As we’re sure you’ve all seen already, WannaCrypt is a pretty big ransomware exploit found in Windows that is spreading across multiple countries. The malware exploits an SMB flaw that Microsoft had provided a patch for in March. SMB, or Server Message Block, is a network file sharing protocol. SMB can be an extremely vulnerable protocol, and on older and unpatched Windows machines, is one of the lowest hanging fruit that penetration testers (and hackers) will attempt to exploit.
WannaCrypt first may gain access to a computer system via an email attachment. Upon download, the code goes through a number of file extensions on the computer changing the file extension and encrypting the files. After encrypting all the files on the system, the software will change the wallpaper to a message demanding payment which increases with time. Similar to a worm, the ransomware can quickly infect unpatched machines on the same network and also scans externally facing IPs across the Internet looking for SMB on TCP port 445.
A security researcher, known as MalwareTech, was able to find that WannaCrypt will attempt to connect to a URL: (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com).
The domain is thought to be a kill switch written into the malware in case the creator wanted to stop it spreading.
If the connection to the domain was successful, the software would stop executing and would not infect the system further. However, if the connection were to fail, the code would continue to execute and create a service on the system. Some companies were blocking the domain the software connected to in their firewall, which just caused the ransomware to continue spreading and encrypting files. (More in-depth malware analysis is listed here.)
MalwareTech was able to stop the spread by purchasing the domain name of the site that the software attempts to connect to. Unfortunately, there are new variants already (WannaCry 2.0 does not have a kill switch) and surely more to come.
WannaCrypt will target all Windows machines not patched with MS-17-010. Microsoft has released patches back for unsupported Windows versions in an attempt to reduce the spread.
The good news is that FormAssembly was not affected.
A few takeaways from this: Be extremely cautious of any phishing or spam attempts. Do not download any attachments you are not expecting from anyone. Verify via a secondary medium upon receiving anything suspicious. Keep your systems up-to-date with security patches, regardless of the operating system you’re using. If you don’t already have automatic updates on, turn them on.
If you run Windows and have not already installed the patch, do so immediately. Also consider disabling SMBv1. You can check out this resource for more information on how to protect yourself.
Like this post? Read a past Security Newsletter post here.