WCry 2.0 (WannaCry, WanaCrypt0r) Ransomware Update

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 (also called WannaCry, WanaCrypt0r, and WannaCrypt) began to infect organizations across the world. Within several hours, over 75,000 victims were reported in 90+ countries, including hospitals in the UK, telcos in Spain and the Russian ministry, to name a few.

Initial analysis of the ransomware appears to show it spreading via MS17-010, a critical SMB vulnerability in the Microsoft Windows operating system that was recently disclosed as a part of the Shadow Brokers dump of NSA hacking tools. It is believed though, that the ransomware is first delivered via emails with a zip attachment.

As WatchGuard’s CTO, Corey Nachreiner details in this Daily Security Byte, implementing a layered approach to security is vital to stopping threats like this.

• WatchGuard’s Gateway AntiVirus (GAV) does catch many variants of this new ransomware.
• More importantly, our APT Blocker’s behavioral detection can catch all seen strains of WCry. APT Blocker’s sandbox-based detection will continue to detect and block future variants.
• Finally, our Intrusion Prevention Service (IPS) can catch the NSA leaked vulnerability — the MS17-010 vulnerability (signatures: 1133635, 1133636, 1133637, 1133638) — that this ransomworm uses to spread internally.

IT administrators should install the latest Windows security updates to resolve the MS127-010 vulnerability. Additionally, WatchGuard customers should enable Gateway AntiVirus, APT Blocker, and IPS to stop the ransomware at their network perimeter.

Tips for ransomware targets/victims:

• Patch as quickly as possible, so that you’re always up to date with the latest software.
• Recognize that leveraging outdated systems and software that are no longer supported by the manufacturer poses a serious security threat since you can’t fix vulnerabilities. Some organizations are unable to replace or update legacy systems, but if you can’t get rid of it, realize you’ll have to do more to protect it. Also, despite being end-of-life, patches are available for Windows XP and Server 2003.

If you’ve fallen victim to WCry 2.0:

• First, remove infected computers from your network as quickly as possible. This attack seems to leverage a Windows networking vulnerability to spread to many computers in a network. It is unclear if that capability is built directly into the ransomware itself, or if its built into an accompanying spreader file. In any case, you want to separate compromised computers from the rest of your network to avoid further infection.
• Second, keep your encrypted files for a few weeks. If you don’t have backups, there is still a very small chance you can get your files back. A lot of modern ransomware uses solid encryption ciphers that the industry can’t break. However, there are still plenty of malware authors that mess up. At least one researcher has tweeted that Wcry 2.0 might have done its encryption in a way that researchers might be able to crack. Don’t bank on this, but keep your encrypted files around just in case a researcher does figure out a way to recover them.

Additional WatchGuard Info:

• https://www.secplicity.org/2017/05/14/wcry-2-0-potential-ransomworm-daily-security-byte/
• http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000Ks7SAE&lang=en_US
• Total Security Suite: https://www.watchguard.com/wgrd-resource-center/how-to-buy
• Daily Security Byte, WCry 2.0: Potential Ransomworm: https://www.youtube.com/watch?v=-q5msulQDrg

For more information, see:

• https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/
• https://blog.malwarebytes.com/cybercrime/2017/05/wanacrypt0r-ransomware-hits-it-big-just-before-the-weekend/
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
• https://docs.microsoft.com/en-us/msrc/customer-guidance-for-wannacrypt-attacks