The WannaCrypt ransomware appeared on May 12, 2017 and distributes itself like a typical worm. It uses well-known, already patched vulnerabilities in the SMBv1 implementation of Windows-based systems.
The exploit that WannaCrypt uses is known as the “EternalBlue” vulnerability (CVE-2017-0145). It sends specially crafted packets to the target system's SMBv1 server.
Some engineers/analysts reported that the initial wave arrived via social engineering emails that tricked users into downloading the malware. Others found that many companies didn't block NetBIOS traffic on their firewalls and/or Internet routers.
What kind of systems are at risk? All older Windows-based systems! According to Microsoft, Windows 10 systems are NOT at risk. Patches are available, and it's always a good idea to remove SMBv1 from all of your systems (wherever this is possible).
And we are not talking about a PC-only problem! There are many functional devices (think about what happened to Deutsche Bahn during the weekend) that use Windows as their operating system. Many of these embedded systems and functional devices run older Windows versions, so these could be the systems at the biggest risk!
Some researchers warned that there are many (>140, and counting) variants of the WannaCrypt ransomware! So be aware of that and apply all necessary patches as soon as possible.
If you need to scan your Active Directory and/or reachable systems: there is a script for that.
A researcher found a kind of kill switch: the WannaCrypt ransomware tries to contact the following domains/host names:
The infected system tries to access these via the API call InternetOpenUrlA() on port 80 (HTTP).
If these domains/hosts are reachable, the initial variant of the WannaCrypt ransomware seems to stop: it doesn't encrypt any local data, and it looks like it doesn't try to spread itself any further.
You should not block these domains/hosts. The malware doesn't seem to be proxy aware, so admins should whitelist these or add a DNS record for them. For a customer, we decided to redirect these domains to a local web server, and the admins monitor any access to that server. I'm not 100% sure that this works, but this could be an option to find infected systems.
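As an added example (not from the original post, and not the script mentioned above), here is the monitoring idea in Python: it parses access-log lines from the local sinkhole web server that the kill-switch domains were redirected to and lists the client IPs that requested those host names, i.e. the candidates for infected systems. The log lines are constructed, the domain names are placeholders (the real ones are not reproduced here), and the assumed format is Apache combined log with the requested virtual host appended.

```python
import re
from collections import defaultdict

# Placeholder for the real kill-switch host names (not reproduced here).
KILLSWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed sample: Apache combined log format with the requested
# virtual host (%v) appended as the last field.
SAMPLE_LOG = """\
10.1.2.30 - - [13/May/2017:08:01:12 +0200] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-domain.example
10.1.2.31 - - [13/May/2017:08:01:15 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" intranet.example
10.1.2.30 - - [13/May/2017:08:03:40 +0200] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-domain.example
10.1.7.9 - - [13/May/2017:08:05:02 +0200] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-domain.example
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def parse_line(line):
    """Parse one access-log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sinkhole_hits(log_text, killswitch_domains):
    """Return {client_ip: hit_count} for requests whose Host matched a kill-switch domain."""
    domains = {d.lower().rstrip(".") for d in killswitch_domains}
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"].lower().rstrip(".") in domains:
            hits[rec["ip"]] += 1
    return dict(hits)


def report(hits):
    """Format the suspect list, most active client first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join("%-15s %d hit(s)" % (ip, n) for ip, n in rows)


if __name__ == "__main__":
    print(report(sinkhole_hits(SAMPLE_LOG, KILLSWITCH_DOMAINS)))
```

Every IP in the output is a host that tried to reach the kill-switch domain and should be checked and isolated; legitimate clients have no reason to request those names.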
What could you do to protect your networks and systems?
- Install all necessary patches and hotfixes!
- Update your anti-virus product (all major vendors have published updates to detect and remove Win32/WannaCrypt)
- Block NetBIOS (at minimum TCP port 445) on your Internet routers and/or firewalls
Optional: block all NetBIOS/SMB-related ports on your Internet routers and/or firewalls!
You should block the following ports:
- UDP/137 (netbios-ns)
- TCP/137 (netbios-ns / unusual)
- UDP/138 (netbios-dgm)
- TCP/139 (netbios-ssn)
- TCP/445 (microsoft-ds)
There should be no impact on anything! Why would you use NetBIOS over the unsecured Internet?
If you have any infected system, contact your local law enforcement agencies!
I highly recommend talking to your users. I know, this is unusual for many IT guys, but good communication is the key to prevention. And your users should be informed by you and not via the mainstream media (or even guys like me)!
In short: This is far from over! Be aware of that and keep an eye on your systems!
The Microsoft Windows Security Team published a great article with more detailed information and a solid, very detailed wrap-up.
The WannaCrypt ransomware is also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY. The AV vendors' name for it is Win32/WannaCrypt.