How to protect computers from WannaCry ransomware: our advice

If you have already heard about the latest crypto-ransomware, WannaCry (also known as WannaCrypt, WanaCrypt0r, WCrypt or Wcry), this article consolidates the information collected so far. Otherwise, treat it as an essential recommendation for every user, administrator, IT specialist and IT director; in a word, for everyone responsible for the safety of the working environment in the office and at home.

Here are our tips on how to secure your computers at home and in the company.

WannaCry

Message about encrypted files in Polish.

The initial infection vector is not fully known. Some sources report a "traditional" social engineering attack using an infected attachment. However, this is not the most important information. For those responsible for the integrity, confidentiality and security of data, the important issue is how WannaCry spreads:

  • The ransomware uses an exploit called EternalBlue, which leaked online, against a vulnerability in the SMBv1 protocol.
  • After infecting a host, WannaCry scans the LAN for further "victim computers", copies itself to them and starts encryption.
  • When run in a virtual machine, it detects VirtualBox and QEMU virtualisation.
  • It adds a window with the ransom information to autostart.
  • Reads the operating system location information from the system registry and customizes the messages to the languages:
m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese
  • Each infected computer generates a unique RSA-2048 key pair; the public and private keys are saved locally. Every file with one of the extensions listed below is encrypted with the AES-128-ECB cipher.
  • The following files are encrypted:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
  • C&C servers detected for this threat:
gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
  • Ransoms are sent to 3 different BTC wallets, to which over 150 payments have already been made:
blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • The first variants of WannaCry ransomware try to connect to the domain:
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

The domain was not registered during the first hours of the malware's activity. It was registered by an independent researcher who discovered this dependency, and it worked: once the domain embedded in the ransomware as a "kill switch" was registered, infection attempts stopped immediately. Unfortunately, this held only for the first version of WannaCry. Subsequent, improved clones are already being detected by independent researchers and security vendors, but worst of all, they no longer have this dependency. For end users this means that, for now, they have to take care of their own safety.

It turns out that some security solutions block the above domain, effectively cutting off the malware's connection to the "remote switch". As a result, even the basic version of WannaCry does not stop encrypting files on such hosts.

How to protect yourself?

In its first version, WannaCry ransomware spreads to other computers on the local network through file transfer over the vulnerable SMB protocol.

  • All versions of Windows are vulnerable to this attack if they do not have the updates published in the MS-17-010 bulletin.
  • Bulletin MS-17-010 was published in March 2017 and includes updates for Windows 10, Windows 8.1, Windows 7, Windows Vista, Windows Server 2016, Windows Server 2012, Windows Server 2008 and the Embedded editions. The updates are available through Windows Update.
  • The scale of WannaCry's spread was so great that Microsoft also released the update for the no longer supported Windows 8, Windows XP and Windows Server 2003 and their Embedded equivalents. The patch can be downloaded and installed from this page.
Visualisation of the threat at the time of writing this article.

At the moment, connecting to Wi-Fi networks without proper protection is not the best idea. To protect yourself against WannaCry, we recommend disabling the SMBv1 protocol in the Control Panel by unticking the option "SMB 1.0/CIFS File Sharing Support" in the "Turn Windows features on or off" section.

Practice shows that operating system and software updates, as well as file backups, are extremely important for security.

More than one and a half million devices worldwide, and several thousand in Poland, are expected to be infected. It is not worth merely watching what the criminals are doing. If you do not yet know which antivirus software is the most effective in the fight against ransomware, read our big test, in which we checked exactly that.
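The three protective steps above (install the MS-17-010 update, disable SMBv1, and be careful on untrusted networks) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not a tool from AVLab or Microsoft; it assumes Windows 8.1 / Server 2012 R2 or newer, where the Smb*, *-WindowsOptionalFeature and NetSecurity cmdlets exist (on Windows 7 and XP only the bulletin patch and the sc.exe step apply). The KB list is an assumption to be checked against the bulletin for your own Windows editions, and the firewall rule blocks inbound SMB on the Public profile only, so file sharing on the office LAN keeps working.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AVLab article): audit and harden one Windows host
# against the SMBv1 spreading vector used by WannaCry.

# 1. Is the MS-17-010 fix already installed? KB numbers below are an assumption
#    covering a few common editions; verify them against the bulletin.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429')
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS-17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS-17-010 hotfix found. Install it from Windows Update before anything else.'
}

# 2. Server side: stop accepting SMBv1 connections.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is ENABLED - disabling.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Remove the optional feature itself. This is the same checkbox the article
#    describes: "SMB 1.0/CIFS File Sharing Support" under "Turn Windows features on or off".
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 4. Client side: prevent this host from speaking SMBv1 to others by removing
#    the mrxsmb10 driver from the workstation service's dependencies.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 5. On untrusted (Public profile) networks such as open Wi-Fi, refuse inbound
#    SMB (TCP 445) altogether; Domain and Private profiles are left unchanged.
if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
}

Write-Host 'Done. Reboot to complete the SMBv1 removal, then re-run this script to confirm the state.'
```

Run it once to see the warnings, reboot, and run it again: a clean second pass (no warnings, hotfix listed) is the state you want on every machine before reconnecting it to a shared network.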

WannaCry in practice

For the full transparency of the article:

  • The following video material was produced for training purposes.
  • We were not paid by Arcabit for producing it.
  • The folder containing the sample wannacry.exe was added to the scan exclusions (the antivirus detected the threat by signature).
  • In the scan options, automatic quarantine of infected files was selected so that all antivirus alerts were kept to a minimum.
  • The SafeStorage module works together with the antivirus engine. Disabling real-time protection makes this module useless.
  • Because a scan of the entire operating system takes a long time, the threat removal step is omitted and only the restore stage is shown.

Arcabit, a Polish provider of security solutions, has developed a special SafeStorage mechanism that allows files to be restored after encryption. Fast and trouble-free data recovery is possible even when the ransomware is completely undetected by the antivirus engine, and also when the encrypted files are in network locations.

WannaCry makes no impression on Arcabit Internet Security:

Other antivirus solutions also have similar mechanisms for recovering files. However, they are not enabled by default and require additional configuration that most non-technical users rarely look at.

Update #2 [15 May 2017]

There have been reports of another sample that has a "remote switch" for a different domain:

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Update #3 [15 May 2017]

Another new sample has been analysed which contains a "switch" in the top-level domain (TLD) ".testing". As of today this is an invalid domain. Since a ".testing" domain cannot be registered, deactivating this variant of the ransomware is not possible. But...

... there is an exception to this rule: an internal DNS server. Only in this way can the mnemonic (human-readable) name be mapped to a corresponding IP address.
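The exception described above, and the earlier point that some security products cut hosts off from the "remote switch" domain, both come down to one administrative action: making the kill-switch name resolvable inside your own network. The script below is an added example for this article, not AVLab's or Microsoft's code, for a Windows DNS Server with the DnsServer module. The kill-switch host name is a placeholder to be replaced with the one from your own sample analysis (the article does not give the ".testing" name), and 10.0.0.50 is an assumed internal web server that answers HTTP. Creating a zone named after the full FQDN, rather than after the TLD, means the same approach also works for the ".com" kill-switch domains without taking over the whole ".com" namespace for your clients.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AVLab article): publish an internal A record for a
# WannaCry kill-switch domain on a Windows DNS Server, so that clients can resolve
# it even when the public TLD (".testing") does not exist.

# Placeholders / assumptions: replace with the name from your sample analysis and
# the address of an internal web server that will accept the HTTP connection.
$killSwitchFqdn = 'REPLACE-WITH-KILLSWITCH-HOST.testing'
$sinkholeIp     = '10.0.0.50'

# One zone per kill-switch FQDN: the zone apex ('@') carries the A record, so
# no other names under the same TLD are affected.
if (-not (Get-DnsServerZone -Name $killSwitchFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $killSwitchFqdn -ZoneFile "$killSwitchFqdn.dns"
}

$existing = Get-DnsServerResourceRecord -ZoneName $killSwitchFqdn -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $killSwitchFqdn -Name '@' `
        -IPv4Address $sinkholeIp -TimeToLive (New-TimeSpan -Minutes 5)
}

# Verify the record from the DNS server's own point of view.
Resolve-DnsName -Name $killSwitchFqdn -Server 127.0.0.1 -Type A |
    Select-Object Name, IPAddress
```

Two practical notes: the sinkhole address must actually answer HTTP, since the malware checks that the connection succeeds rather than that the name resolves, and the DNS server's query log then becomes a detection source, because any internal host that looks up this name is a candidate for isolation and investigation.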


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.