WannaCry (WannaCrypt, WannaCryptor etc.)

[5th July 2017]

The Register: Cha-ching! NotPetya hackers cash out – but victims won’t ever see that data again – Plus, bonus ransomware strain found in bottom of source code. [John Leyden reported that ‘A new analysis by Kaspersky Lab reports that:

NotPetya was not the only ransomware pushed through the trojanised M.E.Doc update. Unpacking the source code reveals that the project’s name was “WannaCry” and that it pretends to be “made in China”. These factors have prompted Kaspersky Lab researchers to dub the malware “FakeCry”.’

[Update 2nd June 2017]

Michael Mimoso for Kaspersky: WannaCry Development Errors Enable File Recovery

John Leyden for The Register: Crapness of WannaCrypt coding offers hope for ransomware victims – Still struggling? Your files might be recoverable after all

[Update 21st May 2017]

A free tool released by ESET ‘to help combat the recent ransomware, WannaCry (WannaCryptor).’

The press release goes on to say that:

ESET’s EternalBlue Vulnerability Checker can be used to determine whether your Windows machine is patched against EternalBlue, the exploit behind the WannaCry ransomware epidemic that is still being used to spread cryptocurrency mining software and other malware.

This obviously isn’t the only way to check, and it may not be the only tool of its kind out there – I haven’t been looking for such a tool. And clearly, checking for a specific vulnerability isn’t a substitute for a sound patching strategy, or for using security software that detects malware (including WannaCryptor) reasonably reliably. But while I haven’t tested it personally, I’d be very surprised (in view of my longstanding association with ESET) if this tool didn’t do what it says on the tin, so some people and organizations might well find this useful.

[Update 19th May 2017]

Wannacry in-memory key recovery for WinXP – Adrian Guinet warns:

“This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected.

Please also note that you need some luck for this to work (see below), and so it might not work in every cases!”

However, wanakiwi claims to have tested it successfully with versions up to Windows 7, but points to some alternative information. WannaCry — Decrypting files with WanaKiwi + Demos

Dan Goodin for Ars Technica: Windows XP PCs infected by WCry can be decrypted without paying ransom – “Decryption tool is of limited value, because XP was unaffected by last week’s worm.”

John Leyden for The Register: There’s a ransom-free fix for WannaCry‬pt. Oh snap, you’ve rebooted your XP box – “Sooo… that’s not gonna work for you mate”

[update 17th May 2017]

Another post for ITSecurity UK: WannaCryptor ‘Afterthoughts’…

Shortened version based on commentary to a company in St Helena:

  • The security community usually frowns on paying ransomware gangs for recovering files because it encourages the criminals. I can understand people paying up when there’s no other way to recover or replace their files, though. However, in this case, it seems likely that the criminals won’t and can’t recover the files, apart from the handful of files they do allow a victim to recover for free to ‘prove that they can be recovered’. The recovery mechanism only works for those files, and there doesn’t seem to be an equivalent mechanism for recovering all the others.
  • The combination of ransomware and worm has certainly accelerated the spread of the malware, though it hasn’t matched some of the worm attacks we were dealing with in the early 2000s. Of course, the potential effects are nastier than most of those earlier worms. Fortunately, its reliance on a vulnerability that has been widely patched has reduced its effectiveness.
  • People with machines that were patched back in March for MS17-010 probably weren’t affected unless they had data on a machine (a server, for instance) that was still vulnerable. The patch was available for Windows versions after (but not including) Windows XP with the exception of Windows 8.0. Microsoft, very unusually, also made available a patch for systems no longer normally supported with updates (XP, 8.0, Server 2003) on the 12th of May, so some systems no longer supported can now be patched.
  • If you have a machine that can be updated but hasn’t been, clearly you should. The threat from what ESET calls WannaCryptor hasn’t passed: we’re seeing not only variants but copycat and pre-existing malware using the same eternalblue exploit, and there are other features that might be copied. If you can upgrade an unsupported Windows version, do. If for some reason your machine can’t be upgraded or updated, at least take Microsoft’s advice to:
  • While the SMB exploit allowed an infected machine to pass on the infection to other accessible machines, it’s not clear what the primary infection vector(s) was/were. While I do have a report of emails with infective attachments, that seems to have been unusual. (At least one subsequent report has put the blame squarely on SMB, but I’m not sure that’s the whole story. Notwithstanding, it’s certainly still a good idea to be wary of emails that carry attachments, wherever they may seem to come from.
  • There was a lot of fuss made over the ‘accidental hero’ who was able to ‘switch off’ the attack by registering a domain to see what happened. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world a little time, it didn’t mean there wouldn’t be further attacks. I still recommend that you upgrade or patch if you can (and if you haven’t already, of course). There have been subsequent reports of further variants, including one which is alleged not to include a kill switch. That might not have be an accurate report, but certainly no-one should be relying on sinkholing or the neutralization of kill-switch domains rather than patching. I don’t begrudge malwaretech his $10,000 bounty or his year’s supply of free pizza, but it’s worth wondering how sure he was that registering the domain would have a happy outcome? Even more disconcertingly, I wonder whether the next malware to contain a conveniently unregistered domain might actually be setting a booby-trap? In any case, it’s reasonable to assume that the criminals will be trying not to be stymied so easily in future.
  • A friend of mine who is CEO of a security company asked if that company was the only security vendor not to use ‘WannaCry’ for marketing. I won’t say which company, as I’m sure he wouldn’t want to be accused of sneaking in some marketing by the backdoor. 😉 It’s true, of course, that a high profile attack is likely to inspire a stampede of marketroids claiming that:
    • Their company was the first past the post on detection. Actually, at least one product was detecting the malware generically from the word go, by detecting code intended to use the same exploit. I’m sure that others did the same. Unfortunately, not the company that claimed to be ‘totally protecting’ the NHS.
    • Of course, any solution may be outflanked by malicious software somewhere along the line, so I’m not going to join in the finger-pointing. Still, such a grandiloquent phrase is asking for trouble, and I notice that the company has modified its advertising since.
    • Their product is the only safe defence against all security breaches. And all that jazz.

All that aside, that’s a simplistic and rather cynical (not to say frankly insulting) view of what security commentators and researchers do. Even those of us who aren’t involved with direct marketing realize that companies we work for may see marketing value in what we say publicly. But that doesn’t mean everything we write relating to an event like this is purely intended to promote those companies and ourselves. It’s not ‘marketing’ to try to allay panic, discriminate between truth, fiction and speculation, or to use a high-profile security issue to make an educational point and raise awareness.

[earlier update]

Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.

If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)

If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.

Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.

Kudos to Microsoft for going the extra mile…

Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course.

[Added subsequently: Symantec What you need to know about the WannaCry Ransomware]

Further update:

You may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. I still recommend that you patch if you can.

There are reports of further variants, including one which is alleged not to include a kill switch. That might not be an accurate report, but certainly no-one should be relying on the neutralization of kill-switch domains rather than patching.

And if you have been caught out by the malware and were thinking of paying up, be warned that payment may not get your files back, according to Checkpoint: WannaCry – Paid Time Off?

Analysis by Microsoft here. MS recommends that you update to Windows 10 (no comment…) and/or apply the MS17-010 update. If that’s not possible, they recommend that you:

Hat tip to Artem Baranov for links to further information.

———————————————————————

It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)

At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS2017-010 are vulnerable to the  ‘externalblue’ exploit from the ShadowBroker NSA leak unless they have security software that blocks that exploit.

Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:

Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf.

WannaLocker

David Bisson – WannaLocker – The WannaCry Copycat Targeting Android Users in China