Rapid7 Blog

Worms  

Wanna Decryptor (WNCRY) Ransomware Explained

Mark the date: May 12, 2017. This is the day the “ransomworm” dubbed “WannaCry” / “Wannacrypt” burst — literally — onto the scene with one of the initial targets being the British National Health Service. According to The Guardian: the “unprecedented attack… affected 12 countries and at least…

Mark the date: May 12, 2017. This is the day the “ransomworm” dubbed “WannaCry” / “Wannacrypt” burst — literally — onto the scene with one of the initial targets being the British National Health Service. According to The Guardian: the “unprecedented attack… affected 12 countries and at least 16 NHS trusts in the UK, compromising IT systems that underpin patient safety. Staff across the NHS were locked out of their computers and trusts had to divert emergency patients.” A larger estimate by various cybersecurity firms indicates that over 70 countries have been impacted in some way by the WannaCry worm. As of this post's creation time, a group with the Twitter handle @0xSpamTech has claimed responsibility for instigating the attack but this has not yet been confirmed. What is involved in the attack, what weakness(es) and systems does it exploit, and what can you do to prevent or recover from this attack? The following sections will dive into the details and provide guidance on how to mitigate the impact from future attacks. What is "Ransomware"? Ransomware "malicious software which covertly encrypts your files – preventing you from accessing them – then demands payment for their safe recovery. Like most tactics employed in cyberattacks, ransomware attacks can occur after      clicking on a phishing link or visiting a compromised website.” (https://www.rapid7.com/solutions/ransomware/) However, WannaCry ransomware deviates from the traditional ransomware definition by including a component that is able to find vulnerable systems on a local network and spread that way as well. This type of malicious software behavior is called a “worm” and the use of such capabilities dates back to 1988 when the Morris Worm spread across the internet (albeit a much smaller neighborhood at the time). Because WannaCry combines two extremely destructive capabilities, it has been far more disruptive and destructive than previous cases of ransomware that we've seen over the past 18-24 months. While the attackers are seeking ransom — you can track payments to their Bitcoin addresses: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 here: https://blockchain.info/address/ — there have been reports of this also corrupting drives, adding a destructive component as well as a ransom-recovery component to the attack. What Systems Are Impacted? WannaCry only targets Microsoft Windows systems and is known to impact the following versions: Microsoft Windows Vista SP2 Windows Server 2008 SP2 and R2 SP1 Windows 7 Windows 8.1 Windows RT 8.1 Windows Server 2012 and R2 Windows 10 Windows Server 2016 Windows XP However, all versions of Windows are likely vulnerable and on May 13, 2017 Microsoft issued a notification that included links to patches for all impacted Windows operating systems — including Windows XP. As noted, Windows XP is impacted as well. That version of Windows still occupies a 7-10% share of usage (as measured by NetMarketshare): and, this usage figure likely does not include endpoint counts from countries like China, who have significant use of “aftermarket” versions of Windows XP and other Windows systems, making them unpatchable. The “worm” component takes advantage of a Remote Code Execution (RCE) vulnerability that is present in the part of Windows that makes it possible to share files over the network (known as “Server Message Block” or SMB). Microsoft released a patch -MS17-010 - for this vulnerability on March 14th, 2017 prior to the release of U.S. National Security Agency (NSA) tools (EternalBlue / DoublePulsar) by a group known as the the Shadow Brokers. Rapid7's Threat Intelligence Lead, Rebekah Brown, wrote a breakdown of this release in a blog post in April. Vulnerability detection tools, such as Rapid7's Metasploit, have had detection capabilities for this weakness for a while, with the most recent Metasploit module being updated on April 30, 2017. This ransomworm can be spread by someone being on public Wi-Fi or an infected firm's “guest” WiFi and then taking an infected-but-not-fully-encrypted system to another network. WannaCry is likely being spread, still, by both the traditional phishing vector as well as this network worm vector. What Can You Do? Ensure that all systems have been patched against MS17-010 vulnerabilities. Identify any internet-facing systems that have not been patched and remediate as soon as possible. Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems. Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware. NOTE: The Rapid7 Managed Detection & Response (MDR) SOC has developed detection indicators of compromise (IOCs) for this campaign, however we are only alerted once the malware executes on a compromised system. This is not a mitigation step. UPDATE - May 15, 2017: For information on how to scan for, and remediate, MS17-010 with Nexpose and InsightVM, please read this blog. A Potentially Broader Impact We perform regular SMB scans as a part of Project Sonar and detected over 1.8 million devices responding to full SMB connection in our May 3, 2017 scan: Some percentage of these systems may be Linux/UNIX servers emulating the SMB protocol but it's likely that a large portion are Windows systems. Leaving SMB (via TCP port 445) open to the internet is also a sign that these systems are not well maintained, and are also susceptible to attack. Rapid7's Heisenberg Cloud — a system of honeypots spread throughout the internet — has seen a recent spike in probes for systems on port 445 as well: Living With Ransomware Ransomware has proven to be an attractive and lucrative vector for cybercriminals. As stated previously, backups, along with the ability to quickly re-provision/image an impacted system, are your only real defenses. Rapid7 has additional resources available for you to learn more about dealing with ransomware: Understanding Ransomware: https://www.rapid7.com/resources/understanding-ransomware/ Ransomware FAQ: /2016/03/22/ransomware-faq-av oiding-the-latest-trend-in-malware If you'd like more information on this particular ransomworm as seen by Project Sonar or Heisenberg Cloud, please contact research [at] rapid7 [dot] com. Many thanks to the many contributors across Rapid7 who provided vital information and content for this post. For more information and resources on WannaCry and ransomware, please visit this page.

Federal Friday - 12.13.13 - Phishing with Tumblr and Pricing for Worms

Happy Friday fed friends! Another week comes to a close leaving us with 12 days to finish up the holiday shopping. Word out of the North Pole is that Santa has a new tool to check who's been naughty or nice this year .There have…

Happy Friday fed friends! Another week comes to a close leaving us with 12 days to finish up the holiday shopping. Word out of the North Pole is that Santa has a new tool to check who's been naughty or nice this year .There have already been more than a few articles floating around with 2014 predictions for cyberthreats and many of them, including this little diddy from GCN, tell a familiar yet slightly different tale. What most cybersecurity experts are saying, and I happen to agree with, is that the threat landscape heading into 2014 will be primarily made up of known targets but the attacks would feature new tactics. The interesting thing that the GCN article highlights?  2 new wrinkles in the threat landscape; Bring Your Own Cloud (BYOC) and wearable computers. Many of your employees currently use a variety of personal cloud services, whether through their PC or their mobile device, and will utilize these services with information from work. They aren't doing this with malicious intent but out of convenience and in many cases unknowingly circumventing organizational cybersecurity standards. In addition to BYOD and BYOC we are going to start running into the wearable computer issue sooner than later. Samsung has released Galaxy Gear this year, Google Glass is in beta and Microsoft is also working on it's own product as well. While this won't be a rush right away on the gen-one products, we will all see an influx of Star Trek like devices walking through the door as they become part of the larger tech market.On the Internet Storm Center site there are reports of Phishing attacks utilizing a fake Facebook site that distributes malware through some odd Tumblr redirects. Remember this old story? You get a message from a friend saying that a crime has been committed against someone on your friends list, and that there are pictures of the perpetrator on a Tumblr page. The hook is that they need your help in order to ID the bad guys. Once an individual clicks on the Tumblr link they are redirected to a fake Facebook log in screen, prompting them for their credentials, which are immediately compromised. I find this to be an interesting ploy given all the hysteria that was raised in the hours and days follow the Boston Marathon bombings where many members of the general public engaged in a crowd-sourced dragnet to help the authorities ID suspicious looking people. Needless to say, this has caught some attention and has been an effective tactic. On another note a new tool for attackers is to auto-register Tumblr accounts by circumventing some of the defenses Tumblr has in place when a user registers an account. This gives the attackers the ability to use similar tactics among multiple social networks.Now, one can go Phishing without using Worms but for those sophisticated attackers there is a huge marketplace for them to acquire some of the rarest worms that are available, for the right price. Nextgov had a nice piece highlighting a report from NSS Labs on the "black market" for cyber arms where an average of 85 exploits are being sold per day. Using some simple math that equates to 31,025 exploits a year being sold through these boutique shops. Their customer lists range from governments, intelligence agencies, the mafia, and many cyberterrorist organizations with pricing models that include pay-per-exploit options to a site offering 25 exploits a year for a $2.5 million lump sum payment.The moral of this week's story? Rapid7 has decided to take a proactive approach heading into 2014. In January and February we are hitting the road and holding a half day seminar, "Security at the Crossroads." This event will be led by various industry leaders and will help you better understand attackers, address the threats among various assets, monitor your security posture, and to help develop strategies that IT and executive teams can support. Click here to read more about it and find a location near you.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More

Toolkit

Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Download Now

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.

Listen Now