Report on WANNACRY Ransomware
5/15/2017

What we know about the ransomware so far:

The ransomware is spreading through phishing e-mails sent to users with a malicious attachment that infects the user's machine once opened.
The ransomware consists of two components: a worm and a ransomware package.
After infecting a user machine, it exploits the vulnerability known as "MS17-010", using the "EternalBlue" exploit and the DOUBLEPULSAR backdoor, to infect other machines on the same network and so spread to many more computers and file-share servers.
Patching the vulnerability does not prevent the ransomware component itself from working.
Once a machine is infected, it encrypts all the files on the computer and demands a ransom of $300-600 in Bitcoin to recover them.
Encrypted files are given the extension ".wncry".
A Mirai botnet is attempting a denial-of-service (DoS) attack to take down the sinkholed server.
The malware has a kill switch: it exits if this sinkholed domain is up. A new WannaCry variant without the kill switch appeared on 14/5/2017.
The malware drops Tor-related files and uses them to access the Tor network.
Affected systems: all Windows versions.
100 countries are infected; Germany, Russia, Spain, Switzerland, the United Kingdom and the USA are the most heavily infected.
At least 16 hospitals in the United Kingdom have been forced to divert emergency patients because of the ransomware.
At the time of publishing this report, around 230,000 computers had been infected worldwide.
How to safeguard your infrastructure against this widespread attack:

Do not open e-mails or files from unknown sources.
Always back up your important data to an external device so you can recover it at any time, and verify that the backup can actually be restored.
Make sure all your hosts run security solutions with the latest updates.
Apply the MS17-010 patch from Microsoft, which safeguards your servers and PCs from the exploited vulnerability. We recommend that you apply all the patches Microsoft has released to date.
Scan sent and received e-mail to detect threats and malicious files.
Microsoft has released an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday's WannaCry ransomware outbreak:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
If any of your servers are exposed to the internet, make sure inbound access to ports 445 and 139 is blocked on the firewall.
The malware uses Tor for command and control. The .onion addresses embedded in it are the following:
1. gx7ekbenv2riucmf.onion
2. 57g7spgrzlojinas.onion
3. xxlvbrloxvriy2c5.onion
4. 76jdd2ir2embyv47.onion
5. cwwnhwhlz52maqm7.onion
6. sqjolphimrr7jqw6.onion

Kill switch domains:
hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (sinkholed)
hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Note for all network artifacts:
We recommend that you MONITOR your SIEM for your proxy logs, DNS logs and all other logs to check whether any of your machines has communicated with the network artifacts listed above.
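As an added illustration of that monitoring step (this script is not part of the EG-CERT report), the Python below checks DNS and proxy log lines against the kill-switch domains and .onion addresses listed above and reports which client made the lookup. The "client=<ip>" log layout and the sample lines are assumed and constructed for the example.

```python
import re

# Network indicators from the advisory above, with the report's defanged
# "hxxp://" and "[.]" notation undone so they compare equal to real log fields.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",  # sinkholed
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",  # variant's domain
}
TOR_C2_ADDRESSES = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion", "sqjolphimrr7jqw6.onion",
}

# Candidate hostnames in a log line: lowercase labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]+")
# Assumed log layout (not from the report): "... client=<ip> ..." names the querying host.
CLIENT_RE = re.compile(r"client=(\S+)")


def classify(line):
    """Return (indicator_type, host) if the line references an advisory IoC, else None."""
    # A kill-switch lookup means the worm already ran on that client (it resolves the
    # domain before deciding whether to continue), so treat it as evidence of infection.
    for host in HOST_RE.findall(line.lower()):
        host = host.strip(".")
        host = host[4:] if host.startswith("www.") else host  # apex and www both match
        if host in KILL_SWITCH_DOMAINS:
            return "kill-switch", host
        if host in TOR_C2_ADDRESSES:
            return "tor-c2", host
    return None


def scan(lines):
    """Scan DNS/proxy log lines and return one record per line that matches an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = classify(line)
        if match is None:
            continue
        client = CLIENT_RE.search(line)
        hits.append({"line": number, "client": client.group(1) if client else "unknown",
                     "type": match[0], "indicator": match[1]})
    return hits


# Constructed sample lines in the assumed layout; they are not logs from the report.
SAMPLE_LOGS = [
    "2017-05-15T09:12:01Z dns client=10.0.4.22 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A",
    "2017-05-15T09:12:03Z proxy client=10.0.4.22 GET http://gx7ekbenv2riucmf.onion/ status=502",
    "2017-05-15T09:13:10Z dns client=10.0.4.31 query=www.microsoft.com type=A",
    "2017-05-15T09:14:00Z dns client=10.0.7.5 query=ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A",
]
```

Running scan(SAMPLE_LOGS) flags lines 1, 2 and 4; the two kill-switch lookups identify clients 10.0.4.22 and 10.0.7.5 as hosts on which the worm has executed.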
Apply least-privilege rules on your systems.
Use effective spam filters to prevent phishing e-mails, and enable e-mail validation using technologies such as Sender Policy Framework (SPF) to detect e-mail spoofing.
Prepare and implement an incident handling plan and a disaster recovery plan.
The link below contains all known hashes associated with the ransomware; we recommend that you check all your systems against these hashes:
https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a
Users can also disable SMBv1 to protect their systems from this exploit.
Use network segmentation with proper network filtering, implement strict ACLs, and do not connect to any internal resource exposed via SMB.
Run regular penetration tests against your network and systems to detect vulnerabilities before attackers do.
Update security devices and software (IPS, IDS, firewalls).
Scan systems for indicators of compromise using YARA rules.

In case of infection, please contact EG-CERT at the following e-mail: incident@egcert.eg