WannaCry ransomware outbreak

On Friday 13 May 2017, news broke in the mainstream media about a major outbreak of WannaCryptor ransomware affecting multiple countries around the world. F-Secure has been closely monitoring the situation and ensuring that thier products can handle the threat accordingly. This communiqué contains more information about WannaCryptor, how it affects users and steps that administrators can take to improve the security of machines under their care.

The WannaCry threat was reported affecting national hospitals, telecommunications companies, public transportation facilities and other public services and was variously known as WannaCryptor, WannaCry, WannaCrypt and WCry.

About 300 000 computers were affected worldwide by the attack with demands for $300 ransom money to be paid within 48 hours, after which the price doubled to $600 and failing paying this the encryption key would be deleted. Approximately US$80 000 was paid as ransom in Bitcoin to the attackers by Friday 19 May, the deadline given by the attackers for payments to be made before the encryption keys were purportedly deleted. Statistics from F-Secure Labs’ telemetry data indicate that only a small handful of the F-Secure product users globally have reported encounters with this threat, which were successfully identified and blocked. The impact of having even one machine infected with WannaCryptor can be significant for an affected organization.

About WannaCryptor
WannaCryptor is ransomware – a malicious program that’s used to extort money from an affected user or organization. WannaCryptor does this by encrypting all files on a vulnerable machine so that the user is unable to access them and then demanding payment for a decryption key to restore the files to normal. As with all such ransomware (also known as crypto-ransomware), decryption of affected files without the necessary decryption key is extremely difficult, making removal or remediation a significant challenge. As such, we recommend that all precautionary measures are taken to prevent the initial infection (see page 4, Actions). If an infection occurs, we recommend restoring all affected files from clean backups rather than paying the ransom demanded.

Infection vector
The binary file for the WannaCryptor ransomware is distributed to vulnerable Windows endpoints by a dropper that exploits the CVE-2017-0145 vulnerability in Microsoft’s SMB file-sharing services. This dropper is able to scan for vulnerable Internet-connected Windows machines that can be exploited. It is also able to scan the local area network (LAN) associated with any infected machines for other vulnerable systems, potentially magnifying its impact on an organization.

The exploit code used to leverage the CVE-2017-0145 vulnerability is notable for being publicly exposed in a leak of data allegedly stolen from the American National Security Agency (NSA) and posted online by hacking group The Shadow Brokers. A patch for the CVE-2017-0145 vulnerability has already been released in the March 2017 MS017-010 Security Bulletin published by Microsoft for all supported versions of Windows. All unpatched systems remain vulnerable and therefore can be attacked. As of the time of writing, machines using Windows 10 updated with all patches are not susceptible to this attack.

Infection
Once the WannaCryptor ransomware binary file has been dropped onto a vulnerable machine, it looks for and encrypts files so that users cannot access or use them in any way. The encryption is performed using the AES 128-bit encryption algorithms, which are extremely difficult to break. WannaCryptor looks for 179 different file types to encrypt, including .jpg, .xls, .doc, .dot, .gif, .jar, .mdb, .ppt, .rar and .zip files.

Detections
As of the time of writing, F-Secure detects all known variants of the WannaCryptor ransomware with a combination of generic detections and family-specific detections. Some of the detections were added prior to the outbreak and later renamed to reflect WannaCryptor’s latest development.

Consequences
Once all files on the machine are encrypted, a ransom demand is displayed. Screenshots and video of the ransowmare in action are available on F-Secure’s public blogpost. The ransom demanded is payable in the Bitcoin digital cryptocurrency. Depending on the data contained in the affected files, the number of machines affected in an organization’s network, and the ease of restoring the files from clean backups, the impact of a WannaCryptor infection can range from mild to severe.