Blog

on 2017-05-20 07:04:12

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. The ransomware "WannaCry" has plagued 100k computers across 99 countries, with Russia hit the hardest; 75k computers were targeted across 99 countries. The attack infects a computer and then demands Bitcoins in return. It started at 8 AM on Friday, 12th May 2017, and quickly escalated into massive global spreading. The WannaCry attack was specifically designed to hit machines running Windows XP, which had received no updates for 3 years. Nearly 100 million computers run on Windows XP, i.e. 10% of all the Windows machines across the globe, mainly cash machines and government departments (hospitals). It spreads mainly through spam e-mails or through internal networks. Thousands of computers were infected in a global wave of cyber attacks. Banks and police in Russia detected attacks on their computer systems, with more in Portugal, Ukraine and Indonesia. The hacker group involved is the "SHADOW BROKERS". It affected British hospitals and doctors' surgeries. Previously, ransomware attacks were given $200 million in the first 3 months of 2016. To date the ransom amount collected by the Shadow Brokers is nearly $30 million. So the G7 Finance Ministers are meeting in Bari, Italy, from 11th to 13th May 2017, to discuss combating cyber crime. "The situation is like a Honda car of 1980's left unlocked till date."

Microsoft patch for unsupported versions such as Windows XP, Vista, Server 2003, Server 2008 etc.: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Apply the following signatures/rules at the IDS/IPS (the first and third rules carry the same sid, 2024218, at rev 2 and rev 1, one written against TCP port 445 and one against the smb app-layer keyword; deploy one of them per sensor so the ruleset does not carry a duplicate sid):

```suricata
alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
```

Reference: http://docs.emergingthreats.net/bin/view/Main/2024218

YARA (the `strings:` and `condition:` keywords are lowercase, as YARA requires):

```yara
rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}
```

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

  • .lay6
  • .sqlite3
  • .sqlitedb
  • .accdb
  • .java
  • .class
  • .mpeg
  • .djvu
  • .tiff
  • .backup
  • .vmdk
  • .sldm
  • .sldx
  • .potm
  • .potx
  • .ppam
  • .ppsx
  • .ppsm
  • .pptm
  • .xltm
  • .xltx
  • .xlsb
  • .xlsm
  • .dotx
  • .dotm
  • .docm
  • .docb
  • .jpeg
  • .onetoc2
  • .vsdx
  • .pptx
  • .xlsx
  • .docx
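The YARA rules given above mark every string `wide ascii nocase`. As an added example (my own code, not part of the original post and not the rule authors' work), the Python below emulates what those three modifiers mean: each of the wannacry_1 strings is compiled once as raw ASCII bytes and once as UTF-16LE (the "wide" form, one NUL byte after every character), both case-insensitively, and the rule's `any of them` condition is evaluated over buffers. The sample buffers and all function names are mine; they are constructed and contain no bytes from a real sample.

```python
import re

# The strings of the page's wannacry_1 rule, every one declared
# "wide ascii nocase".
WANNACRY_1_STRINGS = {
    "s1": "Ooops, your files have been encrypted!",
    "s2": "Wanna Decryptor",
    "s3": ".wcry",
    "s4": "WANNACRY",
    "s5": "WANACRY!",
    "s7": "icacls . /grant Everyone:F /T /C /Q",
}


def yara_string_pattern(text, wide):
    """Compile one YARA text string into a byte regex.

    'ascii' matches the raw bytes of the string; 'wide' matches it as
    UTF-16LE, i.e. every character followed by a NUL byte, which is how
    Windows GUI resources and many PE string tables store text. 'nocase'
    makes both forms case-insensitive (IGNORECASE on a bytes pattern only
    folds ASCII letters, which is exactly what is wanted here).
    """
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    return re.compile(re.escape(raw), re.IGNORECASE)


def match_wannacry_1(data):
    """Emulate the rule's string section over a byte buffer.

    Returns {identifier: [(offset, "ascii" | "wide"), ...]} for every
    string that matched at least once; identifiers with no match are
    absent from the result.
    """
    hits = {}
    for ident, text in WANNACRY_1_STRINGS.items():
        for encoding in ("ascii", "wide"):
            pattern = yara_string_pattern(text, wide=(encoding == "wide"))
            for m in pattern.finditer(data):
                hits.setdefault(ident, []).append((m.start(), encoding))
    return hits


def rule_fires(data):
    """The rule's condition is 'any of them'."""
    return bool(match_wannacry_1(data))


# Constructed sample buffers (not bytes from a real sample): the ransom
# note text stored as UTF-16LE with different letter case, the icacls
# command in plain ASCII with different letter case, and a clean buffer.
SAMPLE_WIDE = (b"\x00" * 8
               + "Ooops, YOUR files have been encrypted!".encode("utf-16-le")
               + b"\x00" * 4)
SAMPLE_ASCII = b"cmd.exe /c ICACLS . /grant Everyone:F /T /C /Q\x00"
SAMPLE_CLEAN = b"MZ\x90\x00This program cannot be run in DOS mode."

if __name__ == "__main__":
    for label, buf in (("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII),
                       ("clean", SAMPLE_CLEAN)):
        print(label, rule_fires(buf), match_wannacry_1(buf))
```

The point to take from the emulation is that dropping `wide` would miss the ransom note as it sits in a GUI resource, and dropping `nocase` would miss a sample whose author changed letter case; the offsets reported are byte offsets into the buffer, as in YARA's own match output.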
The file extensions that the malware is targeting contain certain clusters of formats including:
  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Less common and nation-specific office formats (.sxw, .odt, .hwp).
  • Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers' sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).
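As an added example (my own code, not part of the original post), the Python below turns the two lists above into a triage helper for a file listing taken from a suspected host: it flags files that already carry the .WCRY suffix the page describes and reports which extension they had before it was appended, and it classifies untouched files by whether their extension is one WannaCry targets, naming the page's cluster where the extension appears in one. The extension sets are exactly those on the page; an extension that is only in the flat list is reported as "listed". The sample listing, the cluster keys and the function names are my own.

```python
from collections import Counter

# Clusters and their example extensions as given on the page.
CLUSTERS = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi"},
    "office_national": {".sxw", ".odt", ".hwp"},
    "archive_media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "database": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source_code": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys_certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "virtual_machine": {".vmx", ".vmdk", ".vdi"},
}

# The flat list of targeted extensions from the page.
TARGETED_EXTENSIONS = {
    ".lay6", ".sqlite3", ".sqlitedb", ".accdb", ".java", ".class", ".mpeg",
    ".djvu", ".tiff", ".backup", ".vmdk", ".sldm", ".sldx", ".potm", ".potx",
    ".ppam", ".ppsx", ".ppsm", ".pptm", ".xltm", ".xltx", ".xlsb", ".xlsm",
    ".dotx", ".dotm", ".docm", ".docb", ".jpeg", ".onetoc2", ".vsdx", ".pptx",
    ".xlsx", ".docx",
}

# The page states that WannaCry appends .WCRY to the file name.
WCRY_SUFFIX = ".wcry"


def cluster_of(ext):
    """Page cluster for an extension, 'listed' if only in the flat list, else None."""
    for name, exts in CLUSTERS.items():
        if ext in exts:
            return name
    return "listed" if ext in TARGETED_EXTENSIONS else None


def _split_name(path):
    """Return (stem, extension) of the last path component; accepts both
    Windows and POSIX separators so a Windows listing can be triaged anywhere."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    if dot <= 0:
        return name, ""
    return name[:dot], name[dot:].lower()


def classify_path(path):
    """Classify one file path as (status, extension, cluster).

    status    'encrypted' if the name ends in .WCRY, 'at_risk' if the
              extension is one WannaCry targets, 'other' otherwise
    extension the file's own extension; for an encrypted file, the
              extension it had before .WCRY was appended
    cluster   see cluster_of()
    """
    if path.lower().endswith(WCRY_SUFFIX):
        _, ext = _split_name(path[: -len(WCRY_SUFFIX)])
        return ("encrypted", ext, cluster_of(ext))
    _, ext = _split_name(path)
    cluster = cluster_of(ext)
    return ("at_risk" if cluster else "other", ext, cluster)


def triage(paths):
    """Summarise a listing: counts per status and the original extensions
    of the files found encrypted (useful for scoping what was lost)."""
    counts, encrypted_types = Counter(), Counter()
    for p in paths:
        status, ext, _ = classify_path(p)
        counts[status] += 1
        if status == "encrypted":
            encrypted_types[ext] += 1
    return {"counts": dict(counts), "encrypted_types": dict(encrypted_types)}


# Constructed listing for demonstration (not from a real host).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.WCRY",
    r"C:\Users\alice\Documents\thesis.docx.WCRY",
    r"C:\Users\alice\Pictures\holiday.jpeg",
    r"C:\Users\alice\src\app\Main.java",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\.ssh\id_rsa.pem.WCRY",
]

if __name__ == "__main__":
    for p in SAMPLE_LISTING:
        print(p, classify_path(p))
    print(triage(SAMPLE_LISTING))
```

Run against a directory walk or an EDR file inventory, the "encrypted_types" count tells an incident responder which categories of data (keys and certificates in particular) need revocation or restoration, independently of whether the sample itself is recovered.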
Indicators of compromise:
  • The ransomware writes itself into a folder with a random-character name under the 'ProgramData' folder with the file name "tasksche.exe", or into the 'C:\Windows\' folder with the file names "mssecsvc.exe" and "tasksche.exe".
  • The ransomware grants full access to all files by using the command: Icacls . /grant Everyone:F /T /C /Q
  • It uses a batch script for operations: 176641494574290.bat
Hashes (32-character MD5 digests) for the WANNACRY ransomware:
  • 5bef35496fcbdbe841c82f4d1ab8b7c2
  • 775a0631fb8229b2aa3d7621427085ad
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8
  • 8495400f199ac77853c53b5a3f278f3e
  • 84c82835a5d21bbcf75a61706d8ab549
  • 86721e64ffbd69aa6944b9672bcabb6d
  • 8dd63adb68ef053e044a5a2f46e0d2cd
  • b0ad5902366f860f85b892867e5b1e87
  • d6114ba5f10ad67a4131ab72531f02da
  • db349b97c37d22f5ea1d1841e3c89eb4
  • e372d07207b4da75b3434584cd9f3450
  • f529f4556a5126bba499c26d67892240
  • Use endpoint protection/antivirus solutions to detect these files and remove them.
Network connections: the malware uses Tor hidden services for command and control. The .onion domains found inside it are as follows:
  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion
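The file-system indicators, the hash list and the .onion list above are the kind of data a responder feeds into a sweep. As an added example (my own code, not part of the original post), the Python below packages them: it checks a path against the two drop locations the page names, checks an MD5 against the hash list, scans log lines for the listed .onion names, and combines the path and hash checks over a constructed file inventory. The indicator values are exactly those on the page; the inventory rows, log lines, and the pairing of a given hash with a given path are constructed for the example and carry no claim about which real file had which hash.

```python
import hashlib
import re

# MD5 hashes listed on the page.
KNOWN_MD5 = {
    "5bef35496fcbdbe841c82f4d1ab8b7c2", "775a0631fb8229b2aa3d7621427085ad",
    "7bf2b57f2a205768755c07f238fb32cc", "7f7ccaa16fb15eb1c7399d422f8363e8",
    "8495400f199ac77853c53b5a3f278f3e", "84c82835a5d21bbcf75a61706d8ab549",
    "86721e64ffbd69aa6944b9672bcabb6d", "8dd63adb68ef053e044a5a2f46e0d2cd",
    "b0ad5902366f860f85b892867e5b1e87", "d6114ba5f10ad67a4131ab72531f02da",
    "db349b97c37d22f5ea1d1841e3c89eb4", "e372d07207b4da75b3434584cd9f3450",
    "f529f4556a5126bba499c26d67892240",
}

# .onion names listed on the page; onion addresses are base32 and
# case-insensitive, so everything is compared in lowercase.
ONION_DOMAINS = {d.lower() for d in (
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "Xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion", "sqjolphimrr7jqw6.onion",
)}

# Drop locations the page names: a random-named folder under ProgramData
# holding tasksche.exe, or mssecsvc.exe / tasksche.exe directly in C:\Windows.
_PATH_PATTERNS = [
    re.compile(r"^[a-z]:\\programdata\\[^\\]+\\tasksche\.exe$", re.IGNORECASE),
    re.compile(r"^[a-z]:\\windows\\(?:mssecsvc|tasksche)\.exe$", re.IGNORECASE),
]

# 16-character v2 onion name, as the page's entries are.
_ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b", re.IGNORECASE)


def is_known_hash(md5_hex):
    """True if the given MD5 (any letter case) is in the page's list."""
    return md5_hex.strip().lower() in KNOWN_MD5


def is_known_sample(data):
    """Hash raw file bytes and look the digest up."""
    return is_known_hash(hashlib.md5(data).hexdigest())


def suspicious_path(path):
    """True if the path is one of the page's drop locations (either separator)."""
    return any(p.match(path.replace("/", "\\")) for p in _PATH_PATTERNS)


def find_onion_hits(lines):
    """Return (line_number, domain) for each log line mentioning a listed .onion."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in _ONION_RE.finditer(line):
            domain = m.group(0).lower()
            if domain in ONION_DOMAINS:
                hits.append((number, domain))
    return hits


def scan_inventory(rows):
    """rows: iterable of (path, md5). Returns [(path, [reasons])] for rows
    matching at least one indicator; a row with no match is omitted."""
    findings = []
    for path, md5_hex in rows:
        reasons = []
        if is_known_hash(md5_hex):
            reasons.append("known_hash")
        if suspicious_path(path):
            reasons.append("suspicious_path")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed inputs (not from a real incident).
SAMPLE_INVENTORY = [
    (r"C:\ProgramData\qzwxlkjd\tasksche.exe", "84C82835A5D21BBCF75A61706D8AB549"),
    (r"C:\Windows\mssecsvc.exe", "db349b97c37d22f5ea1d1841e3c89eb4"),
    (r"C:\Program Files\Vendor\tasksche.exe", "0123456789abcdef0123456789abcdef"),
    (r"C:\Users\bob\Downloads\setup.exe", "fedcba9876543210fedcba9876543210"),
]
SAMPLE_LOG = [
    "2017-05-13T03:12:44Z dns 10.0.0.5 query gx7ekbenv2riucmf.onion NXDOMAIN",
    "2017-05-13T03:12:45Z proxy 10.0.0.5 CONNECT www.example.com:443 200",
    "2017-05-13T03:13:01Z dns 10.0.0.7 query XXLVBRLOXVRIY2C5.ONION NXDOMAIN",
]

if __name__ == "__main__":
    print(scan_inventory(SAMPLE_INVENTORY))
    print(find_onion_hits(SAMPLE_LOG))
```

Two caveats when using this: a legitimately named tasksche.exe outside the two drop locations is not flagged on path alone, which is why the path and hash checks are combined; and .onion names are resolved inside the Tor network rather than through the local resolver, so they seldom appear in ordinary DNS logs, and the domain list earns its keep mainly against memory dumps, dropped configuration files and sandbox reports.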
Generic Prevention Tools: