WannaCry: the world’s first global ransomware attack
12th May 2017
Infection Map showing affected computers across the globe. Credit: Malware Tech
This blog post will be updated as more news becomes available and as Secarma consultants analyse the situation. The following is a high level description of the breaking issue with further technical details to follow so please check back regularly or follow @secarma for updates…
Update 22/05/2017 - 10:00am
Wanakiwi recovers your files
Researchers have discovered a flaw in the "WannaCry" ransomware which can be used to recover your encrypted files. The conditions where this will work are:
- Your computer has been infected by the original WannaCry ransomware (the version which has this operational flaw).
- The infected computer has not been rebooted or powered off since the infection.
If you are in this situation then you can use "wanakiwi" (https://github.com/gentilkiwi/wanakiwi) to extract the decryption key from the system memory to recover your files. It has been tested to work on Windows XP through to Windows 7, and the information security community has been feeding back that it works reliably.
Update 15/05/17 21:00
Using Nmap to detect nodes vulnerable to MS17-010
The WannaCry ransomware attack is currently exploiting a flaw within Microsoft Windows which is addressed by their MS17-010 update. If you want assurance that your hosts are protected against this then you can use a freely available tool called “nmap” which has released a detection script.
To install nmap on Windows you should follow the guide here:
Note that this will install “winpcap” which will require you to restart your machine.
Nmap is available as a package for most Linux distributions so you can use your package manager as shown below:
- apt-get install nmap # Debian based
- yum install nmap # CentOS/Red Hat
This will not require a restart and should work.
When investigating this script it was found that it did not work on older versions of nmap. We have confirmed that it works on nmap 7.40 which was the latest release from the Debian release stream.
How to scan a host for MS17-010
Download the new “smb-vuln-ms17-010.nse” script from the link below:
Then the syntax to launch a scan is shown below:
nmap -p 445 --script=./smb-vuln-ms17-010.nse <IP ADDRESS or RANGE>
For example, if your network range is 192.168.0.1-255 then you could scan your entire range using this command:
nmap -p 445 --script=./smb-vuln-ms17-010.nse 192.168.0.1-255
The following shows the output of the script when executed against one vulnerable target:
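When a whole range is scanned, the per-host results need reducing to a list of machines to patch. The following is an added example, not part of the original post: a shell function that reads nmap's normal output and prints one verdict per host. The verdict labels and the abridged sample scan are constructed for illustration. A host with port 445 open but no script finding is reported separately, because the absence of a finding does not prove the patch is installed.

```shell
#!/bin/sh
# Added example: reduce nmap normal output from the smb-vuln-ms17-010
# script to one verdict per host (labels are this example's own).

classify_ms17_010() {
    awk '
        function emit() {
            if (host == "") return
            if (vuln)         print "VULNERABLE " host
            else if (open445) print "NO_FINDING " host
        }
        /^Nmap scan report for / {
            emit()
            host = $NF; gsub(/[()]/, "", host)   # "name (ip)" -> ip
            vuln = 0; open445 = 0; in_script = 0
            next
        }
        /^445\/tcp +open/ { open445 = 1 }
        # A script header looks like "| name:" or "|_name:"; track only ours.
        /^\|[_ ][A-Za-z0-9_-]+:/ { in_script = ($0 ~ /smb-vuln-ms17-010:/) }
        in_script && /State: VULNERABLE/ { vuln = 1 }
        END { emit() }
    ' "$@"
}

# Constructed sample, abridged to the lines the parser relies on.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.0.12
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
Nmap scan report for fileserver.example (192.168.0.20)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap scan report for 192.168.0.31
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
EOF
}

sample_scan | classify_ms17_010
```

To use it on a real scan, add `-oN scan.txt` to the nmap command above and run `classify_ms17_010 scan.txt`.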
Update 15/05/17 13:20
Variants Increase to Number in the Hundreds, Microsoft takes a Swipe at the NSA
Anti-virus companies have reported a surge in the number of wannacry variants they have detected. One company, AV-TEST, has identified 452 unique variants of wannacry in the last 24 hours. It is unclear if these variants are part of the original attack using the MS17-010 exploit or just variants of the wannacry ransomware itself. Either could be the case. The numbers could be achieved by the original creators modifying their code to use different command and control servers, for example. As the exploit is publicly available, others could be combining it with the wannacry ransomware to create a duplicate worm. Equally likely is the case that the wannacry ransomware is now particularly popular among various different cybercriminals who will be distributing it by more traditional methods such as email attachments. It is likely it will turn out to be a combination of all three approaches.
On a related note, Brad Smith, President and Chief Legal Officer of Microsoft, has written a blog post specifically calling out the US Government and the NSA for not disclosing the vulnerability which allowed this attack to be so devastatingly effective. Smith writes:
“this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Update 14/05/17 12:33
In an astonishingly short amount of time at least two new variants have been created. One variant appears to have removed the kill switch completely. However, due to an error in the code, the ransomware element appears not to be functional. The way in which this was done suggests that this attacker did not have access to the original code. Editing the kill switch out of the hexadecimal version of the code appears to have “broken” the ransomware functionality.
A second variant with a different kill switch URL of
was identified by cloud company Comae.io, registered and halted. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
Given the ease with which new variants may now be developed, an increase in numbers and modifications is predicted to occur within a matter of hours.
Update 13/05/17 20:16
Bitcoin Addresses, Command and Control Servers Identified, Attack Halted Temporarily.
The following are the addresses of the bitcoin wallets to which the demanded ransom must be sent:
Analysis of the code has identified five Command and Control servers using the anonymous TOR service. These are the addresses the malware reaches back to for further instructions:
The tor network is a collection of servers which can be used to access the internet anonymously. Originally developed by the American navy in the 1990s, tor sends traffic through multiple servers run by volunteers throughout the world. Put simply, each server only knows where a request has come from and where it has to go next, creating a long chain which separates any given user from the site or service they are trying to reach. Websites and servers on tor are identified by “.onion” addresses, a name taken from tor’s full name, “The Onion Router”, which reflects the many layers used to achieve anonymity. As such, tor sites are a perfect way to control malware such as this, due to the extreme difficulty in finding out who is in control of any given site.
Attack Halted for now …
On Friday it was identified that the malware contains a “kill switch”. This is a URL which the malicious software checks before it commences encrypting files. A British researcher, using the Twitter handle @malwaretechblog, noticed that the address had not actually been registered and proceeded to do so for just £8. The address in question is:
This has effectively stopped the spread of the original worm. However, anyone with even basic computer skills would be able to remove this failsafe, and further variants are predicted to be on the way. The full story may be found here: http://www.bbc.co.uk/news/technology-39907049
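Checking the kill-switch URL normally means a DNS lookup from the infected machine, so resolver logs can show which internal hosts have run the worm. The following is an added example, not part of the original post: it lists each client that queried the domain in dnsmasq-style query logs, with a lookup count and first-seen time. The domain is a placeholder to be replaced with the real kill-switch address, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: find internal clients that looked up the kill-switch
# domain in dnsmasq-style query logs.

# Placeholder only: substitute the real kill-switch domain.
KILLSWITCH_DOMAIN="killswitch-placeholder.example"

killswitch_clients() {
    awk -v dom="$KILLSWITCH_DOMAIN" '
        BEGIN { dom = tolower(dom) }
        / query\[[A-Z]+\] / {
            # Locate the "query[TYPE]" field; name, "from", client follow it.
            for (i = 1; i <= NF; i++) if ($i ~ /^query\[/) break
            name = tolower($(i + 1)); sub(/\.$/, "", name)
            client = $(i + 3)
            # Exact string match, so look-alike names are not reported.
            if (name == dom && $(i + 2) == "from") {
                count[client]++
                if (!(client in first)) first[client] = $1 " " $2 " " $3
            }
        }
        # Output: client, number of lookups, time of first lookup.
        END { for (c in count) print c, count[c], first[c] }
    ' "$@" | sort
}

# Constructed sample log lines.
sample_dns_log() {
    cat <<'EOF'
May 13 09:14:02 dnsmasq[812]: query[A] killswitch-placeholder.example from 192.168.0.12
May 13 09:14:02 dnsmasq[812]: query[A] www.example.org from 192.168.0.20
May 13 09:15:40 dnsmasq[812]: query[A] KILLSWITCH-PLACEHOLDER.example. from 192.168.0.31
May 13 09:20:11 dnsmasq[812]: query[AAAA] killswitch-placeholder.example from 192.168.0.12
May 13 09:21:00 dnsmasq[812]: query[A] notkillswitch-placeholder.example from 192.168.0.44
EOF
}

sample_dns_log | killswitch_clients
```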
Update - 13/05/17 14:48
As the attack continues a large number of organisations around the world have been affected. So far examples of affected organisations are:
- NHS (UK) turning away patients, unable to perform x-rays.
- Nissan (UK)
- Telefonica (Spain)
- Iberdrola and Gas Natural
- FedEx (US)
- University of Waterloo US
- Russia interior ministry & Megafon (Russia)
- VTB (Russian bank)
- Russian Railroads (RZD)
- Сбербанк - Sberbank Russia
- Frankfurt and Neustadt train stations
- China: some secondary schools and universities had been affected
- China: Yanshui County Public Security Bureau
- Renault (France)
- University of Milano-Bicocca
- A mall in Singapore
- ATMs in China
- Norwegian soccer team ticket sales
- STC telecom
Update - 13/05/17 13:37
It has been over 24 hours since this attack reached the media and to some extent the initial panic has died down, to be replaced with a sigh of relief, thanks to what was described as an “accident” which halted the spread, and an uncomfortable feeling of uncertainty about what may come next. Here is what we now know…
The malware was indeed a ransomware variant known as wannacry or Wcry or wannacryptor 2.0. It seems the attack worked like a worm, a type of malicious software which propagates itself. As mentioned before, the attack used a known vulnerability in SMB to gain entry, encrypt one machine, then scan for other connected machines on the network in order to continue the attack. Though certainly in the UK the press latched on to the fact that the attack had caused a lack of availability and access to many NHS systems, it is now clear that this was simply an effect of a much larger assault on all systems in the world running unpatched versions of SMB.
This afternoon the press reported a major cyber attack on the NHS. This has caused the Internet to descend into virtual meltdown with contradictory statements, ill-informed opinion, supposition and speculation abounding. At the time of writing the following high level details are known:
- The “cyber attack” is a type of attack known as ransomware
- This has affected a number of GPs, hospitals and possibly whole NHS Trusts
- Medical providers in England, Scotland and Wales have been affected
- Some hospitals have been forced to refuse all but the most urgent emergency cases
- Many affected medical institutions claim their systems are no longer accessible and are reduced to pencil and paper
The attack appears to use the “EternalBlue” exploit MS17-010 which was recently exposed by a group called “The Shadow Brokers” who, it is alleged, acquired the exploit by hacking into servers owned by the American National Security Agency (NSA). The exploit leverages a vulnerability in the SMB protocol.
SMB, which stands for Server Message Block, uses TCP port 445. It is a long-standing Windows protocol which allows computers to communicate with each other to perform functions such as shared access to files or printers. SMB is designed for use on local area networks and should not be exposed to the Internet. However, security misconfigurations may result in this being the case.
Kaspersky states that the current global extent of the attack and the total number of vulnerable devices number at least 200K. They estimate that 46K devices have been attacked and 150K devices are currently “at risk”.
Recommended triage action
Our comment on this is simple: 150K people should drop everything they are doing to take action now. To triage the problem take these actions in whichever order you can:
- Modify your firewall configurations to disable SMB on the Internet. The protocol operates on TCP ports 137, 139 and (most importantly) 445. It also operates over UDP ports 137 and 138.
- Apply Microsoft’s patch. Details may be found here.
Each action should address the problem on its own. However, Secarma recommend taking both.
What is ransomware?
Ransomware is a relatively recent cyber attack method. It is frequently delivered via a phishing attack where a user is lured into clicking on a link in an email or opening a malicious attachment. The email is used to encourage the victim to interact with a “payload”. In the case of ransomware the payload results in data on the victim’s computer being encrypted rendering it useless.
A ransom is then demanded in order to decrypt the data. In the example of a single computer, strategies such as regular offline backups are sufficient to deal with such a threat. However, in the case of computers which are part of a bigger system, which have access to stores of shared files, to network resources, to databases, the ransomware may spread like a virus.
Infecting one computer will not only hold it hostage but may encrypt every other machine which it is connected to and, in turn, every machine those are connected to, creating a cascade effect. This means that a cybercriminal can hold an entire organisation hostage by achieving just one successful infection. Such seems to be the case here.
Due to the relative simplicity of the code required and the ease with which anyone with even basic computing skills may send tens of thousands of emails at once, this has become an effective and lucrative method of extorting money.
Was this targeting the NHS?
This attack, which was most likely not aimed at the NHS in particular, is a worrying development. In recent years sensitive organisations along with individuals have been victims of this attack vector. Examples include hospitals, police departments and schools, to name a few. In this case, where multiple medical institutions have been affected, there is a real danger of loss of life.
Take the example of an emergency patient who is admitted to hospital in the following hours where access to their medical history is not currently available. This is perhaps one of the first true examples of a cyber attack becoming “kinetic”. This is a term experts use to identify an attack which has material consequences in reality.
Secarma consultants are investigating this issue and are standing by to help any organisation affected by this incident. We are analysing the extent of the attack, its origins and providing support to clients at this time of need. As this attack is likely based on phishing emails Secarma has developed a course to inform and train staff on how to avoid such attacks. Details of this course and how Secarma consultants can help your company or organisation may be found by contacting email@example.com
Sources at Police Scotland have told Secarma "we are all equally worried about this development and the whole intel community is working together to fix this".
Although the sensationalists in cybersecurity talk about advanced and complex threats, this attack has come from a known vulnerability.
Long term mitigation advice
Secarma consultants offer the following advice to mitigate this and similar attacks in the future:
- Applying patches, especially security updates, in a timely manner is essential. This goes for everything, from Windows Update to applications such as Adobe Reader and Java.
- Organisations should have a fully developed and agreed patching policy which includes a methodology to deal with “out of band” critical patches to cover issues such as these.
- Keep antivirus software up to date. Virus definitions are normally updated at least once a day, ensure your virus database is updated regularly to protect against the latest threats. Utilise software which will scan in real time threats from emails, downloads and web browsing.
- Engage in regular penetration testing and vulnerability scanning using a reliable 3rd party supplier of these services.
- Conducting a build review of your user workstations and laptops using a 3rd party supplier is particularly important. This will ensure that your patch management and configuration make your organisation harder to exploit using phishing techniques.
- To add depth to your defences, consider adding additional malware scanning technology into your email chain. Relying on one anti-virus vendor for mail server and end node protection does not guard against a threat to that specific product.
- Consider reviewing all routes to the Internet from at least the user area of your LAN. This needs to holistically check all routes including: TCP, UDP, ICMP, HTTP/HTTPS. By improving egress filtering you can often prevent a successful infection dialing home with your data or to get commands from the attacker.
- Keep regular backups. Ensure you have a verified, tested and working process for restoring from backups. Backups should be held preferably off site, or on some physical media that isn't used for another purpose.
- Train your staff. Given threats such as ransomware are on the increase it is even more important to establish a culture of security awareness. Targeted phishing attacks will only work IF an attacker can convince a user to interact with the payload.
- Engage a supplier to run a “simulated phishing” exercise within your organisation. This can give you metrics to understand your potential exposure. It will also highlight the value of staff training and demonstrate your return on investment over time.