What do we know about the ransomware so far:
• The ransomware is spreading through phishing emails carrying a malicious attachment that infects the user's machine once it is opened.
• The ransomware consists of two components: a worm, which spreads, and a ransomware package, which encrypts files.
• After infecting a machine, it uses the "EternalBlue" exploit for the SMBv1 vulnerability fixed by "MS17-010", together with the DOUBLEPULSAR backdoor, to infect other machines on the same network and so reach many more computers and file-share servers. A host whose SMB port (TCP 445) is reachable from the Internet can be infected the same way without any email.
• Patching MS17-010 stops the worm component from spreading over SMB; it does not stop the ransomware component on a machine that is already infected or that receives the payload by another route (for example as an email attachment).
• Once a machine is infected, it encrypts the files on it and demands a ransom of $300 in Bitcoin (rising to $600 after three days) to recover them.
• Encrypted files carry the extension ".WNCRY".
• A Mirai botnet has been launching denial-of-service (DDoS) attacks against the sinkholed kill-switch domain to take it down. If the sinkhole becomes unreachable, the kill-switch check fails and infected machines that would otherwise have exited will run.
• The malware has a kill switch: it exits if the domain listed below can be reached. A new variant of WannaCry without the kill switch appeared on 14/5/2017.
• The malware drops the files of a Tor client and uses them to reach its command-and-control services on the Tor network.
• Affected systems: all Windows versions that have not received the MS17-010 fix (see the patching notes below for unsupported versions).
• Around 100 countries have reported infections; Germany, Russia, Spain, Switzerland, the United Kingdom and the USA are among the most affected.
• At least 16 hospitals in the United Kingdom have been forced to divert emergency patients because of the ransomware.
• At the time this report was published, around 230,000 computers had been infected worldwide.
How to safeguard your Infrastructure against this wide spreading attack:
• Do not open emails or attachments from unknown sources.
• Always back up your important data to an external device so you can recover it at any time. Verify that the backup actually restores, and keep the device disconnected when not backing up, because the ransomware also encrypts drives and shares it can reach.
• Make sure every host runs an endpoint security solution with the latest updates.
• Apply the MS17-010 patch from Microsoft, which closes the exploited vulnerability on your servers and PCs. We recommend that you also apply all other patches Microsoft has released to date.
• Scan sent and received e-mail to detect threats and malicious attachments.
• Microsoft released an emergency update for the unsupported Windows XP and Windows 8 (and Windows Server 2003) in the wake of Friday's WannaCry outbreak; apply it to any such legacy machine that cannot be retired.
• If any of your servers are exposed to the Internet, make sure the firewall blocks all inbound access to TCP ports 445 and 139.
• The malware uses TOR for command and control. The list of .onion domains inside is as following:
• Kill Switch domain:
Note for all network artifacts:
• We recommend that you MONITOR your SIEM, proxy logs, DNS logs and other logs to check whether any of your machines has communicated with the domains and IP addresses listed above.
• Apply the least privilege rules on your systems
• Use effective spam filters to stop phishing e-mails, and enable e-mail validation using technologies such as Sender Policy Framework (SPF), together with DKIM and DMARC where available, to detect e-mail spoofing.
• Prepare and Implement Incident Handling plan and disaster recovery plan.
• The links below contain all known hashes associated with the ransomware; we recommend that you check all your systems against those hashes:
• Disable SMBv1 on all systems; it is the protocol version the exploit targets, and SMBv2/v3 remain available for file sharing.
• Use network segmentation with proper network filtering and strict ACLs; restrict SMB (TCP 445 and 139) to the servers that genuinely need to expose it and block workstation-to-workstation SMB.
• Run regular penetration tests against your network and systems to find vulnerabilities before attackers do.
• Update security devices and software (IPS, IDS, firewalls) with the latest signatures.
• Scan systems for indicators of compromise using the published YARA rules.
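The three host-level controls above (apply MS17-010, disable SMBv1, block inbound 445/139) as one script, added here as an example; it is not part of the EG-CERT advisory. It assumes an elevated PowerShell on Windows 8/Server 2012 or later for the Smb* and NetFirewall* cmdlets, with registry and sc.exe fallbacks for Windows 7/Server 2008 R2; the firewall rule names and the $BlockInboundSmb switch are our own choices.

```powershell
# Added example, not part of the EG-CERT advisory. Checks for the MS17-010 fix, turns off
# SMBv1 on both the server and client side, and optionally blocks inbound SMB.
#Requires -RunAsAdministrator

# Set $false on an internal file server that must keep serving SMB to the LAN; there, add an
# allow-list with -RemoteAddress instead of a blanket block.
$BlockInboundSmb = $true

# KB numbers Microsoft shipped for MS17-010 (March 2017) plus the May 2017 out-of-band update
# for XP / Server 2003 / Windows 8 RTM. Later cumulative updates supersede them, so
# "not found" means "verify manually", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',                            # Vista, Server 2008; also XP, 2003, 8 RTM (May 2017)
    'KB4012212', 'KB4012215',               # Windows 7, Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1, Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($found) { return "MS17-010 present: $($found.HotFixID -join ', ')" }
    return 'No MS17-010 KB listed by Get-HotFix; confirm a superseding cumulative update is installed'
}

function Disable-Smb1 {
    # Server side: stop offering SMBv1. SMBv2/v3 file sharing keeps working.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2: the registry value Microsoft documents for the same effect.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0
    }
    # Remove the SMBv1 optional feature where it exists (Windows 8.1 / 10; takes effect after reboot).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    # Client side: drop the SMBv1 redirector so this host will not speak SMBv1 to others either.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # Blanket block of inbound TCP 445 and 139 for Internet-exposed or non-file-serving hosts.
    foreach ($port in 445, 139) {
        $name = "Block inbound SMB TCP $port (WannaCry)"   # rule name is our own choice
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

Test-Ms17010Installed
Disable-Smb1
if ($BlockInboundSmb) { Block-InboundSmb }
# Confirm the server no longer offers SMBv1 (Windows 8 / 2012 and later).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}
```

Run it once per host (or push it through your management tooling) and reboot where the optional feature was removed; the final line should show EnableSMB1Protocol set to False.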
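The two detection steps above (sweeping proxy and DNS logs for the listed network artifacts, and checking systems against the published hashes) as one script, added here as an example that is not part of the EG-CERT advisory. The indicator values are not included: fill $IocDomains and the hash file from the advisory. The 'killswitch.example' entry, the C:\IOC and C:\Logs paths and the three sample log lines are constructed placeholders for an offline dry run.

```powershell
# Added example, not part of the EG-CERT advisory. Sweeps text logs for indicator domains
# (proxy logs in plain form, Windows DNS server debug logs in (len)label form) and sweeps
# local paths for published SHA-256 hashes and files renamed to .WNCRY.

function Find-IocDomainHits {
    param([string[]]$Lines, [string[]]$Domains)
    foreach ($domain in $Domains) {
        $d = $domain.Trim().ToLower()
        # Plain form as seen in proxy logs, and the (len)label form written by the Windows
        # DNS server debug log, e.g. (10)killswitch(7)example(0).
        $plain    = [regex]::Escape($d)
        $labels   = ($d -split '\.' | ForEach-Object { "($($_.Length))$_" }) -join ''
        $dnsDebug = [regex]::Escape($labels)
        # Require a non-hostname character before the match so notexample.com does not hit.
        $pattern  = "(?i)(^|[^a-z0-9.-])($plain|$dnsDebug)"
        foreach ($m in ($Lines | Select-String -Pattern $pattern)) {
            [pscustomobject]@{ Indicator = $d; Line = $m.Line }
        }
    }
}

function Find-IocFileHits {
    param([string[]]$Roots, [string[]]$Sha256)
    $wanted = @{}
    foreach ($h in $Sha256) { $wanted[$h.Trim().ToUpper()] = $true }
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Extension -in '.wncry', '.wncryt') {
            # The renamed extension alone is evidence of encryption activity; no hash needed.
            [pscustomobject]@{ Reason = 'encrypted-file'; Path = $_.FullName; Sha256 = '' }
        } elseif ($_.Extension -in '.exe', '.dll' -and $wanted.Count -gt 0) {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $wanted.ContainsKey($hash)) {
                [pscustomobject]@{ Reason = 'hash-match'; Path = $_.FullName; Sha256 = $hash }
            }
        }
    }
}

# Indicator lists: populate from the advisory (kill-switch and .onion domains; one SHA-256 per line).
$IocDomains = @('killswitch.example')                                          # placeholder only
$IocSha256  = Get-Content 'C:\IOC\wannacry-sha256.txt' -ErrorAction SilentlyContinue   # assumed path

# Constructed sample lines (not real logs): one proxy hit, one DNS debug-log hit, one clean line.
$SampleLines = @(
    '2017-05-13 10:01:02 192.0.2.10 GET http://killswitch.example/ 200',
    '5/13/2017 10:01:03 AM 0A2C PACKET  UDP Rcv 192.0.2.11 Q [0001 D NOERROR] A (10)killswitch(7)example(0)',
    '2017-05-13 10:01:04 192.0.2.12 GET http://www.microsoft.com/ 200'
)
Find-IocDomainHits -Lines $SampleLines -Domains $IocDomains | Format-Table -AutoSize   # two hits expected

# Real run: feed exported proxy / DNS logs and the hash list instead of the sample.
# Find-IocDomainHits -Lines (Get-Content 'C:\Logs\proxy.log', 'C:\Logs\dns.log') -Domains $IocDomains
Find-IocFileHits -Roots 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp' -Sha256 $IocSha256 | Format-Table -AutoSize
```

Two caveats when reading the results: .onion names only show up in DNS logs if a host tried to resolve them through normal DNS (Tor resolves them internally), so the proxy sweep matters as much as the DNS one; and a hash match is only as good as the hash list, so treat an unmatched but unexpected .exe in a user profile or temp directory as worth a look too.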
In case of infection, please contact EG-CERT at the following e-mail: email@example.com