WannaCrypt ransomware worm targets out-of-date systems

I clicked on the live News tile in my Start menu (isn't that cute?) and there was this story on North Korea and its "purely" mercenary goals in hacking everything it can. The story is by LA Times entitled: North Korea: Land of Few Computers but Many Hackers. See, plat has money on mind. Still the thinking is that North Korean hackers are behind this one, but do you think it's the Lazarus Group specifically? Not too much info to chew on there. I see you started an Adylkuzz thread. A new, stealthy wave is brewing, right?

Edit: Here's another ad I got from Emsisoft. I'm looking at the red figure, not hard to kind of intuit the nationality of the malware sender they had in mind.

 

Some additional info about DoublePulsar. Note what I underlined:

https://www.bitsighttech.com/blog/u...-industries-is-key-to-protecting-supply-chain

 

Has there been any word from those who paid the ransom? I saw one article that said the criminals had collected about $50K, but there was no mention as to whether or not the victims received a decryption key or not.

This is all I could find...

http://www.pcworld.com/article/3196...-will-probably-get-you-nothing-heres-why.html

 

https://www.wilderssecurity.com/threads/wannacry-ransomware-creators-make-rookie-mistake.394089/

After the kill switch was made inoperable by registering the domain, I believe their was no way to make a ransomware payment even if you wanted to. Hence the low number of payments total.

 

Sorry, my Internet connection is very limited and it will be a huge update. Time is a factor too.

 

https://www.theregister.co.uk/2017/05/18/microsoft_azure_wannacrypt_advice/

 

Trend Micro WannaCry Simple Patch Validation Tool v1.0

Check if your Windows computer is protected against the WannaCry ransomware.

Due to the vulnerability of SMB v1, remote code execution may be conducted on a computer. This will allow attackers to drop the WannaCry ransomware and other infections on a computer. Trend Micro WannaCry Simple Patch Validation Tool is a simple tool that can perform the following:
> checks if Microsoft’s MS17-010 patch has been successfully applied on the computer.
> offers and allows user to disable SMB v1 on computer through registry key.
Note: SMB v1 or Server Message Block version 1 is a protocol used to provide access to shared folders, printers or other peripherals between the network.



https://esupport.trendmicro.com/en-...wd=KB-_-prd=gen-_-src=KB1117393-_-loc=Default

 

https://arstechnica.com/security/20...-wcry-can-be-decrypted-without-paying-ransom/

 

According to this article, XP was not vulnerable to this attack.

 

I already posted about this. Only works on some XP installations. The hack is to get the ransomware decryptor key to reveal itself in memory.

And yes, all XP installations without the patch applied are vulnerable.

 

That makes sense and I must have read it wrong. Didn't see that part about XP being patched in his article.

 

Yes, I also didn't know that. So it was only 7 and 8/8.1?

https://twitter.com/VessOnSecurity/status/865203180677812225

EDIT: https://twitter.com/GossiTheDog/status/865256662319411201

 

OK so the worm can't infect XP even without the patch but the ransomware can only if it is run manually?

 

So it seems. An all along I thought XP was main target OS.

 

That is what I was led to believe also.

 

For the life of me, I don't know where this "worm" business is coming from. WannaCry is not a worm! Here is the definition of a computer worm: https://en.wikipedia.org/wiki/Computer_worm . What worms do is infect other devices on the network with malware. WannaCry did not do such activity.

Lets review again what WannaCry did. Let's also assume the delivery mechanism was an infected e-mail. A user on a vulnerable unpatched client computer opens the e-mail. RannaCry then deploys stage one of its attack. It run its exploit of the SMB vulnerability from that client computer which allows it access to all networks shares i.e. all joined shared network drives. RannaCry then deploys stage two of its attack which is to encrypt all the drives that it has access to from the infected client computer. It is assumed that the client computer had full access to the targeted network shares i.e. R/W/D which would allow the ransomware portion of this attack to run unimpeded. For all practical purposes, it would be the same as ransomware encrypting all local drives installed in a stand alone PC.

 

Detail analysis of DoublePulsar exploit against an unpatched Win 2008 R2 SP1 x64 box here: https://zerosum0x0.blogspot.it/2017/04/doublepulsar-initial-smb-backdoor-ring.html?m=1 . Note that DoublePulsar is a kernel level SMB exploit.

 

I'm a little late to the party and have not read the all the latest in this thread but throwin this in - sorry if it's a dupe:

"French based researcher suggests method for WannaCry victims to decrypt data without paying ransom...

https://www.onmsft.com/news/french-...victims-to-decrypt-data-without-paying-ransom

Edit:

oOops: Yeah, I see it's dupish.

 

Thank you for the article. I didn't see it in another threat so it's good to have it here too.

 

http://blog.emsisoft.com/2017/05/18/wannacry-ransomware-interview/

 

I find it peculiar that an unsophisticated, nothing special "copy and paste" ransomware was delivered by such a top-drawer exploit, taken from the NSA.

Maybe whoever was behind it figured the exploit was virtually guaranteed so nothing fancy was necessary.

 

@itman
As I understand it's this "worm" part of malware that enabled it to spread so fast. And it's not just accessing files on networked machines it's actually infecting systems on network through SMB1 exploit.

Here is one video showing it: https://twitter.com/GossiTheDog/status/863568506012520449

For me question remains if exploit implementation works on Windows XP or not.

 

I stand corrected, it is a worm after all. The below U.S. CERT article gives the best explanation of how the ransomware portion of WannaCry is propagated throughout the network. Basically, the source infected computer spreads the ransomware payload to other network connected devices using the SMBv1 exploit via port 445. It is assumed that all devices on the network are unpatched:

https://www.us-cert.gov/ncas/alerts/TA17-132A

As far as Win XP goes, I would say it would be most vulnerable if unpatched. There have been numerous past SMB exploits against Win XP. You can scroll through the list of XP vulnerabilities here: http://www.cvedetails.com/vulnerabi...&sha=96656e0273b52e8473fbf8b6371fe2ed4a0f8ae8 to find them.

Almost all firewalls have default rules to allow inbound port 137-139, and 445 traffic from the trusted network if file sharing is enabled.

 

WannaCry decryptor here: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d . Confirmed to work on Win XP and Win 7.

Note: I believe this will work only after you have been infected and the ransomware screen appears. If you subsequently have rebooted, I believe this decryptor will not work since ransomware decryptor key is no longer in memory.

 

Well it's been one week; I read with interest the posts on page 13 of this thread:

https://www.wilderssecurity.com/threads/ransomware-and-recent-variants.384890/page-13

My question is: if the main motive was mass chaos and disruption of business, what other worm-assisted malware would also accomplish this, without request for revenue, maybe with more devastating results? Was ransomware chosen purely for its mass file-altering properties? Was this saber-rattling? If this is a smokescreen, that a decryption key could be developed is fuel for this theory, right? The revenue from the WCry is just gravy, then.

Edit: If you've seen one of those North Korean displays of military might on TV, you'd wonder about cyber saber rattling. Speculation, speculation.