Overview of the WannaCry worm
First, a quick overview of the WannaCry worm for those unfamiliar with the inner workings of this ransomware:
Worm (a.k.a. mssecsvc.exe)
The worm is the first-stage dropper and is responsible for the worming behavior of this ransomware. It is 3.6MB (3723264 bytes) in size, and contains the URL “kill-switch” along with the SMB exploit for MS17-010. It carries the second-stage dropper in the clear as a resource named ‘R’. Since the dropper is in the clear and not otherwise compressed or obfuscated, string-based detections written for the dropper will always hit on the worm too, unless other conditions are added to those rules.
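To make the point about string rules concrete, here is an added example (not code from the original post or from Cylance) that builds two constructed byte buffers, a stand-in "dropper" and a "worm" that embeds it verbatim the way resource ‘R’ does, and runs three YARA-like rules over them: the plain dropper rule fires on both stages, while adding a size condition or a worm-only marker separates them. The marker strings are placeholders, not real WannaCry strings; the 3723264-byte size is the worm size stated above.

```python
"""Why a dropper string rule also fires on the worm, and how extra
conditions (size bounds, a worm-only string) tell the stages apart.
Added example; byte buffers and marker strings are constructed."""
from dataclasses import dataclass, field
from typing import Optional

WORM_SIZE = 3_723_264  # size of mssecsvc.exe as stated in the post

# Constructed placeholders standing in for strings a rule author keys on.
DROPPER_MARKER = b"<dropper-string-placeholder>"
WORM_MARKER = b"<kill-switch-url-placeholder>"   # present only in the worm


@dataclass
class Rule:
    """YARA-like rule: every string must be present and, when set,
    the file size must fall inside [min_size, max_size]."""
    name: str
    strings: list = field(default_factory=list)
    min_size: Optional[int] = None
    max_size: Optional[int] = None

    def matches(self, data: bytes) -> bool:
        if self.min_size is not None and len(data) < self.min_size:
            return False
        if self.max_size is not None and len(data) > self.max_size:
            return False
        return all(s in data for s in self.strings)


def build_samples() -> dict:
    """Constructed dropper and worm; the worm holds the dropper unmodified."""
    dropper = b"MZ" + b"\0" * 1000 + DROPPER_MARKER + b"\0" * 1000
    worm = b"MZ" + WORM_MARKER + dropper      # resource 'R' embedded in the clear
    worm += b"\0" * (WORM_SIZE - len(worm))   # pad to the stated worm size
    return {"dropper": dropper, "worm": worm}


RULES = [
    Rule("dropper_strings_only", [DROPPER_MARKER]),
    Rule("dropper_with_size_cap", [DROPPER_MARKER], max_size=WORM_SIZE - 1),
    Rule("worm_specific", [DROPPER_MARKER, WORM_MARKER], min_size=WORM_SIZE),
]


def scan(samples: dict, rules=RULES) -> dict:
    """Map each rule name to the sorted names of the samples it fires on."""
    return {r.name: sorted(n for n, d in samples.items() if r.matches(d))
            for r in rules}


if __name__ == "__main__":
    for name, hits in scan(build_samples()).items():
        print(f"{name:24s} -> {hits}")
```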
The propagation works by randomly generating IP addresses and trying to connect and then exploit the remote system. We’ll go into detail later about how the exploit payload is created, but the key thing to know is that the payload is generated in memory and delivered over the network to the exploited process’s memory. Once code execution is passed to the payload, its sole purpose is to drop a copy of the worm to disk and execute it.
This drop-to-disk step is where most antivirus (AV) vendors, including Cylance®, get their opportunity to prevent WannaCry, unless, of course, a vendor hooks functions in kernel processes, which is a risky proposition and can even increase the attack surface.
- Cylance WannaCry Landing Page
- CylancePROTECT vs. WannaCry Demo Video
- Cylance vs. WannaCry Blog Post – from Friday, May 12
- Cylance Technical WannaCry Blog Post – from Wednesday, May 17
- TITAN SI Tests: WannaCry Ransomware vs. 8 Other AV Solutions – Competitive Intel from a Cylance Platinum Partner in Malaysia
- Where can I find more information?
Refer to the United States Computer Emergency Readiness Team post for complete details: https://www.us-cert.gov/ncas/alerts/TA17-132A
- How did this attack happen?
It was believed that the source of the attack was from an infected email.
- Is the attack over?
Nope. There were reports that the ransomware was stopped with a kill switch; however, it was only slowed down. Companies should stay diligent and keep their systems up to date.
- What does it do?
The ransomware goes under the names WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. It behaves like a worm that propagates automatically, making it incredibly dangerous. It encrypts files on the affected computers, spreads to other computers via the local network, and demands that you pay a ransom in Bitcoin in exchange for decryption.
- What can I do about this threat?
Microsoft released a patch this past March for all supported versions of Windows. If you are on Windows XP, 8 or Server 2003, it is recommended that you install the latest security update.
- Although there’s a kill switch, you can also whitelist the following domains:
Whitelisting should prevent your AV, URL filters, and firewalls from blocking those addresses. You can also add the above-mentioned domain names to each system’s hosts file and to your internal DNS servers to ensure that the kill-switch servers never go silent, but you must be certain that the machine(s) you point them to are always available.
- What to do if your computer is infected?
If you suspect you have an infected machine that cannot reach either of the hosts mentioned above, the system is ransomed. You can find more information about that here: https://www.ncsc.gov.uk/blog-post/fi…d-ransomware-0
Contact your GA administrator. Although security tools are able to detect and remove ransomware, it is important to stay diligent and follow steps designated by your organization.
Groupe Access was founded in 1993 and has become one of the leading hardware and information technology (IT) services firms in Canada. Groupe Access provides end-to-end hardware, IT and business process services to clients across Canada.