WannaCrypt ransomware worm targets out-of-date systems

Discussion in 'malware problems & news' started by ronjor, May 13, 2017.

  1. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    959
    Location:
    Da mean streets of Brooklyn
    I clicked on the live News tile in my Start menu (isn't that cute?) and there was this story on North Korea and its "purely" mercenary goals in hacking everything it can. The story is by the LA Times, entitled: North Korea: Land of Few Computers but Many Hackers. See, plat has money on mind. :blink: Still the thinking is that North Korean hackers are behind this one, but do you think it's the Lazarus Group specifically? :doubt: Not too much info to chew on there. I see you started an Adylkuzz thread. A new, stealthy wave is brewing, right?

    Edit: Here's another ad I got from Emsisoft. I'm looking at the red figure, not hard to kind of intuit the nationality of the malware sender they had in mind. :)
     
    Last edited: May 17, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
    Some additional info about DoublePulsar. Note what I underlined:
    https://www.bitsighttech.com/blog/u...-industries-is-key-to-protecting-supply-chain
     
    Last edited: May 17, 2017
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,090
    Location:
    Triassic
    Has there been any word from those who paid the ransom? I saw one article that said the criminals had collected about $50K, but there was no mention as to whether or not the victims received a decryption key or not.

    This is all I could find...
    http://www.pcworld.com/article/3196...-will-probably-get-you-nothing-heres-why.html
     
    Last edited: May 17, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
    https://www.wilderssecurity.com/threads/wannacry-ransomware-creators-make-rookie-mistake.394089/
    After the kill switch was made inoperable by registering the domain, I believe there was no way to make a ransomware payment even if you wanted to. Hence the low number of payments total.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,089
    Location:
    Saudi Arabia/ Pakistan
    Sorry, my Internet connection is very limited and it will be a huge update. Time is a factor too.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    https://www.theregister.co.uk/2017/05/18/microsoft_azure_wannacrypt_advice/
     
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,074
    Location:
    UK
    Trend Micro WannaCry Simple Patch Validation Tool v1.0

    Check if your Windows computer is protected against the WannaCry ransomware.

    Due to the vulnerability of SMB v1, remote code execution may be conducted on a computer. This will allow attackers to drop the WannaCry ransomware and other infections on a computer. Trend Micro WannaCry Simple Patch Validation Tool is a simple tool that can perform the following:
    > checks if Microsoft’s MS17-010 patch has been successfully applied on the computer.
    > offers and allows the user to disable SMB v1 on the computer through a registry key.
    Note: SMB v1 or Server Message Block version 1 is a protocol used to provide access to shared folders, printers or other peripherals across the network.

    https://esupport.trendmicro.com/en-...wd=KB-_-prd=gen-_-src=KB1117393-_-loc=Default
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    https://arstechnica.com/security/20...-wcry-can-be-decrypted-without-paying-ransom/
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,492
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
    I already posted about this. Only works on some XP installations. The hack is to get the ransomware decryptor key to reveal itself in memory.

    And yes, all XP installations without the patch applied are vulnerable.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,492
    That makes sense and I must have read it wrong. Didn't see that part about XP being patched in his article.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,492
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    So it seems. And all along I thought XP was the main target OS.
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,492
    That is what I was led to believe also.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
    For the life of me, I don't know where this "worm" business is coming from. WannaCry is not a worm! Here is the definition of a computer worm: https://en.wikipedia.org/wiki/Computer_worm . What worms do is infect other devices on the network with malware. WannaCry did not do such activity.

    Let's review again what WannaCry did. Let's also assume the delivery mechanism was an infected e-mail. A user on a vulnerable unpatched client computer opens the e-mail. WannaCry then deploys stage one of its attack. It runs its exploit of the SMB vulnerability from that client computer, which allows it access to all network shares, i.e. all joined shared network drives. WannaCry then deploys stage two of its attack, which is to encrypt all the drives that it has access to from the infected client computer. It is assumed that the client computer had full access to the targeted network shares, i.e. R/W/D, which would allow the ransomware portion of this attack to run unimpeded. For all practical purposes, it would be the same as ransomware encrypting all local drives installed in a stand-alone PC.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    2,984
    Location:
    DC Metro Area
  19. 1timeuserrr

    1timeuserrr Registered Member

    Joined:
    Mar 12, 2009
    Posts:
    59
    Thank you for the article. I didn't see it in another thread so it's good to have it here too.
     
  20. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    464
    http://blog.emsisoft.com/2017/05/18/wannacry-ransomware-interview/

     
  21. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    959
    Location:
    Da mean streets of Brooklyn
    I find it peculiar that an unsophisticated, nothing special "copy and paste" ransomware was delivered by such a top-drawer exploit, taken from the NSA.

    Maybe whoever was behind it figured the exploit was virtually guaranteed so nothing fancy was necessary.
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,149
    @itman
    As I understand it, it's this "worm" part of the malware that enabled it to spread so fast. And it's not just accessing files on networked machines, it's actually infecting systems on the network through the SMB1 exploit.

    Here is one video showing it: https://twitter.com/GossiTheDog/status/863568506012520449

    For me the question remains whether the exploit implementation works on Windows XP or not.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
    I stand corrected, it is a worm after all. The below U.S. CERT article gives the best explanation of how the ransomware portion of WannaCry is propagated throughout the network. Basically, the source infected computer spreads the ransomware payload to other network connected devices using the SMBv1 exploit via port 445. It is assumed that all devices on the network are unpatched:
    https://www.us-cert.gov/ncas/alerts/TA17-132A

    As far as Win XP goes, I would say it would be most vulnerable if unpatched. There have been numerous past SMB exploits against Win XP. You can scroll through the list of XP vulnerabilities here: http://www.cvedetails.com/vulnerabi...&sha=96656e0273b52e8473fbf8b6371fe2ed4a0f8ae8 to find them.

    Almost all firewalls have default rules to allow inbound port 137-139, and 445 traffic from the trusted network if file sharing is enabled.
     
    Last edited: May 19, 2017
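The propagation pattern described in the post above (one infected host reaching many neighbours on port 445, which default firewall rules from the trusted network allow) is exactly what a defender can look for in firewall logs. The script below is an added example, not from the thread or from US-CERT: it parses constructed log lines in a hypothetical "timestamp src dst dport action" format and flags any source that reaches an unusually large number of distinct hosts on SMB/NetBIOS ports inside a short time window.

```python
"""Flag worm-like SMB fan-out in firewall logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the thread mentions: NetBIOS 137-139 and SMB 445.
SMB_PORTS = {137, 138, 139, 445}
# Constructed sample log, hypothetical "ts src dst dport action" layout.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.6 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.7 445 ALLOW
2017-05-12T10:00:03 10.0.1.20 10.0.1.8 445 ALLOW
2017-05-12T10:00:03 10.0.1.20 10.0.1.9 445 ALLOW
2017-05-12T10:00:04 10.0.1.20 10.0.1.10 445 ALLOW
2017-05-12T10:00:05 10.0.1.20 10.0.1.11 445 ALLOW
2017-05-12T10:00:06 10.0.1.20 10.0.1.12 445 ALLOW
2017-05-12T10:00:07 10.0.1.20 10.0.1.13 445 ALLOW
2017-05-12T10:00:08 10.0.1.20 10.0.1.14 445 ALLOW
2017-05-12T10:00:20 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:21 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:22 10.0.1.31 10.0.1.5 443 ALLOW
2017-05-12T10:05:00 10.0.1.30 10.0.1.6 445 ALLOW
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def smb_fanout_sources(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct SMB targets} for sources at/over threshold."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, action = parse_line(line)
        if dport in SMB_PORTS and action == "ALLOW":
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        # Slide a window forward from each hit and count distinct targets.
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in smb_fanout_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within 60s, worm-like fan-out")
```

A normal client that repeatedly talks to one file server (10.0.1.30 here) stays under the threshold; tune the window and threshold to the size of your own subnet.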
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,990
    Location:
    U.S.A.
  25. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    959
    Location:
    Da mean streets of Brooklyn
    Well it's been one week; I read with interest the posts on page 13 of this thread:

    https://www.wilderssecurity.com/threads/ransomware-and-recent-variants.384890/page-13

    My question is: if the main motive was mass chaos and disruption of business, what other worm-assisted malware would also accomplish this, without request for revenue, maybe with more devastating results? Was ransomware chosen purely for its mass file-altering properties? Was this saber-rattling? If this is a smokescreen, that a decryption key could be developed is fuel for this theory, right? The revenue from the WCry is just gravy, then.

    Edit: If you've seen one of those North Korean displays of military might on TV, you'd wonder about cyber saber rattling. Speculation, speculation.
     
    Last edited: May 19, 2017