loader gif

​Everything You Need to Know About WannaCrypt Ransomware Attack

wannacrypt ransomware

An international outage has been caused by the biggest ransomware attack ever. The hackers using WannaCrypt ransomware have hit hospitals, schools, companies and government institutions in at least 100 countries across the globe, encrypting system files and causing massive disruption in the targeted organizations. The reports of the attack first came from Spain’s largest telecom network service provider that was quickly followed by 16 hospitals in England’s National Health Service being affected. The attack on the hospitals rendered doctors and nurses locked out of patient's’ records unless ransom was paid.

As per details revealed by the security company Avast, more than 75,000 cases of ransomware infections in 99 countries were detected. The report further said that majority of targets were found in Russia, Ukraine and Taiwan. However, India did not remain immune to these attacks as computers belonging to Andhra Pradesh police department suffered infection locking the users out of the computers. As per preliminary reports, at least 25% of the computers belonging to the police department have been infected. The initial investigation has traced the attacker to France with the attack method being figured out exploits SMB Eternal Blue Vulnerability (CVE-2017-0145) in the Windows operating system.

How is WannaCrypt ransomware spreading?

The ransomware WannaCrypt0r 2.0, also known as Wanna Decrypt or WannaCry, spreads through phishing emails disguised as invoice, job offers, security warnings and other legitimate files. Once the unaware user clicks on the malicious attachment in the email, the dropper is delivered onto the system and thereafter exploits the SMB Eternal Blue Vulnerability (CVE-2017-0145) in the Windows operating system. After execution, the dropper then connects to the following domain that was initially unregistered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection is this unregistered domain is established successfully, the dropper does not infect the system with WannaCry ransomware module. However, if the connection fails, the dropper proceeds ahead to encrypt the files on the system.

As per a warning issued by Microsoft, blocking the domain with a firewall will make the ransomware continue spreading like a worm over the network and encrypt the files over the system.

Prevention against WannaCrypt ransomware attack?

This attack is a loud and clear wake-up call for all. Basic cyber hygiene can provide significant immunization against such attacks. Below are the detailed guidelines that individual users and organizations should follow to nip the WannaCrypt ransomware attack threat in the bud:

  • Update your Windows: Microsoft has already patched this vulnerability for the supported versions of Windows. The users must keep their Windows updated to prevent damage from the ransomware. For, the versions of the Windows like XP, Windows 8 and Windows Server 2003, that receive only custom support, Microsoft has released a new security patch.
  • Disable Server Message Block (SMB): Microsoft has released a detailed guideline to disable Server Message Block (SMB).
  • Block access to these ports: Users should block access to SMB ports over the network. The protocol operates on UDP ports 137 and 138, TCP ports 137, 139, and 445. Users should modify the configurations in the enabled firewall settings to perform the same.
  • Backup your data: In addition, the users must regularly maintain data backup to have a work around in case their system gets infected.
  • Be Aware: Keep yourself updated on the latest cyber threats and empower your organization through situational awareness and incident reporting platform to bring in Security First culture and proactively mitigating cyber risk.
  • Don’t Pay Ransom: The victims should avoid making payment of ransom because there is no guarantee that hackers will provide the decryption key.

Indicators of compromise for WannaCrypt

SHA1 of samples analyzed:

  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Files created:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • taskdl.exe
  • Taskse.exe
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension

Registry keys created:

  • HKLM\SOFTWARE\WanaCrypt0r\wd


loader gif