Jack O'Sullivan
March 22 2021
Update 22/05/2017 - 10:00am
Wanakiwi recovers your files
Researchers have discovered a flaw in the "WannaCry" ransomware which can be used to recover your encrypted files. The conditions where this will work are:
If you are in this situation then you can use "wanakiwi" (https://github.com/gentilkiwi/wanakiwi) to extract the decryption key from the system memory to recover your files. It is tested to work on Windows XP through to Windows 7, and the information security community has been feeding back that it works reliably.
Update 15/05/17 21:00
Using Nmap to detect nodes vulnerable to MS17-010
The WannaCry ransomware attack is currently exploiting a flaw within Microsoft Windows which is addressed by Microsoft's MS17-010 update. If you want assurance that your hosts are protected against this, you can use the freely available tool “nmap”, for which a detection script has been released.
On Windows
To install nmap on Windows you should follow the guide here:
Note that this will install “winpcap” which will require you to restart your machine.
On Linux
Nmap is available as a package for most Linux distributions so you can use your package manager as shown below:
This will not require a restart and should work.
Troubleshooting
When investigating this script it was found that it did not work on older versions of nmap. We have confirmed that it works on nmap 7.40 which was the latest release from the Debian release stream.
How to scan a host for MS17-010
Download the new “smb-vuln-ms17-010.nse” script from the link below:
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse
Then the syntax to launch a scan is shown below:
nmap -p 445 --script=./smb-vuln-ms17-010.nse <<IP ADDRESS or RANGE>>
For example, if your network range is 192.168.0.1-255 then you could scan your entire range using this command:
nmap -p 445 --script=./smb-vuln-ms17-010.nse 192.168.0.1-255
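Once a range scan like the one above has been run with `-oX scan.xml`, the hosts the script flagged can be pulled out of nmap's XML and turned into a patch list. This is an added example (not code from the original post, from nmap or from the script's author); the sample XML is constructed, follows nmap's XML schema and the vulns NSE library's table/elem layout as assumed here, and its table key "ms17-010" is a placeholder.

```python
"""Parse nmap XML output (-oX) from a smb-vuln-ms17-010 scan and list the hosts
the NSE script flagged, so a range scan can be turned into a patch list."""
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample of nmap XML for three hosts (not a real capture); assumes
# nmap's schema plus the vulns NSE library's <table>/<elem> result structure.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 445 --script=./smb-vuln-ms17-010.nse -oX scan.xml 192.168.0.1-3">
  <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE: ms17-010">
      <table key="ms17-010"><elem key="state">VULNERABLE</elem></table>
    </script></hostscript></host>
  <host><status state="up"/><address addr="192.168.0.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
      <table key="ms17-010"><elem key="state">NOT VULNERABLE</elem></table>
    </script></hostscript></host>
  <host><status state="up"/><address addr="192.168.0.3" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>"""

def vulnerable_hosts(xml_text):
    """Return IPv4 addresses whose ms17-010 state is VULNERABLE or LIKELY VULNERABLE."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iterfind("hostscript/script"):
            if script.get("id") != SCRIPT_ID:
                continue
            # Prefer the structured state elements; fall back to the plain-text output.
            states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
            candidates = states or [script.get("output", "")]
            if any(s.strip().upper().startswith(("VULNERABLE", "LIKELY")) for s in candidates):
                found.append(addr.get("addr"))
                break
    return found

if __name__ == "__main__":
    # Usage: python3 ms17010_report.py scan.xml   (defaults to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(vulnerable_hosts(data)))
```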
The following shows the output of the script when executed against one vulnerable target:
Update 15/05/17 13:20
Variants Increase to Number in the Hundreds, Microsoft takes a Swipe at the NSA
Anti-virus companies have reported a surge in the number of wannacry variants they have detected. One company, AV-TEST, has identified 452 unique variants of wannacry in the last 24 hours. It is unclear whether these variants are part of the original attack using the MS17-010 exploit or just variants of the wannacry ransomware itself; either could be the case. The numbers could be achieved by the original creators modifying their code to use different command and control servers, for example. As the exploit is publicly available, others could be combining it with the wannacry ransomware to create a duplicate worm. Equally likely is that the wannacry ransomware is now particularly popular among various cybercriminals who will be distributing it by more traditional methods such as email attachments. It is likely it will turn out to be a combination of all three approaches.
On a related note, Brad Smith, President and Chief Legal Officer of Microsoft, has written a blog post specifically calling out the US Government and the NSA for not disclosing the vulnerability which allowed this attack to be so devastatingly effective. Smith writes:
“this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#0JoDsUEdL4C3Wllt.99
Update 14/05/17 12:33
In an astonishingly short amount of time at least two new variants have been created. One variant appears to have removed the kill switch completely. However due to an error in the code the ransomware element appears not to be functional. The way in which this was done suggests that this attacker did not have access to the original code. Editing the kill switch out of the hexadecimal version of the code appears to have “broken” the ransomware functionality.
A second variant, with a different kill switch URL of
Ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
was identified by cloud company Comae.io, registered and halted. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
Given the ease with which new variants may now be developed an increase in numbers and modifications is predicted to occur within a matter of hours.
Update 13/05/17 20:16
Bitcoin Addresses, Command and Control Servers Identified, Attack Halted Temporarily.
The following are links to the bitcoin wallets to which the ransom is demanded to be sent:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Analysis of the code has identified five command and control servers using the anonymous Tor service. These are the addresses the malware reaches back to for further instructions:
The Tor network is a collection of servers which can be used to access the internet in an anonymous fashion. Originally developed by the American navy in the 1990s, Tor sends traffic through multiple servers run by volunteers throughout the world. Put simply, each server only knows where a request has come from and where it has to go next, creating a long chain which separates any given user from the site or service they are trying to reach. Websites and servers on Tor are identified by “.onion” addresses, taken from Tor’s name, “The Onion Router”, which reflects the many layers used to achieve anonymity. As such, Tor sites are a perfect way to control malware such as this, due to the extreme difficulty of finding out who is in control of any given site.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
Attack Halted for now …
On Friday it was identified that the malware contains a “kill switch”. This is a URL which the malicious software checks before it commences encrypting files. A British researcher, using the Twitter handle @malwaretechblog, noticed that the address had not actually been registered and proceeded to do so for just £8. The address in question is:
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
This has effectively stopped the spread of the original worm; however, anyone with even basic computer skills would be able to remove this failsafe, and further variants are predicted to be on the way. The full story may be found here: http://www.bbc.co.uk/news/technology-39907049
Update - 13/05/17 14:48
Global Impact
As the attack continues a large number of organisations around the world have been affected. So far examples of affected organisations are:
Update - 13/05/17 13:37
It has been over 24 hours since this attack reached the media, and to some extent the initial panic has died down, replaced with a sigh of relief, thanks to what was described as an “accident” which halted the spread, and an uncomfortable feeling of uncertainty about what may come next. Here is what we now know…
The malware was indeed a ransomware variant known as wannacry, Wcry or wannacryptor 2.0. It seems the attack worked like a worm, a type of malicious software which propagates itself. As mentioned before, the attack used a known vulnerability in SMB to gain entry, encrypt one machine, then scan for other connected machines on the network in order to continue the attack. Though in the UK the press certainly latched on to the fact that the attack had caused a lack of availability and access to many NHS systems, it is now clear that this was simply one effect of a much larger assault on all systems in the world running unpatched versions of SMB.
----------------------------------------------------------------------------------------------------------
Overview
This afternoon the press reported a major cyber attack on the NHS. This has caused the Internet to descend into virtual meltdown with contradictory statements, ill-informed opinion, supposition and speculation abounding. At the time of writing the following high level details are known:
The attack appears to use the “EternalBlue” exploit, for the vulnerability addressed by MS17-010, which was recently exposed by a group called “The Shadow Brokers” who, it is alleged, acquired the exploit by hacking into servers owned by the American National Security Agency (NSA). The exploit leverages a vulnerability in the SMB protocol.
SMB, which stands for Server Message Block, uses TCP port 445. It is a long-standing Windows protocol which allows computers to communicate with each other to perform functions such as shared access to files or printers. SMB is designed for use on local area networks and should not be exposed to the Internet. However, security misconfigurations may result in this being the case.
Kaspersky states that the current global extent of the attack and the total number of vulnerable devices number at least 200K. They estimate that 46K devices have been attacked and 150K devices are currently “at risk”.
Recommended triage action
Our comment on this is simple: 150K people should drop everything they are doing to take action now. To triage the problem take these actions in whichever order you can:
Each action should address the problem on its own. However, Secarma recommend taking both.
What is ransomware?
Ransomware is a relatively recent cyber attack method. It is frequently delivered via a phishing attack where a user is lured into clicking on a link in an email or opening a malicious attachment. The email is used to encourage the victim to interact with a “payload”. In the case of ransomware the payload results in data on the victim’s computer being encrypted rendering it useless.
A ransom is then demanded in order to decrypt the data. In the case of a single computer, strategies such as regular offline backups are sufficient to deal with such a threat. However, for computers which are part of a bigger system, with access to stores of shared files, network resources and databases, the ransomware may spread like a virus.
Infecting one computer will not only hold it hostage but may encrypt every other machine it is connected to, and in turn every machine those are connected to, creating a cascade effect. This means that a cybercriminal can hold an entire organisation hostage by achieving just one successful infection. Such seems to be the case here.
Due to the relative simplicity of the code required, and the ease with which anyone with even basic computing skills may send tens of thousands of emails at once, this has become an effective and lucrative method of extorting money.
Was this targeting the NHS?
This attack, which was most likely not aimed at the NHS in particular, is a worrying development. In recent years sensitive organisations, along with individuals, have been victims of this attack vector. Examples include hospitals, police departments and schools, to name a few. In this case, where multiple medical institutions have been affected, there is a real danger of loss of life.
Take the example of an emergency patient who is admitted to hospital in the following hours where access to their medical history is not currently available. This is perhaps one of the first true examples of a cyber attack becoming “kinetic”. This is a term experts use to identify an attack which has material consequences in reality.
Further analysis
Secarma consultants are investigating this issue and are standing by to help any organisation affected by this incident. We are analysing the extent of the attack and its origins, and providing support to clients at this time of need. As this attack is likely based on phishing emails, Secarma has developed a course to inform and train staff on how to avoid such attacks. Details of this course, and of how Secarma consultants can help your company or organisation, may be found by contacting enquiries@secarma.com.
Sources at Police Scotland have told Secarma "we are all equally worried about this development and the whole intel community is working together to fix this".
Although the sensationalists in cybersecurity talk about advanced and complex threats, this attack has come from a known vulnerability.
Long term mitigation advice
Secarma consultants offer the following advice to mitigate this and similar attacks in the future: