
Yesterday, 12 May 2017, a massive Ransomware / Wannacry campaign was identified worldwide.
The malware was distributed mainly in Europe and Asia.
Initial data indicated that the malware had been distributed in 74 countries, but within a few hours some antivirus vendors had identified the threat in at least 99 countries.
Wannacry belongs to the ransomware macro-family: threats that encrypt the data of their victims, both users and organizations, and demand a ransom in BTC (bitcoin) to decrypt it.
The malware is able to encrypt the following file types:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Wannacry has been developed to infect users who use these languages:
Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese
The attack vector used by the attackers to distribute the malware is probably e-mail.
The threat is critical because the malware exploits an SMB v1 vulnerability to spread over the internal network, using an exploit published by the “ShadowBrokers” as part of the leaked NSA toolkit: the exploit is named “EternalBlue”.
Microsoft patched the vulnerability on Windows systems in March 2017 with security bulletin MS17-010.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
You can defend your internal infrastructure with these countermeasures:
- (Recommended)
Install the patch released in the Microsoft security bulletin of March 2017, MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- (Alternative)
Disable the SMB v1 protocol: SMB version 1 is old and not secure. If possible, disable it.
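The two countermeasures above are normally verified before they are applied across a fleet. The following PowerShell script is an added example (it is not part of the Sorint.SEC advisory): it reports whether the MS17-010 update is visible on the host and whether SMB v1 is still enabled, and contains a function to disable SMB v1. The KB numbers are recalled from the bulletin rather than taken from this advisory, so check them against the linked MS17-010 page; the `Disable-Smb1Server` function name is the example's own.

```powershell
# Added example (not from the Sorint.SEC advisory): report whether this host has the
# MS17-010 update installed and whether SMB v1 is still enabled, then optionally disable SMB v1.
# Run from an elevated PowerShell prompt. Windows 7 / 2008 R2 use the registry method;
# Windows 8 / Server 2012 and later use the Set-SmbServerConfiguration cmdlet.

# KB numbers for MS17-010 by platform. These are recalled from the bulletin, not taken
# from the advisory text: verify them against the MS17-010 page before relying on them.
# On Windows 10 / Server 2016 the fix ships inside cumulative updates, so a later cumulative
# update supersedes these IDs and Get-HotFix may not list them even though the host is patched.
$Ms17010Kbs = @(
    'KB4012598',                          # Windows Vista / Server 2008 (and later XP / 2003 update)
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',             # Windows Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # Returns the matching hotfix IDs, or an empty array if none is visible.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-Smb1State {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); fall back to the
    # LanmanServer registry value that older versions honour (missing value = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $true }
    return ($value.SMB1 -ne 0)
}

function Disable-Smb1Server {
    # Turns off the SMB v1 server side. The registry method needs a reboot to take effect.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Registry value set; a reboot is required for it to take effect.'
    }
    # On Windows 8.1 / 10 the SMB1 component can also be removed as an optional feature.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

# Report first, so the output can be collected from a fleet before changing anything.
$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1State
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    Ms17010HotFix = if ($patched.Count) { $patched -join ',' } else { 'not found (check cumulative updates)' }
    Smb1Enabled   = $smb1On
} | Format-List

# Uncomment to apply the alternative countermeasure from the advisory on this host:
# if ($smb1On) { Disable-Smb1Server }
```

The report is separated from the change on purpose: run the reporting part through your management tooling first, then disable SMB v1 only where the inventory shows it is still on and nothing legacy depends on it. An empty hotfix result on Windows 10 is a prompt to check the installed cumulative update level, not proof that the host is vulnerable.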
The main antivirus vendors, for example:
- Symantec
- Kaspersky
- McAfee
- Sophos
- Trend Micro
have been able to detect, identify and block the threat since yesterday. The recommendation is to verify that antivirus signatures are up to date on clients and servers.
The next-generation antivirus SentinelOne, thanks to its dynamic threat analysis engine, is already able to protect endpoints without a signature update.
https://sentinelone.com/blogs/wanacrypt0r-wreaks-havoc-worldwide/
The Ransomware / Wannacry IoCs are listed below:
IOC Type | Value |
--- | --- |
Domain | 57g7spgrzlojinas.onion |
Domain | 76jdd2ir2embyv47.onion |
Domain | cwwnhwhlz52maqm7.onion |
Domain | gx7ekbenv2riucmf.onion |
Domain | sqjolphimrr7jqw6.onion |
Domain | xxlvbrloxvriy2c5.onion |
FileHash-MD5 | 05a00c320754934782ec5dec1d5c0476 |
FileHash-MD5 | 26b205ffe4adaadbb442442cae653bdd |
FileHash-MD5 | 29365f675b69ffa0ec17ad00649ce026 |
FileHash-MD5 | 46d140a0eb13582852b5f778bb20cf0e |
FileHash-MD5 | 4fef5e34143e646dbf9907c4374276f5 |
FileHash-MD5 | 509c41ec97bb81b0567b059aa2f50fe8 |
FileHash-MD5 | 5ad5075d8d66cd7c05899d8044fdab65 |
FileHash-MD5 | 5bef35496fcbdbe841c82f4d1ab8b7c2 |
FileHash-MD5 | 775a0631fb8229b2aa3d7621427085ad |
FileHash-MD5 | 7bf2b57f2a205768755c07f238fb32cc |
FileHash-MD5 | 7f7ccaa16fb15eb1c7399d422f8363e8 |
FileHash-MD5 | 835fff032c51075c0c27946f6ebd64a3 |
FileHash-MD5 | 83e5a812a371e0790066c6fb038f0d26 |
FileHash-MD5 | 8495400f199ac77853c53b5a3f278f3e |
FileHash-MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
FileHash-MD5 | 86721e64ffbd69aa6944b9672bcabb6d |
FileHash-MD5 | 8dd63adb68ef053e044a5a2f46e0d2cd |
FileHash-MD5 | b0ad5902366f860f85b892867e5b1e87 |
FileHash-MD5 | d6114ba5f10ad67a4131ab72531f02da |
FileHash-MD5 | db349b97c37d22f5ea1d1841e3c89eb4 |
FileHash-MD5 | e372d07207b4da75b3434584cd9f3450 |
FileHash-MD5 | f107a717f76f4f910ae9cb4dc5290594 |
FileHash-MD5 | f529f4556a5126bba499c26d67892240 |
FileHash-MD5 | f9992dfb56a9c6c20eb727e6a26b0172 |
FileHash-MD5 | f9cee5e75b7f1298aece9145ea80a1d2 |
FileHash-SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
FileHash-SHA1 | 51e4307093f8ca8854359c0ac882ddca427a813c |
FileHash-SHA1 | 87420a2791d18dad3f18be436045280a4cc16fc4 |
FileHash-SHA1 | bd44d0ab543bf814d93b719c24e90d8dd7111234 |
FileHash-SHA1 | e889544aff85ffaf8b0d0da705105dee7c97fe26 |
FileHash-SHA256 | 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa |
FileHash-SHA256 | 149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff |
FileHash-SHA256 | 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c |
FileHash-SHA256 | 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd |
FileHash-SHA256 | 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d |
FileHash-SHA256 | 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 |
FileHash-SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
FileHash-SHA256 | 593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af |
FileHash-SHA256 | 6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7 |
FileHash-SHA256 | 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545 |
FileHash-SHA256 | a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b |
FileHash-SHA256 | b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7 |
FileHash-SHA256 | b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c |
FileHash-SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
FileHash-SHA256 | c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9 |
FileHash-SHA256 | c73633e55a1d66af88a3dc2d46e7d47e0a47ce0bab0930a70b97b003adafc9af |
FileHash-SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
FileHash-SHA256 | f5cbff5c100866dd744dcbb68ee65e711f86c257dfcc41790a8f63759220881e |
FileHash-SHA256 | f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 |
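The file-hash IoCs above are most useful when swept across endpoints. The following PowerShell script is an added example, not code from the Sorint.SEC advisory: it parses rows in the same “Type | Value |” layout as the table (a subset of the advisory's hashes is embedded; paste in the remaining rows to use the full list), skips blank values such as the empty Domain row, and reports any file under the chosen roots whose MD5, SHA1 or SHA256 digest matches. The function names and the scanned directories are the example's own choices.

```powershell
# Added example (not from the Sorint.SEC advisory): sweep directory trees for files whose
# MD5 / SHA1 / SHA256 digest matches the hash IoCs published in the advisory.
# Only a subset of the advisory's hash rows is embedded here, in the table's own layout.
$IocTable = @'
FileHash-MD5 | 05a00c320754934782ec5dec1d5c0476 |
FileHash-MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
FileHash-SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
FileHash-SHA1 | e889544aff85ffaf8b0d0da705105dee7c97fe26 |
FileHash-SHA256 | 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa |
FileHash-SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
Domain | 57g7spgrzlojinas.onion |
Domain | |
'@

function ConvertFrom-IocTable {
    param([string]$Text)
    # Returns a hashtable: IoC type -> HashSet of lower-case values. Blank values (such as
    # the empty Domain row in the advisory) are skipped rather than matched against everything.
    $iocs = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $parts = $line -split '\|' | ForEach-Object { $_.Trim() }
        if ($parts.Count -lt 2 -or [string]::IsNullOrEmpty($parts[1])) { continue }
        $type = $parts[0]
        if (-not $iocs.ContainsKey($type)) {
            $iocs[$type] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$iocs[$type].Add($parts[1].ToLowerInvariant())
    }
    return $iocs
}

function Find-IocFileMatches {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][hashtable]$Iocs
    )
    # Maps the advisory's IoC type names onto Get-FileHash algorithm names.
    $algorithms = @{ 'FileHash-MD5' = 'MD5'; 'FileHash-SHA1' = 'SHA1'; 'FileHash-SHA256' = 'SHA256' }
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($type in $algorithms.Keys) {
            if (-not $Iocs.ContainsKey($type)) { continue }
            # Locked or unreadable files yield $null and are simply skipped.
            $digest = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algorithms[$type] `
                -ErrorAction SilentlyContinue).Hash
            if ($digest -and $Iocs[$type].Contains($digest.ToLowerInvariant())) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Algorithm = $algorithms[$type]
                    Digest    = $digest.ToLowerInvariant()
                    SizeBytes = $file.Length
                    Modified  = $file.LastWriteTime
                }
            }
        }
    }
}

$iocs = ConvertFrom-IocTable -Text $IocTable
# Scan locations where mailed or dropped payloads usually land; widen the roots as needed.
$roots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:ProgramData")
$hits  = foreach ($root in $roots) { Find-IocFileMatches -Root $root -Iocs $iocs }
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Output 'No hash IoC matches found.' }
```

Hash IoCs only catch the exact samples listed, so a clean sweep rules out those files, not the campaign; pair it with the signature checks and the SMB v1 audit described above. The .onion entries in the table are not resolved through ordinary DNS, so they belong in proxy and Tor-egress monitoring rather than in a DNS blocklist.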
As a Network & Security company, Sorint.SEC offers information security services that provide advanced protection for diverse and complex infrastructures.
In particular, Sorint.SEC offers Managed Next Generation EndPoint Protection services to increase company protection against advanced threats aimed at endpoints.
More information about the managed protection offered by Sorint.SEC is available at the following links: