A Note on WannaCry/WanaCrypt0r Ransomware

Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. Recently, a dangerous ransomware strain named 'WannaCry' has been affecting computers worldwide, creating the biggest ransomware attack the world has ever seen. Computers in India have also been affected.
 
About the Wanacrypt0r Ransomware
 
Wanacrypt0r is ransomware that infects Windows systems by using the EternalBlue exploit against a vulnerability in the SMBv1 protocol. The exploit gives an unauthenticated attacker remote code execution on any machine that exposes SMBv1 (TCP port 445). Microsoft patched this flaw in March 2017 as MS17-010. Wanacrypt0r is also known as WannaCry, WCry and WannaCrypt.
 
How does Wanacrypt0r work?
 
It uses the EternalBlue exploit for MS17-010 to propagate. Like other ransomware it can arrive when a user clicks a malicious link or downloads a malicious file from the internet or email, but what makes this family a worm is its ability to spread on its own through the Windows SMBv1 vulnerability: it scans the local network (and random internet addresses) for hosts listening on TCP port 445, checks whether they are vulnerable, exploits them to install a copy of itself, and then repeats the process from each newly infected machine, so it spreads rapidly across a network.
 
Once the Wanacrypt0r dropper has run and extracted its components, it downloads a Tor client (https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, the command-line Tor expert bundle rather than the Tor Browser) and uses it to communicate with its C2 (command and control) servers, which are reachable only as Tor hidden services.
 
The ransomware encrypts the user's files and marks them with the extensions ".wcry", ".wncry", ".wnry" or ".wncryt".

As with any form of online threat, safeguarding entry points is key. The following technical controls help prevent the ransomware from infecting the enterprise network:

  • Installing the latest Windows updates and security patches, especially MS17-010
  • Disabling SMBv1, as it is not required on modern versions of Windows
  • Monitoring for and preventing creation of the registry key HKLM\SOFTWARE\WanaCrypt0r, which the malware creates to record its working directory
  • Identifying and removing suspicious files such as taskdl.exe, taskse.exe, tasksche.exe, mssecsvc.exe and @WanaDecryptor@.exe in folders like C:\ProgramData and C:\Windows
  • Identifying and removing suspicious batch files with numeric names such as 131181494299235.bat, 176641494574290.bat or 217201494590800.bat (the digits vary from one infection to another)
  • Identifying and blocking the IP addresses already reported as sources; some of them are given below (they are Tor relays that the malware's Tor client connects to, and 9001 is the default Tor relay port):
    • 197.231.221.221:9001
    • 128.31.0.39:9191
    • 149.202.160.69:9001
    • 46.101.166.19:9090
    • 91.121.65.179:9001
    • 2.3.69.209:9001
    • 146.0.32.144:9001
    • 50.7.161.218:9001
    • 217.79.179.177:9001
    • 213.61.66.116:9003
    • 212.47.232.237:9001
    • 81.30.158.223:9001
    • 79.172.193.32:443
    • 38.229.72.16:443
  • Identifying Tor communication in network traffic and blocking the hidden services listed below. The first entry is not a C2 server but the malware's kill switch: the worm sends an HTTP request to that domain before doing anything else and exits without encrypting if the request succeeds. The domain has been sinkholed, so it must remain resolvable and reachable from the network; do not block it. A lookup of that domain from an internal host is, however, a strong indicator of an infection attempt and is worth alerting on.
    • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (kill switch, sinkholed)
    • rphjmrpwmfv6v2e[dot]onion
    • gx7ekbenv2riucmf[dot]onion
    • 57g7spgrzlojinas[dot]onion
    • xxlvbrloxvriy2c5[dot]onion
    • 76jdd2ir2embyv47[dot]onion
    • cwwnhwhlz52maqm7[dot]onion
  • Using behaviour-blocking tools (such as Emsisoft Anti-Malware) to identify and block suspicious program behaviour
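The propagation behaviour described in "How does Wanacrypt0r work?" and the indicators in the list above can be turned into a small triage script. The Python below is an added example and is not code from the original advisory or from any vendor tool. The log line format, the host addresses, the file paths and the scan threshold are constructed assumptions; the IOC values (the Tor relay addresses, the kill-switch domain, the dropped file names and the encrypted-file extensions) are the ones this page lists. It flags hosts fanning out to many peers on TCP 445, connections to the listed Tor relays, lookups of the kill-switch domain (reported as an indicator, never blocked), and dropped files or encrypted-file extensions in a file listing.

```python
"""Triage of constructed logs for WannaCry/WanaCrypt0r indicators.

Added example, not code from the original advisory. The log format, host
addresses, file paths and SCAN_THRESHOLD are constructed assumptions; the
IOC values are those listed in the advisory.
"""
from collections import defaultdict

# Tor relay endpoints listed in the advisory as (ip, port).
TOR_ENDPOINTS = {
    ("197.231.221.221", 9001), ("128.31.0.39", 9191), ("149.202.160.69", 9001),
    ("46.101.166.19", 9090), ("91.121.65.179", 9001), ("2.3.69.209", 9001),
    ("146.0.32.144", 9001), ("50.7.161.218", 9001), ("217.79.179.177", 9001),
    ("213.61.66.116", 9003), ("212.47.232.237", 9001), ("81.30.158.223", 9001),
    ("79.172.193.32", 443), ("38.229.72.16", 443),
}

# The worm requests this domain first and exits if the request succeeds, so a
# lookup is a strong infection indicator, but the domain must stay reachable:
# blocking it removes the kill switch.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

DROPPED_FILES = {"taskdl.exe", "taskse.exe", "tasksche.exe",
                 "mssecsvc.exe", "@wanadecryptor@.exe"}
ENCRYPTED_EXTS = (".wcry", ".wncry", ".wnry", ".wncryt")

# Assumed threshold: a host opening 445/tcp to this many distinct peers is
# treated as worm-style scanning rather than normal file-server use.
SCAN_THRESHOLD = 8


def parse_log(text):
    """Parse constructed lines 'CONN src dst dport' or 'DNS src name'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "CONN" and len(parts) == 4:
            events.append(("CONN", parts[1], parts[2], int(parts[3])))
        elif parts[0] == "DNS" and len(parts) == 3:
            events.append(("DNS", parts[1], parts[2].lower(), None))
    return events


def detect_smb_fanout(events, threshold=SCAN_THRESHOLD):
    """Sources that opened 445/tcp to at least `threshold` distinct peers."""
    peers = defaultdict(set)
    for kind, src, dst, dport in events:
        if kind == "CONN" and dport == 445:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def detect_tor_endpoints(events):
    """Connections to the Tor relays listed in the advisory."""
    return sorted({(src, dst, dport) for kind, src, dst, dport in events
                   if kind == "CONN" and (dst, dport) in TOR_ENDPOINTS})


def detect_kill_switch_lookups(events):
    """Hosts that resolved the kill-switch domain: alert on them, do not block."""
    return sorted({src for kind, src, name, _ in events
                   if kind == "DNS" and name == KILL_SWITCH})


def find_dropped_artifacts(paths):
    """Paths whose basename is a known dropped file or has an encrypted extension."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_FILES or name.endswith(ENCRYPTED_EXTS):
            hits.append(path)
    return hits


def triage(log_text, file_listing):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "smb_scanners": detect_smb_fanout(events),
        "tor_connections": detect_tor_endpoints(events),
        "kill_switch_lookups": detect_kill_switch_lookups(events),
        "artifacts": find_dropped_artifacts(file_listing),
    }


# Constructed sample data: 10.0.0.5 behaves like an infected host,
# 10.0.0.9 is an ordinary client talking to one file server.
SAMPLE_LOG = "\n".join(
    [f"CONN 10.0.0.5 10.0.0.{i} 445" for i in range(10, 22)]
    + ["CONN 10.0.0.5 197.231.221.221 9001",
       "DNS 10.0.0.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
       "CONN 10.0.0.9 10.0.0.2 445",
       "CONN 10.0.0.9 93.184.216.34 443"])
SAMPLE_FILES = [
    r"C:\ProgramData\jkgqw\tasksche.exe",
    r"C:\Windows\mssecsvc.exe",
    r"C:\Users\alice\Documents\report.docx.WNCRY",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG, SAMPLE_FILES).items():
        print(f"{check}: {finding}")
```

The fan-out check is deliberately separate from the IOC matches: relay addresses and file names change between samples, but a single host opening SMB sessions to a dozen peers in a short window is the behaviour of the worm itself and survives those changes. Feed the script real firewall or NetFlow exports by adapting `parse_log` to their column layout.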