WannaCry Ransomware Utilizing NSA Exploits

Update 5/12/17 19:30 CST: ‘Accidental hero’ (kudos @MalwareTechBlog) finds a kill switch that stops the spread of the ransomware cyber-attack. Even though the domain has been sinkholed, halting the spread of infections, new variants of wormable ransomware campaigns are to be expected in the near future.

Update 5/13/17 10:30 CST: Microsoft releases emergency patches for previously unsupported systems (XP/8/2003). Download here.

[.] WannaCry😭

Early morning, Friday May 12th, ransomware by the name of Wcry/WanaCrypt0r/WannaCry/WanaCypt0r/Wanacryptor started spreading viciously through Europe. According to the Chief Security Expert at Kaspersky Lab there is a “worldwide ransomware outbreak.” WannaCry ransomware is using the EternalBlue exploit that was released most recently by the ShadowBrokers. EternalBlue is a remote code execution attack that takes advantage of the SMB v1 protocol. The vulnerability was patched by the release of MS17-010 on March 14th; however, every version of Windows is vulnerable until that patch is applied. WannaCry checks for an existing DOUBLEPULSAR backdoor and uses it to load its payload. Last month’s DOUBLEPULSAR scans should have been a warning sign for companies to patch their systems and check their firewalls. With such a critical vulnerability, a wormable payload was inevitable. Within two hours, more than 11 countries were infected, and by the time of writing this post it has spread through over 74 countries, demanding $300-$600 in Bitcoin.

[Figure: WannaCry infection map. Source: Malwaretech]

[Figure: WannaCry infection statistics. Source: Kaspersky Labs]

[.] WannaCry Bitcoin Addresses:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

[.] Confirmed Tor C&Cs (rain-1):

  • gx7ekbenv2riucmf[.]onion
  • 57g7spgrzlojinas[.]onion
  • xxlvbrloxvriy2c5[.]onion
  • 76jdd2ir2embyv47[.]onion
  • cwwnhwhlz52maqm7[.]onion

[.] Targeted File Types:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

[.] What to do to avoid getting infected?

  • Apply the MS17-010 patches ASAP!
  • Ensure all critical systems are fully backed up
  • Block inbound traffic on firewall ports 445, 137-139 and 3389
  • Disable SMB v1
  • Segment the network
  • Disable Microsoft Office macros

[.] Kill-Switch Domains – DO NOT Block!

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
  • lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea[.]com
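Two of the indicators above are easy to turn into detection logic: a DNS lookup for one of the kill-switch domains means the dropper executed on that host, and a host fanning out to TCP/445 across many peers in a short window is the worm hunting for SMB v1 targets. The following is an added example, not code from the original post; it runs over a constructed key=value log format (hypothetical, not any specific product's syntax) and flags hosts that match either behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domains listed in this post, de-fanged dots restored.
# A lookup for one of them from an internal host means the sample ran there.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com",
}

# Constructed log format (assumption): "<ISO timestamp> type=<dns|conn> src=<ip> key=value ..."
LINE_RE = re.compile(r"(?P<ts>\S+) type=(?P<type>\w+) src=(?P<src>\S+) (?P<rest>.*)")

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec.update(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec

def find_suspects(lines, window=timedelta(seconds=60), fanout=10):
    """Map src host -> sorted reasons for hosts that resolved a kill-switch domain
    or opened TCP/445 to at least `fanout` distinct peers within `window`."""
    reasons = defaultdict(set)
    conns = defaultdict(list)  # src -> [(ts, dst)] for connections to port 445
    for rec in filter(None, map(parse, lines)):
        query = rec.get("query", "").lower().rstrip(".")
        if rec["type"] == "dns" and query in KILL_SWITCH_DOMAINS:
            reasons[rec["src"]].add("kill-switch lookup")
        elif rec["type"] == "conn" and rec.get("dport") == "445":
            conns[rec["src"]].append((rec["ts"], rec["dst"]))
    for src, events in conns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over the host's 445 peers
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= fanout:
                reasons[src].add("smb fan-out")
                break
    return {src: sorted(r) for src, r in reasons.items()}

# Constructed sample: one infected host (10.0.0.5) and one normal file-share client (10.0.0.9).
SAMPLE_LOG = (
    ["2017-05-12T08:00:01 type=dns src=10.0.0.5 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
    + [f"2017-05-12T08:00:{2 + i:02d} type=conn src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 proto=tcp"
       for i in range(12)]
    + ["2017-05-12T08:00:30 type=conn src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp",
       "2017-05-12T08:00:31 type=dns src=10.0.0.9 query=example.com"]
)
```

A query for a kill-switch domain is a high-confidence sign the host is infected, even though the successful lookup is what stops the sample from encrypting, so alert on it rather than blocking it.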