Source: SANS Institute
Identifier: 364924
Publication date: 2017-05-15 05:21:19 (viewed: 2017-05-15 05:21:19)
Title: WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th)
Text:
The ransomware was first noticed on Friday and spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow].
A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft].
At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445]. The increase was likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails that include the malware as an attachment seeding infected networks, but at this point no actual samples have been made public. It is possible that the worm entered a corporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself has no e-mail component.
The malware will first check if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
It will also check if a registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server has been set up by a security researcher. This significantly reduced the impact of WannaCry. A tool was released that will assist in setting the registry keys, which will also reduce the risk of infection. Over the weekend, reports indicated that new versions of the worm were spreading that used slightly different kill switches, but all current versions check a website and check for registry keys.
The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the user's public key. To decrypt the files, the user's private key needs to be decrypted, which requires the malware author's private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password WNcry@2ol7 is not used to encrypt files. It is only used by the malware to decrypt some of its components. [endgame]
Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.
In addition to encrypting files, the malware also installs a DOUBLEPULSAR back door. The backdoor could be used to compromise the system further. The malware will also install Tor to facilitate communication with the ransomware author.
New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys.
We expect to reduce the Infocon back to green on Monday.
What can you do to prevent infection?
Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later)
Apply Friday's patch to Windows XP or Windows Server 2003.
Verify correct patch application
Make sure the kill switch domain is reachable from your network without proxy. If not, set up an internal DNS sinkhole
Deploy the registry key inoculation [terstopper]
Disable SMBv1
Make sure systems are running up to date anti-malware
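The checks in the list above, and the kill switch behaviour described earlier (domain reachability and the inoculation registry key), as an added PowerShell example that is not part of the SANS diary. It assumes an elevated session on Windows 8 / Server 2012 or later (Resolve-DnsName, Test-NetConnection-era networking and the SMB cmdlets are not on older builds). The kill switch domain is the one from the diary; the KB identifiers and the inoculation registry path are placeholders to be filled in from MS17-010 and the tearstopper tool, since the diary does not list them. Function names are my own.

```powershell
# Added example, not SANS ISC code: verify the WannaCry prevention checklist on one host.
# Run elevated. Values marked PLACEHOLDER must be replaced from MS17-010 / tearstopper.

$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'   # from the diary
$Ms17010Kbs       = @('KB-PLACEHOLDER-FROM-MS17-010')                     # placeholder: per-OS KB ids
$InoculationKey   = 'HKLM:\SOFTWARE\TEARSTOPPER-KEY-PLACEHOLDER'            # placeholder: tearstopper key

function Test-KillSwitchReachable {
    # The diary says the domain must be reachable "without proxy", so the request
    # deliberately bypasses the system proxy. Any HTTP answer counts as reachable.
    param([string]$Domain)
    $resolved = Resolve-DnsName -Name $Domain -ErrorAction SilentlyContinue
    if (-not $resolved) {
        return [pscustomobject]@{ Resolves = $false; ResolvedTo = $null; Reachable = $false }
    }
    $addr = ($resolved | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    try {
        $req = [System.Net.WebRequest]::Create("http://$Domain/")
        $req.Proxy   = $null        # no proxy, matching the diary's advice
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $resp.Close()
        $ok = $true
    } catch [System.Net.WebException] {
        # A 4xx/5xx still proves a server answered (e.g. an internal sinkhole)
        $ok = ($null -ne $_.Exception.Response)
    } catch {
        $ok = $false
    }
    [pscustomobject]@{ Resolves = $true; ResolvedTo = $addr; Reachable = $ok }
}

function Test-Smb1State {
    # Both the installed optional feature (client builds) and the server-side
    # protocol switch matter; report both.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = if ($feature) { $feature.State } else { 'N/A' }
        ServerSmb1Enabled = $server.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    # Remediation for the "Disable SMBv1" item; server side, no reboot needed.
    # On Windows 8.1/10 the client feature can also be removed with:
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Test-Ms17010Installed {
    # Returns the first matching KB id, or $null when none of the ids is listed.
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $kb } }
    return $null
}

function Test-InoculationKey {
    # "Deploy the registry key inoculation": present means the worm refuses to run.
    param([string]$Path)
    Test-Path -Path $Path
}

$report = [ordered]@{
    KillSwitch = Test-KillSwitchReachable -Domain $KillSwitchDomain
    Smb1       = Test-Smb1State
    Ms17010Kb  = Test-Ms17010Installed -Kbs $Ms17010Kbs
    Inoculated = Test-InoculationKey -Path $InoculationKey
}
[pscustomobject]$report | Format-List
```

Two caveats when reading the report. Get-HotFix only lists updates that register as quick-fix entries, and a later monthly rollup can supersede the MS17-010 KB without that id ever appearing, so a $null result is a prompt to check your patch-management reporting rather than proof the host is unpatched. A kill switch check that resolves to an internal address and answers on port 80 is the expected result once a DNS sinkhole is in place; a domain that resolves but never answers is the case the diary warns about.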
Indicators of Compromise:
https://www.us-cert.gov/ncas/alerts/TA17-132A
PowerPoint fo