Massive Ransomware Campaign / Wannacry


Yesterday, 12 May 2017, a massive Ransomware / Wannacry campaign was identified worldwide.

The malware has been distributed mainly in Europe and Asia.

Initial data showed that the malware had spread to 74 countries, but within a few hours some antivirus vendors had identified the threat in at least 99 countries.

Wannacry belongs to the ransomware macro-family: threats that encrypt the data of individual users and organizations and demand a ransom in BTC (bitcoin) to decrypt it.

The malware is able to encrypt the following file types:

  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Less common and nation-specific office formats (.sxw, .odt, .hwp).
  • Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).

Wannacry has been developed to target users of the following languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

The attack vector most probably used by the attackers to distribute the malware is e-mail.

The threat is critical because the malware exploits an SMB v1 vulnerability to spread across the internal network, using the exploit published by the "Shadow Brokers" in the leak of the NSA toolkit: the exploit is named "EternalBlue".

Microsoft patched the vulnerability on Windows systems in March 2017 with security bulletin MS17-010.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

You can defend your internal infrastructure with the following countermeasures:

  • (Recommended) Install the patch released in the March Microsoft security bulletin MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  • (Alternative) Disable the SMB v1 protocol: SMB version 1 is old and insecure. If possible, disable it.
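The following script, added here as an example and not part of the original advisory, checks a Windows host for the two countermeasures above (MS17-010 hotfix installed, SMB v1 disabled) and turns SMB v1 off. It assumes an elevated PowerShell prompt; the KB numbers in $KbIds are a placeholder to be replaced with the ones listed for your OS version in the MS17-010 bulletin linked above.

```powershell
# Added example (not the advisory's own code): audit MS17-010 / SMB v1 state and disable SMB v1.
# Run as Administrator. $KbIds is a PLACEHOLDER: take the KB numbers from the MS17-010 bulletin.

function Test-Ms17010Installed {
    param([string[]]$KbIds = @('KB0000000'))   # placeholder, replace from the bulletin
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    return [bool]$found
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB1 flag through the SmbShare module
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: Microsoft's documented LanmanServer registry value
    # (a missing value means SMB1 is enabled)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $val) -or ($val.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry setting for older systems; takes effect after a reboot
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    # Windows 8.1 / 10: also remove the SMB1 optional feature (client and server side)
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

# Report the current state, then remediate SMB v1 if it is still on
Write-Output ("MS17-010 hotfix installed: {0}" -f (Test-Ms17010Installed))
Write-Output ("SMB v1 enabled: {0}" -f (Get-Smb1Enabled))
if (Get-Smb1Enabled) {
    Disable-Smb1
    Write-Output "SMB v1 disabled (a reboot may be required for the registry change)"
}
```

Disabling SMB v1 breaks communication with legacy clients and devices that only speak SMB v1, so run the audit part first and check the report before applying Disable-Smb1 fleet-wide.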

The main antivirus vendors, for example:

  • Symantec
  • Kaspersky
  • McAfee
  • Sophos
  • Trend Micro

have been able to identify and block the threat since yesterday. The recommendation is to verify that the antivirus signatures are up to date on both clients and servers.

The next-generation antivirus SentinelOne, thanks to its dynamic threat analysis engine, is already able to protect endpoints without a signature update.

https://sentinelone.com/blogs/wanacrypt0r-wreaks-havoc-worldwide/

Indicators of compromise (IoCs) for Ransomware / Wannacry: domains and MD5, SHA1 and SHA256 file hashes.


As a network and security company, Sorint.SEC offers information security services that provide advanced protection for diverse and complex infrastructures.

In particular, Sorint.SEC offers Managed Next Generation Endpoint Protection services to increase company protection against advanced threats targeting endpoints.

More information about the managed protection offered by Sorint.SEC is available at the following links:

https://sec.sorint.it/en/managedendpointprotection

https://sec.sorint.it/en/soc