Advisory May 13, 2017

WannaCrypt Ransomware Attack

We would like to make you aware of a new ransomware that has been spread since 12th of March worldwide affecting hundreds of thousands of Windows computers and for which you should be considering the application of an emergency security patch update that Microsoft has released few hours ago.

The ransomware is called WannaCrypt and is using the latest NSA leaked exploits which have been identified as EternalBlue. It is also known as WannaCry, Wcry or Wanna Decryptor and spreads by leveraging a Windows SMB vulnerability (MS17-010).

The ransomware affects Windows 7 and Windows Server 2008 (or earlier OS) systems which have not been patched against the Windows SMB vulnerability (MS17-010). Once a windows computer is infected, it locks files on the computer and requires victims to pay $300 in Bitcoins to allow getting control back of their systems.

How is spreading:

Social engineering or spam emails is the typical attack vector, asking the users to click on a link within email or download and execute a PDF file or other attachment containing the exploitation code.
A file mssecsvc.exe is installed and executes the file tasksche.exe to create a service mssecsvc2.0. This service gets the IP address of the machine and attempts to connect to each IP address in the same subnet over port 445 (TCP).
If the connection is successful the malicious session is initiated and data are transferred.

What our customers should do as part of mitigation and prevention actions

  • Ensure all Windows-based systems are patched with the latest security updates. At a very minimum, the security patch for MS17-010 vulnerability should be downloaded from:
  • Close all public facing SMB (ports TCP 139, 445)
  • Ensure blocking any connections to TOR nodes and TOR -related traffic on network.
  • Ensure that anti-malware software is running on all endpoints in the organization and ensure that the software regularly receives malware signature updates.
  • Users are strongly encouraged to back up frequently their data to be able to restore them in case their devices have been infected with the malware.
  • Users are strongly advised that do not open emails that contain links or attachments from unknown recipients or when the subject or content of the email is unusual to them.

Additional Info / IoC:

Reported hash values

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa