WannaCrypt (also known as WanaCrypt0r 2.0, WanaCry or Wcry) is an encryption-based ransomware attack, that started spreading globally on May 12th.
The malware encrypts files on affected systems using AES and RSA encryption ciphers, meaning hackers can decrypt system files using a unique decryption key.
WannaCrypt changes the computer's wallpaper with messages, asking the victim to download the decryptor from Dropbox and demanding hundreds in bitcoin to get their files back.
Attack vector
WannaCrypt uses multiple attack vectors:
- The primary attack vector is distribution via e-mail. WannaCrypt uses social engineering or phishing techniques, relying on users to open and execute a malicious payload embedded within the e-mail. When opened by the user, the malware will install itself and start encrypting files immediately.
- WannaCrypt will then try to spread within the network or over the internet, using exploit code for vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an SMBv1 server, aka "Windows SMB Remote Code Execution Vulnerability". This vulnerability is only present in the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.
- All windows versions from Windows XP to Server 2016 are affected; all of these systems have SMBv1 enabled by default. Windows 10 is not affected. On May 13th, Microsoft released an emergency security patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.
How to protect against WannaCrypt and other ransomware?
- Keep your system Up-to-date: Shavlik Protect, Shavlik OEM (SDK) and Ivanti Patch for Windows Server, Update the XML to 2.0.2.2723 and deploy MS17-010 and ensure that the most recent bundles have been deployed. This was originally plugged in the March Patch Tuesday release so the following bulletins will resolve the vulnerability.
- Content release 06/13/2017:
Updated MS17-010(Q4012598): Added patches for Windows 8, Windows XP and Windows Server 2003, Windows Vista, Windows Server 2008
- If you are using Monthly Rollups - June 2017 Patch Tuesday
- MS17-06-MR7(Q4019264): Monthly Rollup for Windows 7 and 2008 R2: June 13, 2017
- MS17-06-MR8(Q4019216): Monthly Rollup for Server 2012: June 13, 2017
- MS17-06-MR81(Q4019215): Monthly Rollup for Windows 8.1 and 2012 R2: June 13, 2017
- MS17-06-2K8(Q4018466): Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: June 13, 2017
- If you are using Security Only Updates or Bundles - March 2017 Patch Tuesday
- Windows 7 and Server 2008 R2: SB17-002[MS17-010](Q4012212): March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Windows 8.1 and Server 2012 R2: SB17-003[MS17-010](Q4012213): March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
- Windows Server 2012: SB17-004[MS17-010](Q4012214): March 2017 Security Only Quality Update for Windows Server 2012
- Any of the Security Monthly Quality Rollup for the above Operating Systems from June 2017 and later will also remediate this as is shown below.
Video demonstrating how to patch and report on the Wannacrypt vulnerabitity in Ivanti Patch for Windows Servers (Shavlik Protect). This also works for the Petya vulnerability patches.
If you encounter an error for decrypting your credentials or with the Shavlik Protect Console service stopping after updating to the latest content data, the workaround is to install .Net Framework 4.6.2 on the Protect console server. For customer who cannot install .Net Framework 4.6.2, we are working on a fix that doesn't require this. No ETA on this.
- Beware of phishing: never open e-mail attachments from an untrusted sender or click on links within e-mails or documents without checking the source. Ivanti Anti-Virus can also scan incoming e-mail.
- Regularly backup user data: create copies of all user data at regular times to prevent data loss, should a ransomware attack occur.
- Enable Windows firewall: limit the spreading of ransomware within the corporate network by correctly configuring firewalls. Block access to SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and over UDP ports 137 and 138.
- Block legacy protocols such as SMB v1: See the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Note: Windows XP only supported SMB v1).
- Audit installed software and keep it up to date: malware often uses flaws in outdated software. Keep all installed software up to date, not only on end nodes but also in the data centre. Patch Manager will also detect vulnerabilities in many third-party software, other than the operating system.
- Ivanti free 90 day offer: When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down.To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs. Register for Ransomware Get Well Quick trial.
Indicators of compromise
WannaCrypt creates the following registry keys:
- HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"
It will display a ransom message on the desktop wallpaper, by changing the following registry key:
- HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"
Files created in the malware's working directory:
- %SystemRoot%\mssecsvc.exe
- %SystemRoot%\tasksche.exe
- %SystemRoot%\qeriuwjhrf
- b.wnry
- c.wnry
- f.wnry
- r.wnry
- s.wnry
- t.wnry
- u.wnry
- taskdl.exe
- taskse.exe
- 00000000.eky
- 00000000.res
- 00000000.pky
- @WanaDecryptor@.exe
- @Please_Read_Me@.txt
- m.vbs
- @WanaDecryptor@.exe.lnk
- @WanaDecryptor@.bmp
- 274901494632976.bat
- taskdl.exe
- Taskse.exe
- Files with “.wnry” extension
- Files with “.WNCRY” extension
What if I'm compromised?
Once ransomware has encrypted files, there is not much you can do. Sometimes, ransomware has been badly written and it has been possible - by reverse engineering their code - to find a way to decrypt the data.
This does not seem to apply to WannaCrypt and we are unaware of a way to recover encrypted data at this time.
One might ask if paying the ransom will really decrypt the files. Sometimes it will, but there is no guarantee.
When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.
More information: Webinars
Live Updates on the Ransomware Attack from Our CISO, Director of Security and Chief Technologist
May 15, 2017 - 9:00 PDT | 12:00 EDT | 17:00 BST | 18:00 CEST
Ivanti Webinar Series
Ransomware Update: New Threats, New Defenses
September 14, 2016
Stephen Brown, Director of Product Management, Ivanti
Passive Protection Against Ransomware
June 01, 2016
Eran Livne, Principal Product Manager, Ivanti
Statement regarding Ivanti's Own Environment
To date, Ivanti has not detected the WannaCrypt malware in our environment.
In advance of the threat, we took the following proactive steps to fortify our environment against these types of threats:
- We verified that our AV is installed, up to date, and active on client devices and servers, both internal and cloud / customer-facing.
- We verified that appropriate patches from Microsoft and third parties are installed and correctly configured in a timely manner.
- Where appropriate, we use Application Control for whitelisting, privilege management, and system monitoring.
- We constantly educate our employees on the risks of phishing, monitoring our incoming emails.
- We leverage third-party tools to actively monitor email for ransomware and other malicious URLs.
- We leverage third-party tools to monitor infestation and proliferation of malware in our internal and customer-facing IT environments.
Since this threat emerged, we have taken the following additional steps:
- We have educated our staff about this particular threat and reinforced the importance of not opening files or clicking on links from unknown sources.
- We have verified that our network infrastructure does not block access to the kill switch URL.
- We have audited our environment against all the above measures.
Ivanti free 90 day offer
When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down.To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs. Register for Ransomware Get Well Quick trial.
Bookmark this page, we will add updates as they become available. Our patch content teams are currently working to include the emergency security patches in our patch content.
