Your IP : 216.73.216.40
<?php
include("inde.php");
?>
<h1>WannaCry Ransomware Attack</h1>
</center> <p>The cyberworld is currently being taken by a bold and widespread form of ransomware attack the world has seen till now. This ransomware, known by various names like WannaCry or WannaCrypt, uses the EternalBlue exploit developed by National Security Agency of USA. Exploit code was stolen from NSA by a group known as ShadowBrokers in 2016 and who then posted it publicly on 14 April<sup>[1]</sup>. According to NY Times, this cyberattack has crippled more than 200,000 computers in more than 150 countries<sup>[2]</sup>. At the time of writing this article, new variants of this ransomware have already been reported<sup>[3]</sup>.
</p><br>
<center><img src = "ransom/rsz_attack.png"><br /><em>WannaCry Ransomware: Tested on Isolated Machine at NSC Lab, IIITA</em></center>
<strong><p>
Sources:</p></strong>
<p>1. https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html</p>
<p>
2. http://https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html</p>
<p>3. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e</p>
<p></p>
<p></p>
<h2>What is a ransomware?</h2>
Ransomware is malware that prevents you from accessing your computer system normally until you pay the ransom. Its working differs from one infection to another. <p>While a simple ransomware will lock your systems files that can be unlocked by a person with some technical knowledge, more advanced ransomware will encrypt your data and then decrypt it only after you pay the ransom.</p>
<h2>
How WannaCry ransomware spreads?</h2>
The initial vector reported for the infection is a link in an email or a similar link in pdf that retrieves .hta file which further retrieves a payload which finally retrieves a malware that gets installed on your system. <p>It spreads itself on LAN as well as Internet by exploiting a EternalBlue vulnerability in Server Message Block protocol (SMB) in Microsoft Windows<sup>[4]</sup>. Specifically, an attacker performs remote code execution by crafting a special message (exploit) and sends it to SMBv1 server. The remote code execution vulnerability in SMBv1 server further causes it to retrieve a WannaCry Ransomware and finally gets installed on the target system.</p><p>Once a system is infected, WannaCry creates multiple threads to map vulnerable machines on local network and internet by generating random IP addresses and then infection further spreads to the discovered vulnerable systems<sup>[5]</sup>.</p>
<p><h2>Observations while Testing WannaCry Ransomware in NSC Lab, IIITA</h2></p>
<p>File size of the WannaCry ransomware is 3.4MB (3514368 bytes).</p>
<p>WannaCry writes itself into a random character folder in the ProgramData folder with the filename tasksche.exe or in the C:\Windows\ folder with the filename mssecsvc.exe and tasksche.exe.</p>
<p><strong>Examples</strong></p>
C:\ProgramData\lygekvkj256\tasksche.exe<br />
C:\ProgramData\pepauehfflzjjtl340\tasksche.exe<br />
C:\ProgramData\utehtftufqpkr106\tasksche.exe<br />
c:\programdata\yeznwdibwunjq522\tasksche.exe<br />
C:\ProgramData\uvlozcijuhd698\tasksche.exe<br />
C:\ProgramData\pjnkzipwuf715\tasksche.exe<br />
C:\ProgramData\qjrtialad472\tasksche.exe<br />
c:\programdata\cpmliyxlejnh908\tasksche.exe<br />
<strong><p>IP Addresses WannaCry communicates with</strong><sup>[5.1]</sup></p>
197.231.221.221:9001 <br />
128.31.0.39:9191 (observed in NSC Lab, IIITA)<br />
149.202.160.69:9001<br />
46.101.166.19:9090<br />
91.121.65.179:9001<br />
2.3.69.209:9001<br />
146.0.32.144:9001<br />
50.7.161.218:9001<br />
217.79.179.177:9001<br />
213.61.66.116:9003<br />
212.47.232.237:9001<br />
81.30.158.223:9001<br />
79.172.193.32:443<br />
38.229.72.16:443 (observed in NSC Lab, IIITA)<br />
<strong><p>Files that were created by WannaCry</p></strong>
@Please_Read_Me@.txt<br />
@WanaDecryptor@.exe<br />
@WanaDecryptor@.exe.lnk<br />
Please Read Me!.txt (Older variant)<br />
C:\WINDOWS\tasksche.exe<br />
C:\WINDOWS\qeriuwjhrf<br />
131181494299235.bat<br />
176641494574290.bat<br />
217201494590800.bat<br />
[0-9]{15}.bat #regex<br />
!WannaDecryptor!.exe.lnk<br />
00000000.pky<br />
00000000.eky<br />
00000000.res<br />
C:\WINDOWS\system32\taskdl.exe<br />
<p><strong>Sources:</strong></p>
<p>
4. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</p>
<p>
5. https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/</p>
<p>5.1. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/</p>
<h2>
Cure that stopped infection spread temporarily</h2>
An accidental 'kill switch' mechanism has been found that stops the ransomware from spreading further<sup>[6]</sup>:
<p>An infected system tries to connect to a domain name (composed of non-sensical text) pre-embedded in the malware code. If there is a response, malware stops from spreading to other systems on LAN. If there is no response or if the domain does not exist, infection continues to spread.</p>
This cure is temporary since the attacker can modify the 'kill switch' domain name or remove this mechanism completely in ransomware code, resulting in unending infection of vulnerable systems. WannaCry 2.0 is now without a kill switch has been released to infect the vulnerable system.
<p>WannaCry ransomware is not proxy-aware i.e. it needs an open un-proxied connection to the internet for infection to not spread further. If the the network connects to internet using a proxy, kill switch won't be activated and it will spread and infect the other vulnerable systems in the network.<sup>[7]</sup>.</p>
<p>At the time of writing this article, newer variants of WannaCry embedded with different domain names have already been reported<sup>[8]</sup>.</p>
<strong><p>
Sources:</p></strong>
<p>6. https://twitter.com/MalwareTechBlog/status/863187104716685312</p>
<p>7. https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware</p>
<p>8. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e</p>
<h2>Operating Systems that are vulnerable</h2>
All operating systems other than Windows 10 are vulnerable (including Windows XP, Vista, 7, 8, 8.1, etc) to WannaCry ransomware attack.
<p>Computers with Windows 10 installed are<strong> NOT </strong>vulnerable<sup>[9]</sup>. </p>
<p>During testing at NSC Lab IIITA, we opened the WannaCry malware with Wine on Linux and it encryped all the user data on Linux as well.</p>
<p><strong>Source:</strong></p>
9. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
<h2>Measure to be taken</h2>
If your system is infected then your data will be encrypted and you may or may not recover it after you pay the ransom.
<p>Otherwise following measures should be taken:</p>
<h3>
Patches to be installed</h3>
Microsoft has already released the patch for this vulnerability back in March this year.
<p>It is important to note that a security patch has also been released for unsupported Windows XP as well.</p>
<p>
To install these patches, you can either employ Windows Update feature in Microsoft Windows.</p>
<p><center><strong>OR</strong></center></p>
You can download respective patches from below microsoft MS17-010 bulletin link and install them:
<p>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
<p>https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 [for XP]</p>
<h3>Disabling SMBv1 Server</h3>
<p>This is recommended only if you have vulnerable SMBv1 server installed on your system. Disabling SMB on your system has many negative side-effects. This should be a temporary measure to stop infection spread and if you need to access your system.</p>
<p>
SMB can be disabled through Windows Powershell with administrator privileges or Windows Registry. The steps to be followed for disabling it and various services SMB offers/services that will be affected after disabling it are listed in the link below:</p>
<p>https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012</p>
<p>Alternatively, you can follow our guide to disable and enable SMB using PowerShell:</p>
<p>Search for the PowerShell in Window and on right-click, open it as administrator. Then to disable/enable SMB, follow the screenshots in the following document: <a href="ransom/smb_visual.pdf" target="_blank" >Disable or Enable SMB PDF</a></p>
<p><h3>Other Preventive measures</h3></p>
<p>The most easy and the best way to protect your data is to take its backup onto some offline storage such as exernal hard drive or pendrive. Once the backup is taken, please disconnect the storage from your system.</p>
<p>
If your system is infected, the first thing to do is to isolate it from the network. Report the incident to law enforcement authorities.</p>
<p>
The most common way for a malware to get installed on a system is through compromised emails and websites with malicious redirecting adverts. </p>
<p>
<p>
Further you should desist from visiting the websites who claim to provide free pirated content. Such websites are established sources of malware, hosted through adverts and other embedded mechanisms.</p>
<p>
Additionally, you should not click on hyperlinks that are unrecognisable and suspicious.</p>
<p> <h3> Naive solution to protect your files from getting encrypted </h3> </p>
<p> At NSC Lab, IIITA we tested the WannaCry ransomware for the files it encrypts and found that unknown file extensions are not getting encrypted. The file extensions handled by WannaCrypt is available in "http://bgr.com/2017/05/15/wanna-cry-ransomware-virus-windows-wannacry-explainer" </p>
<p>Considering the above, zip all the files of the system and change the file extension.Backup of the system will be available on the same system storage and WannaCry will not affect/encrypt that backup if accidentally it is installed on your system. </p>
<p> To take the backup of your data, do the following: </p>
<ol> <li>
Make a .zip or .rar file of your data. For example, backup.rar.
</li><li>
Now, open the command prompt and browse to the location of backup taken in step 1 using cd command.
</li> <li>
Using copy command, make a copy of your backup file to a new file with unknown extension. For example, in above case: copy backup.rar backup.clis
</li> </ol>
<p> The copy of backup with unknown file extension will be created in the same folder as the original backup file.</p>
<p>You can still open the backup file with unknown extension by using 'open with' feature and browse to the application you use for opening .rar or .zip file.</p>
<p> However for availability reason it is suggested to have the backup in other machines </p>
<h2>Technical Information about WannaCry Ransomware</h2>
<p>SMB Exploit code variant: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb</p>
<p>
WannaCry DLL Operations(Cryptography Involved): https://pastebin.com/aaW2Rfb6</p>
<p>WannaCry Functionality: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/</p>
<p>WannaCry Network Behaviour, Worm behavior, File decryption, Bitcoin Activity, etc: https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/</p>
<p>Malware Sample: hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE</p>
<p>Much more technical: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168</p>
<h2>Other Related Links:</h2>
<p>CERT-In Alert: http://www.cyberswachhtakendra.gov.in/alerts/wannacry_ransomware.html</p>
<p>Prevention of WannaCry Ransomware Threat - Session by CERT-In: https://www.youtube.com/watch?v=cuS69fT6caA </p>
<p>US-CERT: https://www.us-cert.gov/ncas/alerts/TA17-132A</p>
<br />
<p>More images of WannaCry Ransonware Testing from NSC Lab, IIITA: </p>
<em><center><img src="ransom/rsz_check_payment_screen.png" target="_blank">
<p>Check Payment Screen</p>
<img src="ransom/rsz_changed_desktop_bg_screen.png" target="_blank"><p>Changed Desktop BG Screen</p>
<img src="ransom/rsz_encrypted_file_as_wcry.png" target="_blank"></p>Encrypted File as WCRY</p></center>
<br/><br/>
<p>Analyzed and tested by MTech Students of Cyber Law and Information Security at NSC Lab, IIIT-Allahabad on 14/05/2017</p>
<center><img src = "ransom/team.jpg" width = "520" height = "250"><em></center>
<p>This article is published by the team of MTech students of CLIS, IIITA</p></em>
<br/>
<center> <?php include("bottom.php"); ?>