Tuesday 23 May 2017

WannaCry/WCRY 2.0 - What do we know?

On Friday 12th May, we were all made aware of a global ransomware attack, which hit nearly 200 countries, infecting over 300,000 Windows machines.  Named WannaCry/WCRY 2.0, it encrypted your data and demanded a ransom of US$300 payable in Bitcoin (electronic currency).


Looking back to earlier in 2017 shows how WannaCry evolved.

14th March 2017 - Microsoft released a patch it classified as Critical as part of its monthly patch cycle.  The patch was called MS17-010 and resolved a vulnerability in the SMBv1 server on machines running Windows workstation and server operating systems.

14th April 2017 - Shadow Brokers leaked the NSA hacking tools which exploited the MS17-010 vulnerability.

14th April 2017 - WannaCry/WCRY 1.0 was released

12th May 2017 - WannaCry/WCRY 2.0 was released


WannaCry/WCRY 1.0 was a spam campaign, which delivered its payload via compromised or malicious Dropbox accounts.  To all intents and purposes, it felt like a typical ransomware attack, delivering an email with a link, the user clicking on the link to download the ransomware, the ransomware would exploit a vulnerability (in this case MS17-010) and then encrypt the data.

Why is WannaCry/WCRY 2.0 different?

It is believed that WannaCry/WCRY 2.0 was not distributed via email, nor was it caused by clicking on a link.

WannaCry/WCRY 2.0 scans for Windows machines that are running SMBv1, and will try to infect them.  I say try to infect them, because if the machine had the MS17-010 patch installed, it could not be infected.  The ransomware will exploit the vulnerability, install itself and encrypt the data.  WannaCry/WCRY 2.0 also has a worm-like characteristic, where it will scan the local network and random external IP addresses to see if they are running SMBv1 and try to infect them as well.

The clever part of this ransomware, is that it requires no user interaction to initiate it or to spread it.
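Because the spreading behaviour described above needs no user interaction, the most useful signal for a defender is on the network: one host suddenly attempting SMB (TCP/445) connections to many distinct machines, including addresses outside the organisation. The following is an added example, not code from the original post, showing a small detector that runs over a constructed firewall/flow log in the hypothetical format "timestamp src_ip dst_ip dst_port action" and flags sources that fan out to many 445 targets in a short window or that try to reach external addresses on 445 at all. The log lines, the internal network ranges and the thresholds are all assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Format assumed:
# "timestamp src_ip dst_ip dst_port action", one event per line.
# 10.0.0.5 shows worm-like fan-out on 445, including three external targets;
# 10.0.0.12 is a normal client talking to two file servers;
# 10.0.0.30 is web traffic and is ignored.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.6 445 ALLOW
2017-05-12T10:00:01 10.0.0.5 10.0.0.7 445 ALLOW
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 445 DENY
2017-05-12T10:00:02 10.0.0.5 10.0.0.9 445 ALLOW
2017-05-12T10:00:03 10.0.0.5 203.0.113.20 445 DENY
2017-05-12T10:00:03 10.0.0.5 198.51.100.77 445 DENY
2017-05-12T10:00:04 10.0.0.5 192.0.2.15 445 DENY
2017-05-12T10:00:05 10.0.0.12 10.0.0.1 445 ALLOW
2017-05-12T10:00:06 10.0.0.12 10.0.0.1 445 ALLOW
2017-05-12T10:00:07 10.0.0.12 10.0.0.2 445 ALLOW
2017-05-12T10:00:08 10.0.0.30 10.0.0.1 80 ALLOW
"""

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SMB_PORT = 445


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_scanners(events, window_seconds=60, min_targets=5):
    """Return {src_ip: finding} for sources whose SMB connection attempts
    look like scanning: many distinct 445 targets inside one time window,
    or any attempt to reach an external address on 445.
    Both ALLOW and DENY are counted: a denied attempt is still an attempt."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in events:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        # Sliding window: find the largest set of distinct targets hit
        # within any window_seconds span for this source.
        best = set()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        external = sorted(d for d in best if not is_internal(d))
        if len(best) >= min_targets or external:
            findings[src] = {
                "distinct_targets": len(best),
                "external_targets": external,
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {finding['distinct_targets']} distinct SMB targets, "
              f"external: {finding['external_targets']}")
```

Denied connections are counted deliberately: a patched or firewalled target refusing the connection does not make the attempt any less interesting, and in practice the DENY lines are often the only trace of an infected host probing external addresses. Tune `min_targets` to the normal fan-out of file-server clients in your environment, and treat any workstation reaching out to the internet on 445 as a finding on its own.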

What was the criminal gain?

Some organisations have been monitoring the Bitcoin wallets and they estimate that the financial gain from this attack is in the region of US$65,000-70,000, which doesn't sound like a great deal.

Who's vulnerable now?

Using Shodan it's possible to search for Windows machines on the internet using the SMBv1 protocol.  Of course, it doesn't show if these machines have been patched to prevent MS17-010 from being exploited.
