Sending shockwaves through the world, WannaCry has been spreading inside corporate networks over the last couple of days. WannaCry seems to be a variation of the EternalBlue exploit, which was stolen from the NSA. It exploits a vulnerability in version 1 of Microsoft’s SMB protocol (the protocol Windows uses for interprocess communication): by sending specially crafted packets that SMBv1 fails to handle, an attacker can execute arbitrary code on the target machine.
In classic ransomware fashion, WannaCry encrypts all files into .wncry files (which is how it got its name) and asks the victim to pay a ransom via Bitcoin.
Once the victim pays the ransom, they have to contact the attackers to confirm the payment and to request the decryption key. At this point we don’t know if the attackers are honouring payments, but based on the activity in the Bitcoin wallets, hundreds of victims have already paid the fee.
When the malware runs, it first tries to connect to some kill switch domains. If the connection succeeds, it exits without doing anything; it only encrypts files and continues to spread if the connection fails. One problem is that it isn’t proxy-aware, so on a corporate network that forces outbound connections through a proxy, the connection will always fail and the malware will always run 😨. One thing that can help stop this is to run an internal DNS sinkhole that resolves the kill switch domains to an internal web server, so the check succeeds even for hosts that cannot reach the internet directly. The danger now is that other variants of WannaCry are starting to appear with slight modifications to the kill switch, such as different domains or registry checks instead.
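A sinkhole also gives you a detection source: every internal host that resolves a kill switch domain has executed the sample, and a host that resolved it but never reached the sinkhole web server is one where the connection failed and encryption most likely went ahead. The following triage script is an added example, not code from the original post; it assumes a constructed resolver log format and placeholder domain names rather than the real kill switch names.

```python
"""Triage for a WannaCry-style kill-switch DNS sinkhole (added example).

Constructed inputs: the resolver logs "<timestamp> <client_ip> <qname>" per
query; the sinkhole web server logs in common log format (client IP first).
KILL_SWITCH_DOMAINS are placeholders, not the real names.
"""
import ipaddress

KILL_SWITCH_DOMAINS = {"killswitch-a.example", "killswitch-b.example"}  # placeholders
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample logs.
DNS_LOG = [
    "2017-05-15T09:00:01Z 10.1.2.3 killswitch-a.example.",
    "2017-05-15T09:00:05Z 10.1.2.4 KILLSWITCH-A.example",
    "2017-05-15T09:00:07Z 10.1.2.4 update.vendor.example",
    "2017-05-15T09:00:09Z 203.0.113.9 killswitch-b.example",
]
WEB_LOG = ['10.1.2.3 - - [15/May/2017:09:00:02 +0000] "GET / HTTP/1.1" 200 0']

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def killswitch_lookups(dns_lines):
    """Internal hosts that resolved a kill-switch name, i.e. executed the sample."""
    hosts = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in KILL_SWITCH_DOMAINS and is_internal(client):
            hosts.add(client)
    return hosts

def sinkhole_hits(web_lines):
    """Hosts whose HTTP request actually reached the sinkhole web server."""
    return {line.split()[0] for line in web_lines if line.strip()}

def triage(dns_lines, web_lines):
    """'kill_switch_fired': resolved the name and reached the server, so the
    malware should have exited.  'lookup_only': resolved it but never connected
    (e.g. a forced proxy), so assume it encrypted and isolate that host first."""
    reached = sinkhole_hits(web_lines)
    return {h: "kill_switch_fired" if h in reached else "lookup_only"
            for h in killswitch_lookups(dns_lines)}
```

Variants that change the domains only need the placeholder set updated; variants that switch to registry checks will not show up here at all.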
So remember: always patch your systems. If you can’t, turn off SMBv1 on vulnerable systems while you work on updating them.
UPDATE:
It has now been over a week since WannaCry started doing damage and things have gotten better.
The domain names the malware tries to connect to have been registered, so the kill switch check now succeeds for hosts with direct internet access, which has helped curb the spread; unfortunately they’re currently under sustained DDoS.
Some decryption tools have been released to help recover encrypted files. It turns out that the random seeds used to create the private key are left in memory, so it is possible to recover them. Of course, if your machine was rebooted or shut down, or the memory was reallocated or erased by a separate process, you’re out of luck, but nonetheless there should be some hope for many of the victims.