National Cyber Awareness System:
05/12/2017 09:36 PM EDT
Original release date: May 12, 2017 | Last revised: May 16, 2017
Systems AffectedMicrosoft Windows operating systems OverviewAccording to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in over 150 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S. This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming. DescriptionInitial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector may be through phishing. Technical DetailsIndicators of Compromise (IOC)IOCs are provided within the accompanying .xlsx file of this report. IOCs were developed based on analysis of the malware and can be found in STIX format. AnalysisThree files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as "WannaCry", a.k.a "WannaCrypt" or ".wnCry". The first file is a dropper, which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files. For a list of IOCs found during analysis, see the STIX file. Displayed below are YARA signatures that can be used to detect the ransomware: Yara Signatures
DropperThis artifact (
Displayed below is a sample request observed:
If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.
Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network
Note: ImpactRansomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed. SolutionRecommended Steps for Prevention
Recommendations for Network Protection Apply the patch (MS17-010). If the patch cannot be applied, consider:
Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations and consider implementing the following best practices:
Recommended Steps for Remediation
Defending Against Ransomware Generally Precautionary measures to mitigate ransomware threats include:
Report Notice DHS and FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report information to DHS or law enforcement immediately. We encourage you to contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) (NCCICcustomerservice@hq.dhs. References
Revision History
|