “PT Portugal alvo de ataque informático internacional”. Observador (in Portuguese). 12 May 2017. Retrieved 13 May 2017.
  65. “Parkeerbedrijf Q-Park getroffen door ransomware-aanval”. Nu.nl (in Dutch). 13 May 2017. Retrieved 14 May 2017.
  66. “France’s Renault hit in worldwide ‘ransomware’ cyber attack” (in Spanish). France 24. 13 May 2017. Retrieved 13 May 2017.
  67. “Global cyber attack: A look at some prominent victims” (in Spanish). elperiodico.com. 13 May 2017. Retrieved 14 May 2017.
  68. “Компьютеры РЖД подверглись хакерской атаке и заражены вирусом”. Radio Free Europe/Radio Liberty. Retrieved 13 May 2017.
  69. “WannaCry no Brasil e no mundo”. O Povo (in Portuguese). 13 May 2017. Retrieved 13 May 2017.
  70. Amjad Shacker [AmjadShacker] (14 May 2017) (Tweet).
  71. Citation error: invalid <ref> tag; no text was provided for the reference named vidal.
  72. “Un ataque informático masivo con ‘ransomware’ afecta a medio mundo” (in Spanish). elperiodico.com. 12 May 2017. Retrieved 13 May 2017.
  73. Balogh, Csaba (12 May 2017). “Ideért a baj: Magyarországra is elért az óriási kibertámadás”. HVG (in Hungarian). Retrieved 13 May 2017.
  74. “Timrå kommun drabbat av utpressningsattack” (in Swedish). Sveriges Television. 13 May 2017. Retrieved 15 May 2017.
  75. “Virus Ransomware Wannacry Serang Perpustakaan Universitas Jember”. Tempo (in Indonesian). 16 May 2017. Retrieved 17 May 2017.
  76. “Il virus Wannacry arrivato a Milano: colpiti computer dell’università Bicocca”. la Repubblica (in Italian). 12 May 2017. Retrieved 13 May 2017.
  77. “Some University of Montreal computers hit with WannaCry virus”. The Globe and Mail. 16 May 2017. Retrieved 16 May 2017.

Source:

 


#Malware Protection Center | microsoft.com | May 12, 2017

Ransom: Win32/WannaCrypt


Also detected as: WORM_WCRY.A (Trend Micro), Ransom_WCRY.I (Trend Micro), Trojan.Ransom.WannaCryptor.H (BitDefender), Trojan/Win32.WannaCryptor (AhnLab), Ransom.Wannacry (Symantec), Trojan-Ransom.WannaCry (Ikarus), Win32/Exploit.CVE-2017-0147.A trojan (ESET), Win32/Filecoder.WannaCryptor.D trojan (ESET), Ransom-O (McAfee), Troj/Ransom-EMG (Sophos), Trojan horse FileCryptor.OYP (AVG), W32/Wanna.D!tr (Fortinet), WannaCry (other), Ransom:Win32/WannaCrypt
Alert level: Severe

Summary

Windows Defender AV detects and removes this threat.

This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. We remind all customers to keep computers up-to-date.

The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. The exploit does not affect Windows 10 PCs.

For more information about this ransomware (which is also known as WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, or WCRY), you can read the following entries on the Windows Security blog and Microsoft Security Response Center:

You can also read more on our ransomware page. Find out ways that malware can get on your PC.

What to do now

There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files.

If you’ve already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Use cloud protection

Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.

To check if it’s running, go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection settings is turned On.

Get more help

Technical Information

Threat behavior

Arrival

This threat arrives as a dropper Trojan that has two components:

  • A component that attempts to exploit the CVE-2017-0145 vulnerability in other computers
  • Ransomware component

It tries to connect to the following domains:

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If this threat successfully connects to the domains, it stops running. Because of this, IT administrators should NOT block these domains. This threat is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
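A defender-side check for the kill-switch behaviour described above, added here as an example (not Microsoft's code): it resolves each kill-switch domain the way the malware would (direct DNS, no proxy) and confirms that TCP/80 accepts a connection, which is exactly what an internal sinkhole record must satisfy. The `resolve` and `connect` parameters are assumed hooks that default to real socket calls and can be replaced with stand-ins to exercise the logic offline.

```python
"""Check that the WannaCrypt kill-switch domains resolve and accept TCP/80.

Added example, not Microsoft's code. The domains are the two .com entries
listed in the advisory (copied in their defanged form). `resolve` and
`connect` are assumed hooks: by default they use the real socket calls, and
tests can pass stand-ins so the logic runs offline.
"""
import socket
from typing import Callable, Dict, List, Optional

# Kill-switch domains exactly as the advisory lists them (defanged with [.]).
KILL_SWITCH_DOMAINS = [
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged 'host[.]tld' notation back into a hostname."""
    return domain.replace("[.]", ".")


def resolve_direct(host: str) -> Optional[str]:
    """Plain A-record lookup from this host; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a direct TCP handshake to ip:port completes (no proxy involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kill_switch(
    domains: List[str],
    resolve: Callable[[str], Optional[str]] = resolve_direct,
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, dict]:
    """Report, per domain, whether DNS answers and whether TCP/80 accepts.

    The malware is not proxy-aware, so a proxy-only egress path does not
    satisfy it: the host itself must get a DNS answer and complete a TCP
    connection to port 80. An internal sinkhole that meets both conditions counts.
    """
    report: Dict[str, dict] = {}
    for defanged in domains:
        host = refang(defanged)
        entry = {"host": host, "ip": None, "resolves": False, "tcp80": False}
        ip = resolve(host)
        if ip:
            entry["ip"] = ip
            entry["resolves"] = True
            entry["tcp80"] = connect(ip, 80)
        report[host] = entry
    return report


def kill_switch_effective(report: Dict[str, dict]) -> bool:
    """Every listed domain must resolve and accept TCP/80 for the check to pass."""
    return bool(report) and all(e["resolves"] and e["tcp80"] for e in report.values())


if __name__ == "__main__":
    result = check_kill_switch(KILL_SWITCH_DOMAINS)  # live check from this host
    for host, entry in result.items():
        print(f"{host}: resolves={entry['resolves']} ip={entry['ip']} tcp80={entry['tcp80']}")
    print("kill switch reachable:", kill_switch_effective(result))
```

Run it from a workstation in each network segment: a False in either column means a host in that segment would not hit the kill switch and would proceed to encrypt.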

This Trojan dropper then creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”

This threat uses publicly available exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit attack. The said vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

Installation

When run, the ransomware component creates the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: “<random string>”
With data: “<malware working directory>\tasksche.exe”

In subkey: HKLM\SOFTWARE\WanaCrypt0r
Sets value: “wd”
With data: “<malware working directory>”

It also modifies the following registry entry to change your computer’s wallpaper:

In subkey: HKCU\Control Panel\Desktop
Sets value: “Wallpaper”
With data: “<malware working directory>\@WanaDecryptor@.bmp”

It creates the following files in the malware’s working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

It may also create the following files:

It may create a randomly named service that has the following associated ImagePath:

"cmd.exe /c "<malware working directory>\tasksche.exe""

Payload

Encrypts files

This threat searches for and encrypts files with the following filename extensions:

.123      .jpeg      .rb
.602      .jpg       .rtf
.doc      .js        .sch
.3dm      .jsp       .sh
.3ds      .key       .sldm
.3g2      .lay       .sldm
.3gp      .lay6      .sldx
.7z       .ldf       .slk
.accdb    .m3u       .sln
.aes      .m4u       .snt
.ai       .max       .sql
.ARC      .mdb       .sqlite3
.asc      .mdf       .sqlitedb
.asf      .mid       .stc
.asm      .mkv       .std
.asp      .mml       .sti
.avi      .mov       .stw
.backup   .mp3       .suo
.bak      .mp4       .svg
.bat      .mpeg      .swf
.bmp      .mpg       .sxc
.brd      .msg       .sxd
.bz2      .myd       .sxi
.c        .myi       .sxm
.cgm      .nef       .sxw
.class    .odb       .tar
.cmd      .odg       .tbk
.cpp      .odp       .tgz
.crt      .ods       .tif
.cs       .odt       .tiff
.csr      .onetoc2   .txt
.csv      .ost       .uop
.db       .otg       .uot
.dbf      .otp       .vb
.dch      .ots       .vbs
.der      .ott       .vcd
.dif      .p12       .vdi
.dip      .PAQ       .vmdk
.djvu     .pas       .vmx
.docb     .pdf       .vob
.docm     .pem       .vsd
.docx     .pfx       .vsdx
.dot      .php       .wav
.dotm     .pl        .wb2
.dotx     .png       .wk1
.dwg      .pot       .wks
.edb      .potm      .wma
.eml      .potx      .wmv
.fla      .ppam      .xlc
.flv      .pps       .xlm
.frm      .ppsm      .xls
.gif      .ppsx      .xlsb
.gpg      .ppt       .xlsm
.gz       .pptm      .xlsx
.h        .pptx      .xlt
.hwp      .ps1       .xltm
.ibd      .psd       .xltx
.iso      .pst       .xlw
.jar      .rar       .zip
.java     .raw

It appends .WNCRY to the filename of encrypted files. For example:

  • file.docx is renamed to file.docx.WNCRY
  • file.pdf is renamed to file.pdf.WNCRY

This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies. It then replaces the desktop background image with the following message:

[Image: wannacrypt-ransom-note (the replacement desktop wallpaper)]

It also runs an executable showing a ransomnote, which indicates a $300 ransom as well as a timer:

[Image: wannacrypt-ransom-executable (the ransom note window with timer)]

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

Spreads to unpatched computers

To spread, this threat uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. The exploit does not affect Windows 10 PCs.

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel.

The Internet scanning routine randomly generates octets to form an IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat skips the generated address if the value of the first octet is 127 or is equal to or greater than 224, in order to avoid local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop for infecting other machines. The vicious infection cycle continues as the scanning routine discovers unpatched computers.
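Added example (not part of Microsoft's analysis) of the SecOps observation above: a sliding-window detector that flags a source reaching many distinct TCP/445 destinations within a short window and reports how many of those lie outside RFC 1918 space, since the worm scans both the LAN and random Internet addresses. The one-connection-per-line log format, the thresholds and the sample hosts are constructed assumptions, not values from the advisory.

```python
"""Flag hosts whose TCP/445 connection pattern looks like the WannaCrypt scanner.

Added example; not code from Microsoft's analysis. The log lines are a
constructed "one connection per line" format (adapt parse_line to your
firewall or NetFlow export). WINDOW_SECONDS and DISTINCT_DST_THRESHOLD are
assumed tuning knobs, not values from the advisory.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
WINDOW_SECONDS = 60          # length of the sliding window
DISTINCT_DST_THRESHOLD = 20  # distinct SMB targets inside one window that trigger an alert
# RFC 1918 only; ipaddress.is_private would also hide the documentation ranges used below.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 space; the worm hits both the LAN and random Internet IPs."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int, str]]:
    """Parse one constructed log line; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def detect_smb_scanners(lines: Iterable[str], window: int = WINDOW_SECONDS,
                        threshold: int = DISTINCT_DST_THRESHOLD) -> Dict[str, dict]:
    """Return {src: {...}} for sources hitting >= threshold distinct TCP/445 peers in `window` s.

    A client talking to one file server a thousand times never trips this:
    the count is of distinct destinations, which is what scanning produces.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if proto == "tcp" and dport == 445:
            events[src].append((ts, dst))
    alerts: Dict[str, dict] = {}
    for src, conns in events.items():
        conns.sort()                      # chronological order per source
        recent = deque()                  # (ts, dst) pairs inside the window
        per_dst = defaultdict(int)        # dst -> hits inside the window
        for ts, dst in conns:
            recent.append((ts, dst))
            per_dst[dst] += 1
            while (ts - recent[0][0]).total_seconds() > window:   # evict stale entries
                _old_ts, old_dst = recent.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            distinct = len(per_dst)
            if distinct >= threshold and distinct > alerts.get(src, {}).get("distinct_dst", 0):
                alerts[src] = {
                    "distinct_dst": distinct,
                    "internet_dst": sum(1 for d in per_dst if not is_internal(d)),
                    "window_start": recent[0][0].isoformat(),
                }
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one worm-like host, one busy file-server client, one web crawler."""
    def ts(sec: int) -> str:
        return f"2017-05-12T08:00:{sec:02d}Z"
    lines = []
    # 10.0.0.7 touches 15 LAN hosts and 10 Internet hosts on 445 within 25 seconds.
    worm_targets = [f"10.0.0.{100 + i}" for i in range(15)] + [f"203.0.113.{i + 1}" for i in range(10)]
    for i, dst in enumerate(worm_targets):
        lines.append(f"{ts(i)} src=10.0.0.7 dst={dst} dport=445 proto=tcp")
    for i in range(30):   # 30 SMB connections to the same file server: volume, one destination
        lines.append(f"{ts(i)} src=10.0.0.20 dst=10.0.0.50 dport=445 proto=tcp")
    for i in range(25):   # many destinations, but on TCP/80, so not SMB at all
        lines.append(f"{ts(i)} src=10.0.0.30 dst=198.51.100.{i + 1} dport=80 proto=tcp")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, info in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info}")
```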

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

SHA1s used in this analysis:


Analysis by: Andrea Lelli

Symptoms

The following can indicate that you have this threat on your PC:

  • The file name extension .WNCRY is appended to your files
  • You see the following files:
    • 00000000.eky
    • 00000000.pky
    • 00000000.res
    • 274901494632976.bat
    • @Please_Read_Me@.txt
    • @WanaDecryptor@.bmp
    • @WanaDecryptor@.exe
    • b.wnry
    • c.wnry
    • f.wnry
    • m.vbs
    • msg\m_bulgarian.wnry
    • msg\m_chinese (simplified).wnry
    • msg\m_chinese (traditional).wnry
    • msg\m_croatian.wnry
    • msg\m_czech.wnry
    • msg\m_danish.wnry
    • msg\m_dutch.wnry
    • msg\m_english.wnry
    • msg\m_filipino.wnry
    • msg\m_finnish.wnry
    • msg\m_french.wnry
    • msg\m_german.wnry
    • msg\m_greek.wnry
    • msg\m_indonesian.wnry
    • msg\m_italian.wnry
    • msg\m_japanese.wnry
    • msg\m_korean.wnry
    • msg\m_latvian.wnry
    • msg\m_norwegian.wnry
    • msg\m_polish.wnry
    • msg\m_portuguese.wnry
    • msg\m_romanian.wnry
    • msg\m_russian.wnry
    • msg\m_slovak.wnry
    • msg\m_spanish.wnry
    • msg\m_swedish.wnry
    • msg\m_turkish.wnry
    • msg\m_vietnamese.wnry
    • r.wnry
    • s.wnry
    • t.wnry
    • TaskData\Tor\libeay32.dll
    • TaskData\Tor\libevent-2-0-5.dll
    • TaskData\Tor\libevent_core-2-0-5.dll
    • TaskData\Tor\libevent_extra-2-0-5.dll
    • TaskData\Tor\libgcc_s_sjlj-1.dll
    • TaskData\Tor\libssp-0.dll
    • TaskData\Tor\ssleay32.dll
    • TaskData\Tor\taskhsvc.exe
    • TaskData\Tor\tor.exe
    • TaskData\Tor\zlib1.dll
    • taskdl.exe
    • taskse.exe
    • u.wnry
    • %SystemRoot%\tasksche.exe
    • %SystemDrive%\intel\<random directory name>\tasksche.exe
    • %ProgramData%\<random directory name>\tasksche.exe
  • You see the following messages and ransom note:

[Image: wannacrypt-ransom-note (the replacement desktop wallpaper)]

[Image: wannacrypt-ransom-executable (the ransom note window with timer)]
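Added example, not Microsoft's code: a read-only sweep over a directory tree for the file-level symptoms listed above (the .WNCRY suffix, @Please_Read_Me@.txt notes, the .wnry support files and the named dropper binaries). The tree it scans is constructed in a temporary directory so the sweep can run offline; point scan_for_wannacry at a real profile or share to use it.

```python
"""Sweep a directory tree for the on-disk symptoms of Ransom:Win32/WannaCrypt.

Added example, not Microsoft's code. The indicator names come from the
Symptoms list above; the directory layout produced by build_demo_tree is
constructed here purely so the sweep has something to run against offline.
"""
import os
import tempfile
from typing import Dict, List

# File names from the Symptoms list, matched case-insensitively.
ARTIFACT_NAMES = {
    "@please_read_me@.txt", "@wanadecryptor@.exe", "@wanadecryptor@.bmp",
    "tasksche.exe", "taskdl.exe", "taskse.exe",
    "00000000.eky", "00000000.pky", "00000000.res",
}
ENCRYPTED_SUFFIX = ".wncry"        # appended to every encrypted file
SUPPORT_SUFFIX = ".wnry"           # ransom texts, config and helper blobs
RANSOM_NOTE = "@please_read_me@.txt"


def scan_for_wannacry(root: str) -> Dict[str, object]:
    """Walk `root` read-only and collect every matching indicator path."""
    report: Dict[str, object] = {
        "encrypted_files": [],     # paths ending in .WNCRY
        "support_files": [],       # *.wnry files
        "artifacts": [],           # known dropper / decryptor file names
        "folders_with_note": [],   # folders holding @Please_Read_Me@.txt
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(path)
            if lower.endswith(SUPPORT_SUFFIX):
                report["support_files"].append(path)
            if lower in ARTIFACT_NAMES:
                report["artifacts"].append(path)
            if lower == RANSOM_NOTE:
                report["folders_with_note"].append(dirpath)
    # Encrypted files or a dropper binary are decisive; a lone .wnry is only a hint.
    report["infected"] = bool(report["encrypted_files"] or report["artifacts"])
    return report


def build_demo_tree(base: str) -> None:
    """Create a constructed tree that mimics an infected user profile (sample data)."""
    layout: List[str] = [
        "Documents/report.docx.WNCRY",
        "Documents/budget.xlsx.WNCRY",
        "Documents/@Please_Read_Me@.txt",
        "Pictures/holiday.jpg.WNCRY",
        "Pictures/@Please_Read_Me@.txt",
        "Pictures/untouched.png",
        "ProgramData/xyz123/tasksche.exe",
        "ProgramData/xyz123/msg/m_english.wnry",
        "ProgramData/xyz123/c.wnry",
    ]
    for rel in layout:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample")


def demo(infected: bool = True) -> Dict[str, object]:
    """Scan a temporary directory, populated with the constructed tree when `infected`."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_demo_tree(tmp)
        return scan_for_wannacry(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"infected={r['infected']} encrypted={len(r['encrypted_files'])} "
          f"notes_in={len(r['folders_with_note'])} folders artifacts={len(r['artifacts'])}")
```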

Source:

 


#idsirtii.or.id | 14 May 2017

What is WannaCry?


Recently a new ransomware has been spreading widely. This ransomware attacks globally, hitting both the private sector and government. The malware has been identified as a variant of the ransomware known as WannaCry, Wanna Decrypt0r, WannaCryptor or WCRY.

If you are hit by this malware, the attacker demands money in the form of bitcoin, to be paid through a link they specify. The amount demanded is around 300 US dollars.

As mentioned above, this malware spreads globally, and it has also been identified in various languages: English, Chinese, Spanish and Filipino, including Indonesian. Below is a map of the spread of the WannaCry ransomware.

[Image: wannacrypt-ransom-executable]

How can we become infected with the WannaCry ransomware?

WCry currently spreads through the leaked NSA exploits recently released by the Shadow Brokers group. The French researcher Kafeine believes that WCry spreads through the ETERNALBLUE exploit.

ETERNALBLUE is a vulnerability in the SMBv1 protocol. This exploit attacks systems that:

  1. Run the SMBv1 protocol
  2. Are reachable from the internet
  3. Have not applied the MS17-010 patch

Once this malware attacks one computer, it quickly attacks the other computers on the same network.

How can we protect ourselves from the attack?

  1. Back up regularly
  2. Patch the SMBv1 service (the patch has been available for 2 months)

Here is the link to the patch:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  3. Do not open suspicious files from email
  4. Install antivirus and Internet Security software

If you have already been hit by WCry, the following actions are recommended:

  1. Disable SMBv1
  2. Block ports 139/445 and 3389
  3. Patch the SMBv1 service
  4. Try visiting this site for first aid

https://www.nomoreransom.org/crypto-sheriff.php

Source:

Source:

 


#idsirtii.or.id | Monday, 15 May 2017

Press Release on Preventing the WannaCry Ransomware

ID-SIRTII/CC


 

Advisory to immediately take preventive action against the malware threat, specifically the WannaCRY ransomware

Introduction

Ransomware is a type of malicious software, or malware, that attacks a victim's computer by locking it or by encrypting all the files on it so that they can no longer be accessed. This year a new type of ransomware has emerged and is expected to claim many victims. This new ransomware is called Wannacry. The Wannacry ransomware targets Windows-based PCs that have a weakness in the SMB function running on the computer. Wannacry attacks are currently believed to have claimed many victims in various countries.

Infection and Spread

Wannacry infects a computer by encrypting all the files on it and, using the weakness in the SMB service, can execute commands and then spread to other Windows computers on the same network. Every Internet-connected computer that still has this weakness, and especially computers on the same network, is potentially exposed to the Wannacry threat. Every infected Windows computer shows a screen like the one below:

[Image: WannaCrypt ransom screen]

The screen shows that Wannacry demands a ransom so that the files hijacked by encryption can be restored to their normal state. The ransom demanded is a bitcoin payment equivalent to 300 US dollars. Wannacry provides a bitcoin address for the payment. It also gives a final payment deadline and a time at which the ransom will increase if it has not yet been paid.

Preventive action before infection

Take the following steps to prevent infection by the Wannacry ransomware:

  1. Update the security of your Windows system by installing the MS17-010 patch released by Microsoft. See: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  2. Do not enable the macros function
  3. Disable the SMB v1 function
  4. Block ports 139/445 and 3389
  5. Always back up the important files on your computer and keep the copies elsewhere

Action after infection

There is currently no fast and reliable solution for recovering files that have already been infected by Wannacry. However, disconnecting the infected computer from the Internet will stop Wannacry spreading to other vulnerable computers. For online consultation, refer to https://www.nomoreransom.org  email: incident@idsirtii.or.id

Source:

Source:

 


#Symantec Security Response | symantec.com | 12 May 2017

What you need to know about the WannaCry Ransomware


The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.

UPDATE: May 23, 2017 00:30 GMT:

Symantec has uncovered further links to more closely tie the WannaCry attacks with the Lazarus group. For further details, see: WannaCry: Ransomware attacks show strong links to Lazarus group

UPDATE: May 15, 2017  23:24:21 GMT:

Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack and the Lazarus group:

  • Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed. 
  • Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants. 

While these findings do not indicate a definitive link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network by exploiting critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017 (MS17-010). The exploit, known as “Eternal Blue,” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.

Am I protected from the WannaCry ransomware?

Symantec Endpoint Protection (SEP) and Norton have proactively blocked any attempt to exploit the vulnerabilities used by WannaCry, meaning customers were fully protected before WannaCry first appeared. SEP14 Advanced Machine Learning proactively blocked all WannaCry infections on day zero, without any updates.

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are automatically protected against WannaCry using a combination of technologies. Proactive protection was provided by:

  • IPS network-based protection
  • SONAR behavior detection technology
  • Advanced Machine Learning
  • Intelligent Threat Cloud

Customers should have these technologies enabled for full proactive protection. SEP customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by Advanced Machine Learning signatures.

What is the WannaCry ransomware?

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days it claims the encrypted files will be deleted. However Symantec has not found any code within the ransomware which would cause files to be deleted.

Can I recover the encrypted files or should I pay the ransom?

Decryption of encrypted files is not possible at present but Symantec researchers continue to investigate the possibility. See this article for further details. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.

In some cases, files may be recovered without backups. Files saved on the Desktop, My Documents, or on a removable drive are encrypted and their original copies are wiped. These are not recoverable. Files stored elsewhere on a computer are encrypted and their original copies are simply deleted. This means they could be recovered using an undelete tool.

When did WannaCry appear and how quickly did it spread?

WannaCry first appeared on Friday, May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerabilities used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high. Exploit numbers increased on Monday, presumably as people returned to work after the weekend.

Figure 1. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per hour

Figure 2. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per day

Figure 3. Heatmap showing Symantec detections for WannaCry, May 11 to May 15

Who is impacted?

Any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of its ability to spread across networks, and a number of organizations globally have been affected, the majority of which are in Europe. However, individuals can also be affected.

Is this a targeted attack?

Current WannaCry activity is not believed to be part of a targeted attack.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks without user interaction, by exploiting known vulnerabilities in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.

How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection—how the first computer in an organization is infected—remains unconfirmed. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.

How does the ransom payment work?

The WannaCry attackers request that the ransom be paid using Bitcoins. WannaCry generates a unique Bitcoin wallet address for each infected computer; however, due to a race condition bug this code does not execute correctly. WannaCry then defaults to three hardcoded Bitcoin addresses for payment. The attackers are unable to identify which victims have paid using the hardcoded addresses, meaning that victims are unlikely to get their files decrypted.

The WannaCry attackers subsequently released a new version of the malware that corrected this flaw, however this version was not as successful as the original.

On May 18, a new notice was displayed on infected computers informing victims that files will be decrypted if the ransom is paid.

What are the details on Symantec’s protection?

Network-based protection
Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

SONAR behavior detection technology

Advanced Machine Learning

Antivirus

For expanded protection and identification purposes, the following Antivirus signatures have been updated:

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

  • 20170512.009

The following IPS signature also blocks activity related to Ransom.Wannacry:

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.

Source:

 


#Robert Shaker | symantec.com | 15 May 2017

WannaCry Ransomware: Top 10 Ways Symantec Incident Response Can Help


How IR can detect, remediate and protect against future ransomware attacks

On May 12th, a new ransomware worm dubbed WannaCry (detected as Ransom.Wannacry) started spreading quickly. It’s now been reported in more than 150 countries around the globe, affecting hundreds of thousands of machines and more than 10,000 companies. WannaCry spreads by taking advantage of a Windows vulnerability, which was patched by Microsoft in March.

Ransomware like WannaCry forces its victims – individuals and organizations – to pay ransom through specifically noted payment methods in order to grant access to their machine, or to get their data back.

The growth of types of ransomware attacks is accelerating, as seen with WannaCry. It’s important to understand your options should you fall victim. Symantec Incident Response can help organizations with validating attacks and with making decisions on what to do next.

In this blog, you’ll learn 10 ways Symantec Incident Response Services can help organizations that are infected with ransomware such as WannaCry, depending on their situation. Incident Response Services is part of our Cyber Security Services, which include Managed Security Services for monitoring and DeepSight Intelligence services, and uses Symantec Security Analytics (formerly the BlueCoat Security Analytics Platform).

1. We can help identify the primary infector and contain further spread

More info: Our research and past engagements have discovered that ransomware is rarely the primary infector. Either a spam email with a malicious hyperlink or file attachment, drive-by downloads and watering hole attacks, malicious downloaders and droppers, or other malware (e.g. Trojan.Zbot) is responsible for an initial infection that then leads to a follow-on ransomware attack.

Using Symantec Security Analytics, formerly BlueCoat Security Analytics network forensic platform, we can analyze malicious traffic to identify additional active attacks that may be going undetected within your environment. This holistic approach to the incident ensures that we identify the primary attack vector, which is critical to understanding the attacker’s primary campaign target, and ensures that you aren’t missing the actual attack by focusing solely on the ransomware activity.

Our Incident Response Services can then take appropriate steps to engage the adversary, contain the attacks, and work to recommend ways to prevent the primary infector in the future.

2. We can provide incident-specific recommendations to prevent success of future similar attacks

Use case exhibiting points 1 & 2: Symantec Incident Response was contacted to assist in a ransomware infection. The malware was encrypting PDF and executable files on network shares and exhibiting network worm‐like behavior. The customer was experiencing the outbreak in two global centers, causing significant disruption to their environment.

Using Symantec’s Endpoint Protection and Symantec Security Analytics, formerly BlueCoat Security Analytics products, the Incident Response Services team confirmed a new malware variant was being utilized. The malicious code was identified on a number of endpoints and numerous file shares within the organization. Symantec Incident Response was able to contain and eradicate the threat.

By performing an in‐depth analysis of all data available, Symantec Incident Response was able to identify the cause of the repeated infections and assist the customer with implementing controls to prevent any further outbreaks as well as assisting them to enhance their endpoint protection environment overall. Within 72 hours the environment was under control, which included Symantec’s identification and removal of multiple additional threats including undetected banking Trojans.

The Incident Response team coordinated with Symantec Managed Security Services and DeepSight Intelligence teams throughout the engagement to provide quicker remediation. Malware Reverse Engineers wrote a decryption tool that was able to decrypt infected PDF files infected with this particular malware.

3. We can identify Patient Zero

More info: Patient Zero is the root cause of a ransomware attack. By identifying this person or system, you’re able to determine the level of administration privileges the attacker may have gained access to and better determine the trajectory of the attack after the initial compromise. Determining Patient Zero requires a broad view of the environment to reconstruct the spread of the attack. Symantec Incident Response teams have network and endpoint forensics products at their disposal, powered by the Symantec Global Intelligence Network, to quickly and accurately understand the attack’s chain of events.

4. We can determine whether the victim organization is the primary target or merely collateral damage to gauge risk of reinfection

Use case: During an incident investigation, Symantec’s investigators have access to Symantec’s Global Intelligence Network, including threat and adversary intelligence from DeepSight Managed Adversary and Threat Intelligence, and telemetry on hundreds of millions of endpoints and millions of attack sensors. With this information, Symantec Incident Response Services can determine how widespread the attack is, who the attackers are, the attackers’ level of sophistication, whether or not other variants of the attack exist, and any Indicators of Compromise (IOCs) related to them. This intelligence combined with findings from using Symantec Security Analytics, formerly BlueCoat Security Analytics platform, allows Symantec Incident Response Services investigators to develop more robust containment plans and make better remediation recommendations to prevent further attacks of the same type.

Additionally, we regularly see customers taking the approach of wiping an endpoint affected by ransomware and putting it back into circulation without a second thought. In one scenario, the attackers used wiper tools to cover their tracks after conducting a targeted, multi-stage attack across the customer environment. Had that customer not engaged us to investigate the ransomware issue, the attackers would most likely still be in their network.

This validates Symantec’s stance on advising victims not to pay the attackers for the following reasons:

  • Paying the ransom puts you on the future target list of attackers who want to maximize their hit rates. As a former payer, you are more likely to be targeted a second time.
  • Paying attackers only perpetuates the problem and keeps the incentive for these attacks going.

5. We can determine if ransomware is actually encrypting data or deleting and overwriting data

Use case: In the use case above, we were able to determine that the data had, in fact, not been encrypted. The attackers had planted ransomware notices to give the customer the impression that the data was encrypted in an attempt to masquerade their true intentions.

This validates Symantec’s stance on advising victims not to pay the attackers for the following reasons:

There is no guarantee the files are actually encrypted. In our ransomware investigations we have seen cases where the data is not actually encrypted. Engaging Symantec Incident Response Services in a ransomware incident can lead to a more informed decision by the customer on what steps to take next.

6. We can help victims create a data recovery plan by analyzing the malware to determine how data was encrypted.

Use case: Ransomware denies access to a user’s data by encrypting it and deleting the original copy. The methods in which ransomware accomplishes these tasks varies widely in terms of sophistication. In the worst case, the malware implements the cryptographic algorithm correctly, exercises proper key management, and securely deletes the original copy of the user’s data. In many cases, however, the malware writer makes mistakes in implementation that can be exploited by incident responders to recover data more easily. A skilled malware analyst can reverse engineer the ransomware to identify any weaknesses in implementation and help the user recover their data.

7. We can work with the customer’s data recovery provider to help determine their best plan of action based on the specific threat.

Use case: In many cases, customers hire a data recovery service to assist in the ransomware recovery process. The recovery process is unique to each individual situation and can depend heavily on the sophistication of the malware used. After analyzing the malware to understand how it encrypts and erases data, Symantec Incident Response Services can work with the data recovery provider to develop an efficient and effective data recovery plan.

8. Incident Response Services is truly a team sport. In the role of Breach Coach, we help customers in decisions regarding both internal and external communications, reporting requirements, interaction with Law Enforcement, etc.

More info: Many customers overlook the non-technical aspects of a ransomware attack, which can have an equal or greater impact on a business than the technical aspects of an attack. Symantec Incident Response Services investigators have, on average, a decade of experience handling a wide variety of cyber attacks and can assist our customers in understanding the non-technical aspects of an attack and helping them make smart decisions.

9. Through our relationship with DeepSight’s Managed Adversary and Threat Intelligence (MATI) team, we are able to provide additional intelligence about the attackers, providing customers with more context around the incident

More info: Assigning accurate attribution and determining motives will aid greatly in preventing future attacks. For example, if an incident response team is able to determine that the adversary in a specific attack is a nation‐state, you’re able to take a look at the other tactics commonly seen in that particular nation and raise your defenses in those areas in an attempt to thwart future incidents from happening.

10. We can help customers understand how to protect themselves from future attacks.

Use case: In one scenario, a customer had been infected with Cryptolocker, and upon further investigation it was determined that the initial compromise resulted from a phishing attack. Understanding that there was a weakness in the human layer of security helped the company prioritize better end user training and put in place a more thorough skills development program, strengthening their weak points. It’s clear from new attacks like WannaCry that adversaries are getting creative when it comes to creating new types of ransomware. They’re seeing its effectiveness and taking full advantage. With help from Symantec Incident Response, ransomware doesn’t always have to equal disaster.

Want to know more?

Source:

 


#Pascal Millaire | symantec.com | 15 May 2017

WannaCry Ransomware: 6 Implications for the Insurance Industry


The WannaCry ransomware is one of the most significant and widespread cyber security attacks ever experienced. In addition to causing substantial disruption to businesses globally, it also illustrates the emerging risks that the insurance industry faces when it comes to cyber attacks.

This article provides background about the attack, which continues to unfold, and calls out implications for the insurance industry as cyber risk permeates more aspects of the global economy.

Background

On May 12, 2017 a new variant of the Ransom.CryptXXX family of ransomware began impacting a large number of organizations, particularly in Europe.

WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows computers (MS17-010). The exploit, known as “Eternal Blue”, was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.

There are reports of infections in over 100 countries, including high profile targets and many others that remain unreported in the public domain. At least 16 National Health Service (NHS) organizations in the UK have been hit with some outpatient services being canceled; Deutsche Bahn has confirmed some passenger information displays and ticket machines were inoperative; and Spanish telecom company Telefónica confirmed the ransomware has impacted parts of its IT system.

More information about the security implications of WannaCry is available from Symantec in the article “What you need to know about the WannaCry Ransomware”. But in addition to impacting the security industry, the event has substantial implications for insurers.

What does this mean for insurers?

1. Insurance Aggregation Events are No Longer Geographically Constrained: Unlike natural catastrophes, where insurers have a geographically contained footprint, companies impacted by cyber attack cross geographic boundaries and are difficult to track. Big data analytics from major technology companies with a large install base can provide modeling for how such a risk is likely to spread. For example, in 2016 Symantec tracked 357MM new malware variants leveraging a detection network of 225MM devices in 157 countries. Ransomware is a particularly pernicious form of malware with 464K detections (up 36% in 2016). Data-driven methods will be needed to model historical events and understand what learnings they provide about the impact of cyber aggregation scenarios, like WannaCry.

2. Need to Stress Test Insurer Losses Against Cyber Aggregation Scenarios: Cyber risk is embedded into all aspects of the global economy and therefore into policies that spread far beyond standalone affirmative cyber data loss insurance. Vendors, such as Symantec, are partnering with insurers to develop and model these scenarios based on the highest frequency and severity potential aggregation events.

The spread of self-propagating mega malware taking advantage of a vulnerability in a systemically important operating system (much like this month’s WannaCry attack) is a core scenario (scenario 19) in the probabilistic cyber aggregation model that Symantec Cyber Insurance is releasing this summer. Similarly, the service interruption to a major cloud service provider and an attack on a DNS provider were all scenarios envisaged by modeling firms such as Symantec and were realized in the past 12 months with the AWS S3 outage and the Mirai DDoS attack. (For more information see “3 Reasons Why the Insurance Industry Will Never Be the Same After the Mirai DDoS Attack”).

Scenario-based approaches can never cover all eventualities but recent evidence suggests the events that most concern cyber experts are indeed the events that have transpired.

3. ‘Underwriting Due Diligence’ is a Critical First Line of Defense Against this Novel Risk: Although cyber risk is new, it is a risk that can be partially understood with specialist cyber insurance underwriters that know what questions to ask. Best in class enterprise security with multiple layers of protection is often needed for tackling advanced persistent threats seeking to infiltrate sensitive data in a targeted attack. In the case of WannaCry, with an untargeted attack, families who simply have our Norton product have protection against WannaCry. Having underwriters that understand the importance and having minimum security standards in place, like leading endpoint protection, is an important first start.

4. Security Analytics can Supplement Insurance Data Sets to Inform Underwriting Practices: The current WannaCry malware exploits a Microsoft vulnerability that has been publicly known since March 14th 2017, when an update was made available by Microsoft. These vulnerabilities are exposed all of the time. For example, in the May 2017 Microsoft update alone, issued since the WannaCry announcement, 17 vulnerabilities were rated critical. Underwriters can ask their prospective insureds about patching cadence; however, the answer, if they get one at all, is not as simple as “we patch every X days”. Insurers can supplement this data with reference tables from Symantec Cyber Insurance with benchmarks for aggregated peer comparables and refine underwriting strategy based on granular security data.

5. Discover Vulnerabilities with Automated Underwriting Intelligence: In some cases, insurers do not even need to ask questions about whether a particular technology is in place as outside-in tools from companies like Symantec can observe externally observable signals associated with IP addresses and websites owned by a company. For example, Symantec’s website security scans in 2016 found that 24% of websites had no known vulnerabilities, 67% had non-critical vulnerabilities and 9% had critical vulnerabilities. This data can rapidly prioritize which insureds a carrier will underwrite.

6. Insurers as Trusted Advisors During Major Cyber Events: With the rapid growth of cyber insurance, insurers have become a trusted source of guidance in terms of what to do when such attacks happen. Since news broke about the WannaCry ransomware, insurers have been a key source of guidance for corporate clients about what is happening and what to do about it. When insureds are hit by ransomware, insurers can be a key source of guidance both in advance of a breach and after it: insurers have inevitably dealt with ransomware before, sometimes hundreds of times, and can guide the appropriate responses and bring together the appropriate legal, communications and security teams to respond.

Symantec is working with insurance partners, including our partnership with Marsh & McLennan Companies reinsurance brokerage division Guy Carpenter, to model cyber risk with analytic software built specifically for cyber insurers. Symantec’s 23 scenario insurance cyber catastrophe model will be released in late summer 2017, however, in response to the urgent need for insurers to understand this risk, we are helping our insurance clients understand the risk of our vulnerable operating system malware scenario in advance of that release.

Summary

WannaCry is one of the most significant malware events seen to-date but it will not be the last to pose a systemic risk to the global economy.

Understanding emerging cyber risk may seem challenging but as interconnected technologies permeate all aspects of the global economy, the problem is too important for insurers not to understand. Addressing cyber risk will require collaborations between the cyber security industry, insurers and our mutual clients.

Together, the cyber security and insurance industries can make our economy more resilient to the most important risk of the 21st century.

Find the latest information from Symantec about the WannaCry Ransomware threat on our WannaCry Ransomware web page.

Source:

 


#kevin_stultz | symantec.com | 12 May 2017

Data Center Security Server Advanced Stops WannaCry


WannaCry Situation Update

On May 12, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (aka WCry). These attacks are targeting and have affected users from various countries across the globe.

Am I protected from the WannaCry ransomware?

Symantec Data Center Security: Server Advanced IPS provides protection against WannaCry Ransomware. All three levels of Symantec DCS:SA policies for Windows 6.0 (Basic, Hardening and Whitelisting) and all 5.2.9 policies (Limited Execution, Strict, and Core) prevent the ransomware attack from dropping the malicious executables onto the system.

For more information about WannaCry, go to Symantec’s WannaCry Outbreak page.

What protections does Symantec provide for our endpoint customers?

There are two basic ways that customers can be protected against this threat:

1. Customers who have installed the Windows security update MS17-010 are not vulnerable to this threat.

2. DCS:SA provides a range of protection against this threat on computers that do not have the patch installed:

  • IPS policies prevent the malware from being dropped or executed on the system.
  • Ability to block inbound SMB traffic.
  • If not using full IPS, the ability to apply a targeted IPS policy to block execution of the WannaCry malware.

Additional Protection Details

For customer systems that are not using SMB or Windows Network File Sharing capabilities, and especially for externally facing servers, it is best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. This can be easily done by editing the Kernel and Global network rules:

  • From the Java Console, edit a Windows 6.0 Policy
  • Click Advanced -> Sandboxes
  • Under Kernel Driver Options, click Edit
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  • Navigate back to Home in the Policy Editor
  • Click Advanced -> Global Policy Options
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  • Save the Policy
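The rules above are easy to mistype by hand (a forgotten UDP entry, a missing outbound rule). As an added example that is not part of the Symantec article or of DCS:SA, the following Python parses rule lines written exactly as the article lists them and reports which SMB port/protocol/direction combinations a policy still leaves open. The rule strings are copied from the article; the incomplete policy is constructed to show a typical gap.

```python
"""Added example: parse DCS:SA-style network rule lines (as written in the
article above) and check that every SMB/NetBIOS port is denied in both
directions. Not Symantec code; the rule text format is the article's own."""
from typing import Dict, List, Set, Tuple

# Ports the article tells you to deny: NetBIOS name/datagram/session
# services (137/138/139, TCP and UDP) and SMB over TCP (445).
SMB_PORTS = {137: ("TCP", "UDP"), 138: ("TCP", "UDP"),
             139: ("TCP", "UDP"), 445: ("TCP",)}

Rule = Dict[str, str]
Coverage = Tuple[str, str, int]   # (direction, protocol, port)


def parse_rule(line: str) -> Rule:
    """Turn 'Action: Deny, Protocol: TCP, Local Port: 445, ...' into a dict
    keyed by the lower-cased field name ('action', 'local port', ...)."""
    rule: Rule = {}
    for field in line.split(","):
        key, _, value = field.partition(":")
        rule[key.strip().lower()] = value.strip()
    missing = {"action", "protocol", "local port", "remote port"} - rule.keys()
    if missing:
        raise ValueError(f"rule is missing fields {sorted(missing)}: {line!r}")
    return rule


def protocols(rule: Rule) -> Set[str]:
    """'Both TCP and UDP' expands to two protocols; anything else is literal."""
    proto = rule["protocol"].upper()
    return {"TCP", "UDP"} if "BOTH" in proto else {proto}


def covered(rules_by_direction: Dict[str, List[str]]) -> Set[Coverage]:
    """Return the (direction, protocol, port) combinations a policy denies.
    Inbound rules match on the local port, outbound rules on the remote port;
    a rule whose matching side is 'Any' does not count as a specific block."""
    got: Set[Coverage] = set()
    for direction, lines in rules_by_direction.items():
        port_key = "local port" if direction == "inbound" else "remote port"
        for line in lines:
            rule = parse_rule(line)
            if rule["action"].lower() != "deny" or not rule[port_key].isdigit():
                continue
            for proto in protocols(rule):
                got.add((direction, proto, int(rule[port_key])))
    return got


def missing_smb_blocks(rules_by_direction: Dict[str, List[str]]) -> List[Coverage]:
    """List every SMB combination the policy does NOT deny (empty means complete)."""
    wanted = {(d, proto, port) for d in ("inbound", "outbound")
              for port, protos in SMB_PORTS.items() for proto in protos}
    return sorted(wanted - covered(rules_by_direction))


# The kernel network rules exactly as the article lists them.
ARTICLE_KERNEL_RULES = {
    "inbound": [
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any",
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any",
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any",
        "Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any",
    ],
    "outbound": [
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137",
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138",
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139",
        "Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445",
    ],
}

# Constructed incomplete policy: outbound 138 is TCP-only and outbound 445 is absent.
INCOMPLETE_RULES = {
    "inbound": ARTICLE_KERNEL_RULES["inbound"],
    "outbound": [
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137",
        "Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 138",
        "Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139",
    ],
}

if __name__ == "__main__":
    print("article policy gaps:", missing_smb_blocks(ARTICLE_KERNEL_RULES))   # []
    print("incomplete policy gaps:", missing_smb_blocks(INCOMPLETE_RULES))
```

The same parser accepts the Global Policy rule lines, since the extra "Program Path: *" field is simply carried along as another key.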

For additional protection to what is delivered out of the box, the execution of all known variants of the WannaCry ransomware can be blocked by putting the executable hashes in the Global No-run List.  To add a hash to the list:

  • From the Java Console, edit a Windows 6.0 Basic or Hardened Policy
  • Click Advanced -> Global Policy Options
  • Under Global Policy Lists, Edit the “List of processes that services should not start [global_svc_child_norun_list]”
  • Click the Add button to add a parameter list entry
  • In the “Entry in parameter list” dialog
    • Enter ‘*’ for the Program Path
    • For File Hash, click the “…” button on the right hand side
    • In the File Hash Editor dialog, click Add
      • Enter either the MD5 or SHA256 hash of the file
      • Click Ok on the File Hash Editor dialog window
    • Click Ok on the Entry in parameter list window
  • Add a parameter list entry for each hash value
  • Save the policy

What if I am using Symantec Embedded Security: Critical System Protection?

SES:CSP provides protection from WannaCry – see: https://support.symantec.com/en_US/article.TECH246385.html for details.

Source:

 


#Symantec Security Response | symantec.com | 22 May 2017

WannaCry: Ransomware attacks show strong links to Lazarus group

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks


Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. Our analysis only allows us to attribute these attacks to the Lazarus group. The technical details do not enable us to attribute the motivations of the attacks to a specific nation state or individuals.

Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, with the only difference the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked Eternal Blue exploit that caused WannaCry to spread quickly across the globe starting on May 12.

Summary of links

  • Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.
  • Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.
  • Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.
  • Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus).
  • There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

February attack

The first evidence Symantec has seen of WannaCry being used in the wild was February 10, 2017, when a single organization was compromised. Within two minutes of the initial infection, more than 100 computers in the organization were infected.

The attackers left behind several tools on the victim’s network that provided substantial evidence into how WannaCry spread. Two files, mks.exe and hptasks.exe (see Appendix C: Indicators of Compromise), were found on one affected computer. The file mks.exe is a variant of Mimikatz (Hacktool.Mimikatz), a password-dumping tool that is widely used in targeted attacks. The latter file, hptasks.exe, was used to then copy and execute WannaCry on other network computers using the passwords stolen by mks.exe.

The spread of WannaCry by hptasks.exe was a two-stage process. In stage one, hptasks can be passed a target list of IP addresses as an argument. When given this command, hptasks reads previously stolen credentials from a file called cg.wry and uses them to connect to every computer in the set of IP address ranges. All connection attempts are logged to the file log.dat. If a successful connection is made to a remote computer, and there is no file with a .res extension in either the Admin$ or C$\Windows folder, hptasks.exe copies the files listed in Table 1 onto the remote computer.

File name    | Remote locations (%s = the remote system)  | Type
cg.wry       | \\%s\Admin$\, \\%s\C$\Windows\             | Configuration details
r2.wry       | \\%s\Admin$\, \\%s\C$\Windows\             | Message to the user with instructions on how to pay
t1.wry       | \\%s\Admin$\, \\%s\C$\Windows\             | Message to the user, for example “Most of your files are encrypted…”
taskmsgr.exe | \\%s\Admin$\, \\%s\C$\Windows\             | Application for displaying the messages in t1.wry and t2.wry
taskschs.exe | \\%s\Admin$\, \\%s\C$\Windows\             | WannaCry encryption application

Table 1. Files copied by hptasks.exe onto target computers

After hptasks.exe executes WannaCry on the remote computer, the second stage begins. hptasks can pass several arguments to the WannaCry installation on the remote computer, including a new set of IP addresses. If WannaCry is run with these IP addresses as arguments, it does not encrypt the files on the local computer. Instead, it connects to the IP addresses passed, accesses the Admin$ and C$ shares on those computers using the credentials embedded in the resource section in a file called c.wry, and then encrypts the files on those computers remotely.

In addition to hptasks.exe and mks.exe, five other pieces of malware were discovered on a second computer on the victim’s network. Three of these tools are linked to Lazarus. Two were variants of Destover (Backdoor.Destover), a tool used in the Sony Pictures attacks. The third was Trojan.Volgmer, malware that has previously been used by Lazarus in attacks against South Korean targets.

March and April attacks

Beginning on March 27, at least five organizations were infected with a new sample of WannaCry. There does not appear to have been a pattern to those targeted, with the organizations spanning a range of sectors and geographies. These attacks revealed further evidence of links between those behind WannaCry and the Lazarus Group.

Two different backdoors were used to deploy WannaCry in these attacks: Trojan.Alphanc and Trojan.Bravonc. Alphanc was used to drop WannaCry onto computers belonging to at least two of the known victims, with a slightly modified version of the malware deployed to each victim.

Alphanc shares a significant amount of code with Backdoor.Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks (see Appendix B: Shared Code). In fact, Symantec investigators believe Alphanc is an evolution of Duuzer. Duuzer has also previously been linked to the activity of Backdoor.Joanap and Trojan.Volgmer, which have both been previously linked to Lazarus.

Symantec researchers were able to establish a detailed timeline of the activity of Alphanc on one of the victim’s systems, from the time it got on the system to when WannaCry was deployed.

Timeline of Alphanc activity

Alphanc was deployed on the target computer as armsvc.exe and minutes later copied itself to a new name, javaupdate.exe. The sample executed from this location:

cmd.exe /c “copy c:\Users\Administrator\AppData\armsvc.exe c:\windows\system32\javaupdate.exe > C:\Users\REDACTED\AppData\Local\Temp\NK15DA.tmp” 2>&1

Minutes later, mks.exe, the same credential dumper used in the February WannaCry attacks, was created and executed. There was no activity for three days, until the attackers returned and deployed a version of RAR and created a password-protected archive. Moments later a network scanner called g.exe ran. This performed a DNS lookup for all IP addresses in the IP address range selected by the attackers, probably to determine computers of interest. A two-day gap in activity followed before the attackers returned to profile the local network. Examples of commands used include:

cmd.exe /c “net view > C:\Users\REDACTED\AppData\Local\Temp\NK2301.tmp” 2>&1
cmd.exe /c “net view /domain > C:\Users\REDACTED\AppData\Local\Temp\NK6C42.tmp” 2>&1
cmd.exe /c “time /t > C:\Users\REDACTED\AppData\Local\Temp\NKC74F.tmp” 2>&1

Then the file taskhcst.exec was created by javaupdate.exe. This was the WannaCry ransomware. The .exec extension was then renamed to .exe, as illustrated below. This was likely a safety check so that the attacker would not mistakenly execute the file prematurely.

cmd.exe /c “ren C:\Windows\taskhcst.exec taskhcst.exe > C:\Users\REDACTED\AppData\Local\Temp\NK833D.tmp” 2>&1

Approximately 45 minutes later, the attacker copied the javaupdate.exe backdoor to a remote computer. A file called bcremote.exe was then also copied to this computer; this was the same tool that was called hptasks.exe in the February attack, and was used to spread WannaCry across the network. The configuration file for this file was then copied, and finally WannaCry itself was copied over:

cmd.exe /c “net use \\REDACTED\ipc$ REDACTED /u:REDACTED > C:\Users\REDACTED\AppData\Local\Temp\NK2E.tmp” 2>&1
cmd.exe /c “copy c:\windows\system32\javaupdate.exe \\REDACTED\c$\windows\javaupdate.exe > C:\Users\REDACTED\AppData\Local\Temp\NK3E49.tmp” 2>&1
cmd.exe /c “copy c:\windows\beremote.exe \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK4DD5.tmp” 2>&1
cmd.exe /c “copy c:\windows\c.wry \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK7228.tmp” 2>&1
cmd.exe /c “copy c:\windows\taskh*.exe \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK7DCF.tmp” 2>&1

The same process took place on a second server on the network, and when the bcremote.exe command was executed, WannaCry was spread across the network.
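The command sequence above, together with the February hptasks.exe behaviour of connecting to Admin$ and C$ with stolen credentials, is what a detection rule should key on: an authenticated connection to an administrative share, followed by an executable copied into \\host\C$\Windows or Admin$ from the same source host, with every command's output captured to an NKxxxx.tmp file. The Python below is an added example, not part of the Symantec report. It runs those heuristics over constructed process-creation records modelled on the quoted commands; 10.0.0.7, the user names and the password are stand-ins for the REDACTED values, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the report): process-creation events
# whose command lines mirror the ones quoted above. 10.0.0.7 stands in for
# the REDACTED target host; the last record is a benign copy for contrast.
SAMPLE_EVENTS = [
    {"ts": "2017-03-27T10:01", "host": "ws01",
     "cmd": r'cmd.exe /c "net view /domain > C:\Users\a\AppData\Local\Temp\NK6C42.tmp" 2>&1'},
    {"ts": "2017-03-27T10:45", "host": "ws01",
     "cmd": r'cmd.exe /c "ren C:\Windows\taskhcst.exec taskhcst.exe > C:\Users\a\AppData\Local\Temp\NK833D.tmp" 2>&1'},
    {"ts": "2017-03-27T11:30", "host": "ws01",
     "cmd": r'cmd.exe /c "net use \\10.0.0.7\ipc$ P@ssw0rd /u:CORP\svc_backup > C:\Users\a\AppData\Local\Temp\NK2E.tmp" 2>&1'},
    {"ts": "2017-03-27T11:31", "host": "ws01",
     "cmd": r'cmd.exe /c "copy c:\windows\system32\javaupdate.exe \\10.0.0.7\c$\windows\javaupdate.exe > C:\Users\a\AppData\Local\Temp\NK3E49.tmp" 2>&1'},
    {"ts": "2017-03-27T11:32", "host": "ws01",
     "cmd": r'cmd.exe /c "copy c:\windows\taskh*.exe \\10.0.0.7\c$\windows\ > C:\Users\a\AppData\Local\Temp\NK7DCF.tmp" 2>&1'},
    {"ts": "2017-03-27T12:00", "host": "ws02",
     "cmd": r'cmd.exe /c "copy \\fileserver\share\report.docx C:\Users\b\Documents\report.docx"'},
]

# Authenticated connection to an administrative share (net use \\host\ipc$ ... /u:...)
NET_USE_ADMIN = re.compile(r'\bnet\s+use\s+\\\\([^\\\s"]+)\\(ipc\$|admin\$|c\$)', re.I)
# File copied into the remote Windows directory through C$ or Admin$
COPY_TO_ADMIN = re.compile(r'\bcopy\s+\S+\s+\\\\([^\\\s"]+)\\(c\$\\windows|admin\$)', re.I)
# Staged payload renamed from .exec to .exe (the "safety check" noted above)
REN_EXEC = re.compile(r'\bren\s+\S+\.exec\s+\S+\.exe\b', re.I)
# Command output captured to ...\NKxxxx.tmp with stderr merged, as in every quoted command
NK_TMP_REDIRECT = re.compile(r'>\s*[^\s"]*\\NK[0-9A-F]{1,4}\.tmp"?\s*2>&1', re.I)

RULES = {
    "admin-share-auth": NET_USE_ADMIN,
    "admin-share-drop": COPY_TO_ADMIN,
    "exec-rename": REN_EXEC,
    "nk-tmp-redirect": NK_TMP_REDIRECT,
}


def classify(cmd):
    """Return the set of rule names that match one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def target_host(cmd):
    """Remote host named in a share connection or an admin-share copy, or None."""
    for rx in (NET_USE_ADMIN, COPY_TO_ADMIN):
        m = rx.search(cmd)
        if m:
            return m.group(1)
    return None


def staging_pairs(events):
    """Correlate per (source host, target host): report the pairs where the
    source both authenticated to an admin share on the target and dropped a
    file into its Windows directory. Returns {(src, dst): sorted tag list}."""
    seen = defaultdict(set)
    for ev in events:
        dst = target_host(ev["cmd"])
        if dst:
            seen[(ev["host"], dst)] |= classify(ev["cmd"])
    required = {"admin-share-auth", "admin-share-drop"}
    return {pair: sorted(tags) for pair, tags in seen.items() if required <= tags}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ts"], ev["host"], sorted(classify(ev["cmd"])))
    print(staging_pairs(SAMPLE_EVENTS))
```

The single-command rules are noisy on their own (administrators also use net use and copy to C$); the pair correlation in staging_pairs is what raises confidence, and the NK-prefixed temp-file redirect is the kind of tooling artefact worth hunting for on its own once seen in one incident.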

Trojan.Bravonc

Fewer details are available about the operation of Trojan.Bravonc, but it was used to drop WannaCry onto the computers of at least two other victims, and displays some fairly definitive links to the Lazarus group.

It connects to a command and control (C&C) server at the IP address 87.101.243.252, which is the same IP address used by a sample of Destover, a known Lazarus tool. This IP address was also referenced in Blue Coat’s From Seoul To Sony report.

Duuzer has also been observed using this IP address as a C&C server. Bravonc and a variant of Destover also share cryptographic related code (See Appendix B: Shared Code). In addition, Bravonc’s method of spreading (over SMB using hardcoded credentials), was the same technique used by Joanap, another Lazarus-linked tool.

May attacks: WannaCry goes global

On May 12, a new version of WannaCry was released which incorporated the leaked “EternalBlue” exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-0145) to spread the ransomware to unpatched computers on the victim’s network and also to other vulnerable computers connected to the internet.

The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years. It caused widespread disruption, both to organizations infected and to organizations forced to take computers offline for software updates. The discovery and triggering of a kill switch by security blog MalwareTech halted its spread and limited the damage.

The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions (“wcry@123”, “wcry@2016”, and “WNcry@2ol7”) indicating that the author of both versions is likely the same group.

The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicate that this was not a tool shared across cybercrime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

WannaCry links to Lazarus

Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300).

In addition, WannaCry uses similar code obfuscation to Infostealer.Fakepude, malware that has previously been linked to Lazarus; and Trojan.Alphanc, malware that was used to spread WannaCry in the March and April attacks and which has been linked to Lazarus (see above).

Fortuitous leak turned WannaCry into global threat

The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group. These earlier attacks involved significant use of tools, code, and infrastructure previously associated with the Lazarus group, while the means of propagation through backdoors and stolen credentials is consistent with earlier Lazarus attacks. The leak of the EternalBlue exploit was what allowed the attackers to turn WannaCry into a far more potent threat than it would have been had they still been relying on their own tools, since it bypassed many of the steps the attackers previously had to take, removing both the need to steal credentials and the need to copy the ransomware from computer to computer.

Thanks to Symantec’s Network Protection Research Labs for their contribution to this research.

Appendix A: WannaCry and Lazarus shared network infrastructure

There are a number of crossovers seen in the C&C servers used in the WannaCry campaigns and by other known Lazarus tools. For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. Later variants of Backdoor.Destover were seen to use the IP address 87.101.243.252 for command and control. The Trojan.Bravonc sample discovered dropping WannaCry also connects to this IP address. Other shared network infrastructure is listed below:

C&C            | Used by                                            | Comments
87.101.243.252 | Trojan.Bravonc, Backdoor.Duuzer, Backdoor.Destover |
84.92.36.96    | Trojan.Alphanc                                     | Also used by a backdoor program which shares an additional C&C with Lazarus-linked Backdoor.Cuprox
184.74.243.67  | Trojan.Alphanc                                     | Also seen used by entaskloader.exe, which drops a network scanning tool used in the March attacks
203.69.210.247 | Trojan.Alphanc                                     |
196.45.177.52  | Backdoor.Cuprox                                    | Also seen used by a backdoor program dropped by a document called “discussion_QuadrigaCX.doc”

Table 2. Infrastructure shared by WannaCry and other Lazarus tools

Appendix B: Shared Code

Shared network code between Trojan.Alphanc and Backdoor.Duuzer

Trojan.Alphanc and Backdoor.Duuzer use similar code to generate the buffer sent out after the connection to the C&C server is established. This code is part of what could be referred to as a “fake SSL” handshake. It is similar in concept to the code identified by Google, but different in implementation. Both samples generate a random number and use that number to look up a table for additional data to send. That table is identical across both samples. In addition, both samples prepend the same value, 0x16030100, to the start of the buffer sent to the C&C server.

Figure 1. Backdoor.Duuzer sample with the hash fa6ee9e969df5ca4524daa77c172a1a7 (image not reproduced)

Figure 2. Trojan.Alphanc sample with the hash E8C6ACC1EB7256DB728C0F3FED5D23D7 (image not reproduced)

Common strings between Trojan.Alphanc and Backdoor.Duuzer

The following table demonstrates the common strings between Trojan.Alphanc and Backdoor.Duuzer.

Figure 3. Common strings between Trojan.Alphanc and Backdoor.Duuzer (image not reproduced)

Cryptographic number related routines between Backdoor.Bravonc and Backdoor.Destover

Figure 4. Trojan.Bravonc sample with the hash 55dd9b0af2a263d215cb4fd48f16231a (image not reproduced)

Figure 5. Destover variant with the hash 0f246a13178841f8b324ca54696f592b (image not reproduced)

Shared function identified by Neel Mehta

On May 15, Google researcher Neel Mehta tweeted the following:

(Tweet image not reproduced; the two hashes it listed are given below.)

The first hash, 9c7c7149387a1c79679a87dd1ba755bc, is a Ransom.WannaCry variant and ac21c8ad899727137c4b94458d7aa8d8 is a variant of Backdoor.Contopee, a backdoor used in attacks against several banks. The samples referenced in the tweet contain shared code. This shared code is part of a custom SSL implementation using an identical cipher suite; it could be described as “fake SSL”. Each cipher specifies an option for key exchange, authentication, bulk encryption, and MAC. The Contopee sample and the WannaCry sample have almost identical pieces of code that reference an identical cipher suite. The cipher suite in both samples has the same 75 different ciphers to choose from (as opposed to OpenSSL, where there are over 300).
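Both observations in this appendix, the fixed 0x16030100 record prefix shared by Alphanc and Duuzer and the identical 75-cipher list shared by WannaCry and Contopee, are things network telemetry can match without decrypting anything. The Python below is an added example, not Symantec's code: it builds a constructed ClientHello, parses the record and handshake headers while insisting that the three nested lengths agree, and derives an order-sensitive digest of the offered cipher list in the style of JA3. The cipher IDs used are placeholders (the report does not list the 75), and whether the samples' table-driven handshakes fail the consistency checks is not something the report states.

```python
import hashlib
import struct

RECORD_PREFIX = b"\x16\x03\x01"   # handshake content type, TLS 1.0 record version


def build_client_hello(cipher_suites, client_version=0x0303, session_id=b""):
    """Constructed ClientHello record (no extensions) used as test input.
    For a record shorter than 256 bytes the first four bytes come out as
    0x16 0x03 0x01 0x00, the prefix noted for Alphanc and Duuzer above."""
    body = struct.pack(">H", client_version)
    body += b"\x11" * 32                                   # client random (fixed for reproducibility)
    body += struct.pack("B", len(session_id)) + session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return RECORD_PREFIX + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record, insisting that the record length, the
    handshake length and the cipher_suites length all agree. Returns
    {"client_version": int, "cipher_suites": [int, ...]}; raises ValueError
    for anything that does not hold together as a real handshake."""
    if len(record) < 9 or record[0] != 0x16 or record[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length does not match the buffer")
    if record[5] != 0x01:
        raise ValueError("handshake type is not ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len != rec_len - 4:
        raise ValueError("handshake length inconsistent with record length")
    pos = 9
    client_version = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2 + 32                                          # skip client random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "cipher_suites": suites}


def cipher_fingerprint(cipher_suites):
    """Order-sensitive MD5 digest of the offered cipher IDs, in the style of
    JA3. Assumption: a client with a fixed, hand-written list (such as the
    75-entry suite described above) produces a constant value that can be
    matched in TLS metadata without decrypting anything."""
    return hashlib.md5(",".join(str(c) for c in cipher_suites).encode()).hexdigest()


if __name__ == "__main__":
    rec = build_client_hello([0x002F, 0x0035, 0xC02F])     # placeholder cipher IDs
    info = parse_client_hello(rec)
    print(rec[:4].hex(), info, cipher_fingerprint(info["cipher_suites"]))
```

A real deployment would feed captured ClientHello records from a sensor into parse_client_hello and compare cipher_fingerprint against the digest computed once from a known sample; a 75-entry list is distinctive enough that the digest alone is a usable indicator.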

Appendix C: Indicators of Compromise

MD5                              | SHA256                                                           | File name
21307227ECE129B1E12797ECC2C9B6D9 | 8A4D2BAA8CF519C7A9B91F414A0A9D8BA2B9E96D21D9E77DA7B34ED849830A36 | mks.exe
6F0338AF379659A5155B3D2A4F1A1E92 | CA8DC152DC93EC526E505CF2A173A635562FFBF55507E3980F7DC6D508F0F258 | hptasks.exe
0489978ffa3b864ede646d0470500336 | 2A99BCB5D21588E0A43F56AADA4E2F386791E0F757126B2773D943D7CBF47195 | ENTASKLOADER.EXE, creates forti.exe
a1ffca7ba257b4eca7fe7d1e78bac623 | 3C86FC0A93299A0D0843C7D7FF1A137A9E799F8F2858D3D30F964E3C12C28C9E | forti.exe
f27cf59b00dacdd266ad7894a1df0894 | 92b0f4517fb22535d262a7f17d19f7c21820a011bfe1f72a2ec9fbffbdc7e3e0 | javaupdate.exe, creates g.exe
a1ffca7ba257b4eca7fe7d1e78bac623 | 3C86FC0A93299A0D0843C7D7FF1A137A9E799F8F2858D3D30F964E3C12C28C9E | g.exe
511778c279b76cac40d5d695c56db4f5 | 91146EE63782A2061701DB3229320C161352EE2BC4059CCC3123A33114774D66 | svchost.exe, creates lsasvs.exe
f774c0588da59a944abc78d5910be407 | A7EA1852D7E73EF91EFB5EC9E26B4C482CA642D7BC2BDB6F36AB72B2691BA05A | lsasvs.exe, creates 50793105.exe
8386379a88a7c9893a62a67ea3073742 | 7F8166589023CD62AE55A59F5FCA60705090D17562B7F526359A3753EB74EA2F | 50793105.exe, creates taskhcst.exe
3bc855bfadfea71a445080ba72b26c1c | 043E0D0D8B8CDA56851F5B853F244F677BD1FD50F869075EF7BA1110771F70C2 | taskhcst.exe, WannaCry
F27CF59B00DACDD266AD7894A1DF0894 | 92B0F4517FB22535D262A7F17D19F7C21820A011BFE1F72A2EC9FBFFBDC7E3E0 | armsvc.exe, javaupdate.exe
E8C6ACC1EB7256DB728C0F3FED5D23D7 | 524F8F0F8C31A89DF46A77C7A30AF5D2A1DC7525B08BFAFBED98748C3D8A3F1C | jusched.exe
1D4EC831292B611F1FF8983EBD1DB5D4 | 41E9D6C3374FD0E78853E945B567F9309446084E05FD013805C70A6A8205CD70 | msinj32.exe
D0CE651A344979C8CD11B8019F8E4D7E | 436195BD6786BAAE8980BDFED1D7D7DBCCCB7D5085E79EBDCC43E22D8BAE08A8 | goyqsvc.dll
9A5FA5C5F3915B2297A1C379BE9979F0 | 9F177A6FB4EA5AF876EF8A0BF954E37544917D9AABA04680A29303F24CA5C72C | exldcmgmt.dll
86759CE27D0FE0B203AAA19D4390A416 | AE8E9FF2DC0EC82B6BAE7C4D978E3FEAC93353CB3CD903E15873D31E30749150 | oledbg32.dll
FCF3702E52AE32C995A36F7516C662B7 | FC079CEFA19378A0F186E3E3BF90BDEA19AB717B61A88BF20A70D357BF1DB6B8 | bitssvcs.dll
e117406e3c14ab8e98b27c3697aea0b6 | 2BA20E39FF90E36086044D02329D43A8F7AE6A7663EB1198B91A95EA556CF563 | 00bebc12.exe

For additional information from Symantec regarding the WannaCry virus, visit our dedicated WannaCry Ransomware page.

Source:

 


#Symantec Security Response | symantec.com | 24 May 2017

WannaCry Ransomware


WannaCry Ransomware: Information from Symantec

Last updated: 1:49am PDT, May 24, 2017

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization’s network by exploiting a critical vulnerability in Windows computers, which was patched by Microsoft in March 2017 (MS17-010). The exploit, known as “EternalBlue”, was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed to have stolen the data from the Equation cyber espionage group.

Ransomware attacks show strong links to Lazarus group

Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the Bangladesh Central Bank. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. Our analysis only allows us to attribute these attacks to the Lazarus group. The technical details do not enable us to attribute the motivations of the attacks to a specific nation state or individuals.

Am I protected against the WannaCry attack?

Even though WannaCry currently exploits an SMB vulnerability in systems running Windows operating systems, Symantec customer assets have been protected across multiple attack vectors prior to its emergence. Symantec protects customers against ransomware through layered defenses across multiple product lines, guarding multiple attack vectors and targets including email, web, endpoints, and data center servers.
(Figure: Symantec Ransomware Protections)
To date, Symantec has blocked nearly 47 million WannaCry infection attempts across 1.6 million endpoints, providing full protection for Symantec customers through its advanced exploit protection technology:

Endpoint: Symantec Endpoint Protection and Norton
Symantec Endpoint Protection (SEP) and Norton have blocked any attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared, using a combination of technologies. In fact, the Advanced Machine Learning feature alone in SEP proactively blocked all WannaCry infections on day zero, without any updates. All SEP versions, including SEP 14, SEP Cloud and SEP Small Business Edition, have these automatic protections available against WannaCry. See the Details and Recommendations section below for more information.

Email: Symantec Email Security.cloud and Symantec Messaging Gateway
Symantec Email Security.cloud and Symantec Messaging Gateway products provide automatic protection against WannaCry for email-based attacks.

Web: Symantec Secure Web Gateway
Symantec Secure Web Gateway (SWG) blocks access to malicious websites and downloads that might contain ransomware. SWG solutions include ProxySG, WSS, GIN, Content and Malware Analysis, Security Analytics, and SSLV.

Workload: Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) intrusion prevention policies block WannaCry ‘out of the box’. All three levels of Symantec DCS:SA policies (Windows 6.0 and up: Basic, Hardening, and Whitelisting) block the WannaCry ransomware attack from dropping malicious executables onto systems. Customers not deploying full intrusion prevention capabilities can apply targeted intrusion prevention policies to block execution of ransomware.
Note: See the Data Center Security Server ransomware blog post for additional details and instructions.

Endpoint Management: Symantec IT Management Suite
Symantec IT Management Suite (ITMS) provides vulnerability patching and updates for endpoints and data center servers. The Security Update for Microsoft Windows SMB Server (4013389) patch, which protects against WannaCry, was released in March by Microsoft, and ITMS has supported it from the same date.
Note: ITMS 7.5 will patch Windows 7/8.1 systems; however, ITMS 7.6 or newer is required to patch Windows 10 systems.

Cyber Security Services: Customers can benefit from Symantec’s Managed Security Services for monitoring WannaCry alerts and detecting ransomware spread within their organization. Symantec can also provide Incident Response Services, including readiness, hunting, and response services, for WannaCry victims.

View the detailed overview of how Symantec products protect you from WannaCry and other ransomware.

Details and recommendations for Symantec Endpoint Protection and Norton customers

Symantec recommends that customers have the following technologies enabled for full proactive protection:
  • Intrusion prevention
  • SONAR behavioral detection technology
  • Advanced machine learning
Note: Symantec Endpoint Protection customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by advanced machine learning.
Intrusion prevention
Symantec has the following intrusion prevention policies in place to block attempts to exploit the MS17-010 vulnerability:
SONAR behavior detection technology
Advanced machine learning
Antivirus
For expanded protection and identification purposes the following Antivirus signatures have been updated:
Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:
  • 20170512.009
The following intrusion prevention policy blocks activity related to Ransom.Wannacry:
Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.
Host Integrity in SEP 12.1 and 14 can be used to automatically identify and remediate computers that have not installed MS17-010. An example Host Integrity policy and additional details are provided in TECH246459.
(Figure: WannaCry Ransomware Timeline 2017)

Source:

 


#julismail | julismail.staff.telkomuniversity.ac.id | 14 May 2017

Ransomware wannacry



In the middle of a quiet weekend, the malware researchers’ discussion group suddenly got busy. It turns out that today there is news of a very large malware outbreak, namely the Wannacry ransomware. It has reportedly been detected spreading in some 90 countries. Abroad, the victims so far include various hospitals in the USA, several banks in Russia, the computer network of the railway in Germany, and so on. In Indonesia, several hospital computers and several computers at regional governments have reported being infected by this ransomware. Even Kominfo (the Ministry of Communication and Informatics) issued a press release about this malware on this holiday.

This malware works by encrypting the files on the victim’s computer, so our files can no longer be opened. The analogy is roughly that our files get zipped by the malware and then given a password. To obtain that password we first have to pay a ransom to the criminals who made the malware. This type of malware is called ransomware.

The Wannacry ransomware infects via phishing email. So if we get a suspicious email containing an attachment or a website link, it is best not to open it. Apart from that, it can also spread via SMB (used for file sharing). So if a single computer is infected with this malware, it can spread to every computer on the network.

Prevention steps

According to Microsoft, almost all versions of Windows except Windows 10 are vulnerable to this ransomware attack. Microsoft has also released an update to address the problem. There are several preventive steps that can be taken to avoid being infected by this malware:

  • Install the MS17-010 patch
  • Disable SMBv1
  • Block ports 139/445 and 3389

To install the MS17-010 patch, see the following link:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

To disable SMBv1, see the following link:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
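Blocking 139/445 is only worth something if it is verified from the places an infected host would actually connect from. The Python below is an added example, not part of the original post: a small concurrent TCP reachability check for the SMB/NetBIOS ports across a host list, plus a loopback listener so it can be exercised offline. Assumptions: a completed TCP handshake means the port is reachable from this vantage point (it says nothing about whether the host is patched), and refused, filtered and timed-out connections are all reported as not reachable.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORTS = (139, 445)   # NetBIOS session service and direct-hosted SMB


def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout.
    Refused, unreachable and timed-out connections all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=1.0, workers=32):
    """Map each host to the list of ports that accepted a connection from
    this vantage point. An empty list means the host is not reachable on
    those ports from here (blocked, filtered, or not listening)."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda hp: port_open(hp[0], hp[1], timeout), targets))
    exposed = {h: [] for h in hosts}
    for (h, p), ok in zip(targets, flags):
        if ok:
            exposed[h].append(p)
    return exposed


def loopback_listener():
    """Open a throwaway listening socket on 127.0.0.1 so the scanner can be
    exercised offline. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_loopback_port():
    """Pick a port that is currently closed on 127.0.0.1 (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = loopback_listener()
    closed_port = unused_loopback_port()
    # Offline demonstration: one open and one closed port on loopback.
    print(smb_exposure(["127.0.0.1"], ports=(open_port, closed_port)))
    srv.close()
```

Run it from a workstation segment against the server ranges (and from the internet against anything with a public address) before and after the firewall change; a host that still lists 445 after the change is the one the worm can reach.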

A complete write-up on this malware can be found at the following site (it even includes the malware sample):

 

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue (MS17-010) exploit to propagate.
  • Ransom: between $300 and $600. There is code to ‘rm’ (delete) files in the virus. It seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is reachable, the virus exits instead of infecting the host (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. The kill switch does not work if the host reaches the web through a proxy (source).

Update: A minor variant of the virus has been found; it looks to have had the kill switch hex-edited out. This was not done by recompiling, so it was probably not done by the original malware author. That is the only change: the encryption keys are the same and the bitcoin addresses are the same. On the other hand it is corrupt, so the ransomware part does not work; it only propagates.

Vulnerable/Not Vulnerable

To be infected requires the SMB port (445) to be open, or the machine to be already infected with DOUBLEPULSAR (and the kill-switch domain not registered, or somehow blocked, or the network reaching it only through a proxy).

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn’t spread. If run manually, can encrypt files.
  • Windows 7,8,2008: can spread unpatched, can encrypt files.
  • Windows 10: Doesn’t spread. Even though Windows 10 does have the faulty SMB driver.
  • Linux: Doesn’t spread. If run manually with wine, can encrypt files.

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as a blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware authors’ public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted using the infection-specific RSA keypair.

The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors. Recovering files therefore needs the infection’s private key, and that key is only recoverable with the authors’ private key.

Even more in-depth RE information by cyg_x1: https://pastebin.com/aaW2Rfb6

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders wannacrypt will avoid. Some because it’s entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:

  • “Content.IE5”
  • “Temporary Internet Files”
  • ” This folder protects against ransomware. Modifying it will reduce protection”
  • “\Local Settings\Temp”
  • “\AppData\Local\Temp”
  • “\Program Files (x86)”
  • “\Program Files”
  • “\WINDOWS”
  • “\ProgramData”
  • “\Intel”
  • “$”

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Credit: herulume, thanks for extracting this list from the binary.

More details came from https://pastebin.com/xZKU7Ph1, thanks to cyg_x11.
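The skip list and extension list above make a concrete predicate an incident responder can run over a file inventory to estimate what a WannaCry run would have touched. The Python below is an added example, not code from the gist: it applies the two lists as the text describes them (skip strings matched as substrings of the path, then the extension). Assumptions: both comparisons are case-insensitive here, which the text does not say (the extension list itself mixes cases such as .ARC and .PAQ), and the sample paths are constructed. Note the bare “$” entry: it keeps the scanner out of any path containing a dollar sign, which includes administrative share paths.

```python
import ntpath

# Path fragments the scan skips, exactly as listed above (including the
# leading space on the "This folder protects..." string and the bare "$").
SKIP_SUBSTRINGS = (
    "Content.IE5",
    "Temporary Internet Files",
    " This folder protects against ransomware. Modifying it will reduce protection",
    r"\Local Settings\Temp",
    r"\AppData\Local\Temp",
    r"\Program Files (x86)",
    r"\Program Files",
    r"\WINDOWS",
    r"\ProgramData",
    r"\Intel",
    "$",
)

# Extensions from the list above, lower-cased. Case-insensitive matching is
# an assumption of this example, not something the write-up states.
TARGET_EXTENSIONS = frozenset(ext.lower() for ext in """
.doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv .rtf .123 .wks .wk1 .pdf
.dwg .onetoc2 .snt .jpeg .jpg .docb .docm .dot .dotm .dotx .xlsm .xlsb .xlw .xlt .xlm .xlc .xltx
.xltm .pptm .pot .pps .ppsm .ppsx .ppam .potx .potm .edb .hwp .602 .sxi .sti .sldx .sldm .vdi .vmdk
.vmx .gpg .aes .ARC .PAQ .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .backup .iso .vcd .bmp .png .gif
.raw .cgm .tif .tiff .nef .psd .ai .svg .djvu .m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi
.asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .sh .class .jar .java .rb .asp .php .jsp .brd .sch .dch
.dip .pl .vb .vbs .ps1 .bat .cmd .js .asm .h .pas .cpp .c .cs .suo .sln .ldf .mdf .ibd .myi .myd .frm
.odb .dbf .db .mdb .accdb .sql .sqlitedb .sqlite3 .asc .lay6 .lay .mml .sxm .otg .odg .uop .std .sxd
.otp .odp .wb2 .slk .dif .stc .sxc .ots .ods .3dm .max .3ds .uot .stw .sxw .ott .odt .pem .p12 .csr
.crt .key .pfx .der
""".split())


def skip_reason(path):
    """The first skip string found in the path (case-insensitively, an
    assumption), or None if the scan would descend into it."""
    low = path.lower()
    for s in SKIP_SUBSTRINGS:
        if s.lower() in low:
            return s
    return None


def would_be_encrypted(path):
    """True if a file at this Windows path matches what the scan targets:
    no skip string in the path and an extension from the list."""
    if skip_reason(path) is not None:
        return False
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def exposure_report(paths):
    """Bucket a file inventory into targeted / skipped-by-path / untargeted
    extension, so an analyst can size the blast radius of an infection."""
    report = {"targeted": 0, "skipped_path": 0, "other_extension": 0}
    for p in paths:
        if skip_reason(p) is not None:
            report["skipped_path"] += 1
        elif would_be_encrypted(p):
            report["targeted"] += 1
        else:
            report["other_extension"] += 1
    return report


if __name__ == "__main__":
    # Constructed inventory (not from any real host).
    inventory = [
        r"C:\Users\alice\Documents\budget.xlsx",
        r"D:\backups\sales.BAK",
        r"C:\Program Files\app\readme.txt",
        r"C:\Users\alice\notes.md",
    ]
    for p in inventory:
        print(would_be_encrypted(p), skip_reason(p), p)
    print(exposure_report(inventory))
```

Feed it the output of a file-system walk or a backup catalogue rather than live disks; the point is to know in advance which shares and backup sets would be in scope, not to rely on the skip strings as a defence, since the list is the malware author's choice and changes between variants.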

Some other interesting strings

Credit: nulldot, https://pastebin.com/0LrH05y2

Encrypted file format

#include <stdint.h>

#define WC_SIG_LEN    8    /* "WANACRY!" is 8 bytes */
#define WC_ENCKEY_LEN 256  /* RSA-2048 ciphertext of the per-file AES key */

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN];    // 64 bit signature WANACRY!
    uint32_t keylen;             // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown;            // usually 3 or 4, unknown
    uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;               // ciphertext: file contents encrypted with AES-128 in CBC mode
                                 // (on disk the ciphertext follows the header directly)
} wc_file_t;

credit for reversing this file format info: cyg_x11.
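As an added example (not from cyg_x11’s write-up), the Python below reads that header with struct so an analyst can triage a directory of encrypted files: confirm the signature, check that keylen is the 256 bytes an RSA-2048 ciphertext occupies, and recover the original size from datalen. The sample blob is constructed (the key and ciphertext are filler bytes, no real encryption happens). Assumptions: the integer fields are little-endian, and on disk the ciphertext follows the header immediately (the struct’s data pointer being an in-memory convenience).

```python
import struct
from dataclasses import dataclass

WC_SIG = b"WANACRY!"            # 8-byte ("64 bit") signature
WC_ENCKEY_LEN = 256             # RSA-2048 ciphertext of the per-file AES key
AES_BLOCK = 16
# sig, keylen, key, unknown, datalen; little-endian assumed (Windows x86 malware)
HEADER_FMT = "<8sI256sIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 + 4 + 256 + 4 + 8 = 280 bytes


@dataclass
class WcFile:
    keylen: int
    enc_key: bytes     # AES key encrypted with the infection's RSA public key
    unknown: int       # usually 3 or 4
    datalen: int       # plaintext length before encryption
    data: bytes        # AES-128-CBC ciphertext


def parse_wc_file(blob):
    """Parse one encrypted file. Raises ValueError if the header does not
    hold together; returns a WcFile otherwise. Nothing here can decrypt:
    enc_key needs the infection's private key from 00000000.eky, which is
    itself encrypted to the authors' public key."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a WANACRY! header")
    sig, keylen, enc_key, unknown, datalen = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != WC_SIG:
        raise ValueError("missing WANACRY! signature")
    if keylen != WC_ENCKEY_LEN:
        raise ValueError(f"keylen {keylen} is not an RSA-2048 ciphertext length")
    data = blob[HEADER_LEN:]
    if len(data) % AES_BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    if datalen > len(data):
        raise ValueError("datalen exceeds the ciphertext length")
    return WcFile(keylen, enc_key, unknown, datalen, data)


def build_wc_file(enc_key, plaintext_len, ciphertext, unknown=4):
    """Constructed sample builder for exercising the parser; the key and
    ciphertext are whatever bytes the caller passes (no real encryption)."""
    return struct.pack(HEADER_FMT, WC_SIG, len(enc_key), enc_key, unknown, plaintext_len) + ciphertext


def triage(blobs):
    """Summarise candidate files: how many parse as WannaCry output, how many
    do not, and how many plaintext bytes the parsed ones held in total."""
    parsed, rejected, total = 0, 0, 0
    for b in blobs:
        try:
            total += parse_wc_file(b).datalen
            parsed += 1
        except ValueError:
            rejected += 1
    return {"wannacry": parsed, "other": rejected, "plaintext_bytes": total}


if __name__ == "__main__":
    # Constructed sample: 256 filler key bytes, a 13-byte plaintext, one AES block of filler ciphertext.
    sample = build_wc_file(b"\xab" * 256, 13, b"\x00" * 16)
    print(parse_wc_file(sample).datalen, triage([sample, b"PK\x03\x04" + b"\x00" * 300]))
```

datalen is the one field with immediate value during response: summing it across a share tells you how much data is held hostage without touching the ciphertext, and a keylen other than 256 or a signature mismatch flags a file that was damaged or belongs to a different family.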

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by “Equation Group”, an exploit developer group associated with the NSA, and leaked to the public by “the Shadow Brokers”. Microsoft fixed this vulnerability on March 14, 2017. The leaked exploits were not 0-days at the time of their release.

McAfee’s analysis of this malware

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

Cisco Talos’s analysis of this malware

http://blog.talosintelligence.com/2017/05/wannacry.html

Other write-ups on this malware:

https://www.ward.ie/2017/immediate-action-required-critical-security-advisory-wannacry-ransomware/

https://support.microsoft.com/en-sg/help/4013389/title

Source:
