u.wnry<\/em><\/li>\n<\/ul>\nWannaCrypt may also create the following files:<\/p>\n
\n- %SystemRoot%\\tasksche.exe<\/em><\/li>\n
- %SystemDrive%\\intel\\<random directory name>\\tasksche.exe<\/em><\/li>\n
- %ProgramData%\\<random directory name>\\tasksche.exe<\/em><\/li>\n<\/ul>\n
It may create a randomly named service that has the following associated ImagePath: “cmd.exe \/c “<malware working directory>\\tasksche.exe””<\/em>.<\/p>\nIt then searches the whole computer for any file with any of the following file name extensions: .123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der” , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.<\/em><\/p>\nWannaCrypt encrypts all files it finds and renames them by appending .WNCRY<\/em> to the file name. For example, if a file is named picture.jpg<\/em>, the ransomware encrypts and renames the file to picture.jpg.WNCRY<\/em>.<\/p>\nThis ransomware also creates the file @Please_Read_Me@.txt<\/em> in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).<\/p>\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following command:<\/p>\n
cmd.exe \/c vssadmin delete shadows \/all \/quiet & wmic shadowcopy delete & bcdedit \/set {default} bootstatuspolicy ignoreallfailures & bcdedit \/set {default} recoveryenabled no & wbadmin delete catalog -quiet<\/em><\/p>\nIt then replaces the desktop background image with the following message:<\/p>\n
It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:<\/p>\n
The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.<\/p>\n
The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.<\/p>\n
Spreading capability<\/h2>\n
The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel.<\/p>\n
The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.<\/p>\n
When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.<\/p>\n
Protection against the WannaCrypt attack<\/h2>\n
To get the latest protection from Microsoft, upgrade to Windows 10<\/a>. Keeping your computers up-to-date<\/a> gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.<\/p>\nWe recommend customers that have not yet installed the security update MS17-010<\/a> do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:<\/p>\n\n- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547<\/a> and as recommended previously<\/a><\/li>\n
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445<\/li>\n<\/ul>\n
Windows Defender Antivirus<\/a> detects this threat as Ransom:Win32\/WannaCrypt<\/a> as of the 1.243.297.0<\/em> update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.<\/p>\nFor enterprises, use Device Guard<\/a> to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.<\/p>\nUse Office 365 Advanced Threat Protection<\/a>, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.<\/p>\nMonitor networks with Windows Defender Advanced Threat Protection<\/a>, which alerts security operations teams about suspicious activities.<\/p>\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial<\/a><\/strong>.<\/p>\nResources<\/h2>\n
Download English language security updates: Windows Server 2003 SP2 x64<\/span><\/a>, Windows Server 2003 SP2 x86,<\/span><\/a> Windows XP SP2 x64<\/span><\/a>, Windows XP SP3 x86<\/span><\/a>, Windows XP Embedded SP3 x86<\/span><\/a>, Windows 8 x86,<\/span><\/a> Windows 8 x64<\/span><\/a><\/p>\nDownload localized language security updates: Windows Server 2003 SP2 x64<\/span><\/a>, Windows Server 2003 SP2 x86<\/span><\/a>, Windows XP SP2 x64<\/span><\/a>, Windows XP SP3 x86<\/span><\/a>, Windows XP Embedded SP3 x86<\/span><\/a>, Windows 8 x86<\/span><\/a>, Windows 8 x64<\/span><\/a><\/p>\nMS17-010 Security Update: https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx<\/a><\/p>\nCustomer guidance for WannaCrypt attacks: https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/<\/a><\/p>\nGeneral information on ransomware: https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/ransomware.aspx<\/a><\/p>\nNext-generation ransomware protection with Windows 10 Creators Update: https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/08\/windows-10-creators-update-hardens-security-with-next-gen-defense\/<\/a><\/p>\nIndicators of compromise<\/h2>\n
SHA1 of samples analyzed:<\/p>\n
\n- 51e4307093f8ca8854359c0ac882ddca427a813c<\/li>\n
- e889544aff85ffaf8b0d0da705105dee7c97fe26<\/li>\n<\/ul>\n
Files created:<\/p>\n
\n- %SystemRoot%\\mssecsvc.exe<\/li>\n
- %SystemRoot%\\tasksche.exe<\/li>\n
- %SystemRoot%\\qeriuwjhrf<\/li>\n
- b.wnry<\/li>\n
- c.wnry<\/li>\n
- f.wnry<\/li>\n
- r.wnry<\/li>\n
- s.wnry<\/li>\n
- t.wnry<\/li>\n
- u.wnry<\/li>\n
- taskdl.exe<\/li>\n
- taskse.exe<\/li>\n
- 00000000.eky<\/li>\n
- 00000000.res<\/li>\n
- 00000000.pky<\/li>\n
- @WanaDecryptor@.exe<\/li>\n
- @Please_Read_Me@.txt<\/li>\n
- m.vbs<\/li>\n
- @WanaDecryptor@.exe.lnk<\/li>\n
- @WanaDecryptor@.bmp<\/li>\n
- 274901494632976.bat<\/li>\n
- taskdl.exe<\/li>\n
- Taskse.exe<\/li>\n
- Files with “.wnry” extension<\/li>\n
- Files with “.WNCRY” extension<\/li>\n<\/ul>\n
Registry keys created:<\/p>\n