MyCERT Advisories, Alerts and Summaries for the year 2017
MA-661.052017: MyCERT Alert – WannaCry Ransomware
Date first published: 13/5/2017
1st revision: 17/5/2017
MyCERT is aware of the outbreak of a ransomware called as WannaCry. This ransomware is also referenced online under various names – WCry, WanaCryptor, WannaCrypt or Wana Decryptor. Ransomware is type of malware that infects computing platform and restricts users’ access until an amount of ransom is paid in order to unlock it. Once the ransomware infected a system, the malware scans and infects other vulnerable systems within the same network.
It exploits a vulnerability found in Windows, known as EternalBlue, that Microsoft patched in March (MS17-010). The vulnerability is in the Windows Server Message Block (SMB) service.
• Files on infected computer are encrypted and the owner is unable to access the files until a ransom of $300 worth of Bitcoin is paid.
• Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored. Figure 1 shows the ransomnote found on infected computer. Figure 2 shows the text file created by the ransomware that explaining what has happened and instructions on how to pay the ransom.
• WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:
o .lay6o .sqlite3o .sqlitedbo .accdbo .javao .classo .mpego .djvuo .tiffo .backupo .vmdko .sldmo .sldxo .potmo .potxo .ppamo .ppsxo .ppsmo .pptmo .xltmo .xltxo .xlsbo .xlsmo .dotxo .dotmo .docmo .docbo .jpego .onetoc2o .vsdxo .pptxo .xlsxo .docx
Figure 1: WannaCry ransomnote (source: Securelist.com)
Figure 2: A text file dropped by the ransomware (Source: http://www.cyberswachhtakendra.gov.in)
3.0 Affected Product
• Unpatched Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows 2016.
Users of this product are advised to review and patch the vulnerability described in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Microsoft Patch for Unsupported Versions such as Windows XP, Vista, Server 2003, Server 2008 can be referred here:
Users are advised to take the following preventive measures to protect their computer from ransomware infection:
a) To immediately apply the security update MS17-010 as soon as possible.
b) Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
c) Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
d) Block all SMB (445/tcp) traffic.
e) A snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rules set. Check for SID 41978, 42329-42332, 42340 .
f) Emerging threats has an IDS rule that catches the ransomware activity (ID: 2024218) .
g) Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline;
h) Maintain up-to-date anti-virus software;
i) Keep operating system and software up-to-date regularly with the latest patches.
Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442 Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT