[menog] WannaCry Ransomware

Arash Naderpour arash_mpc at parsun.com
Thu May 25 02:10:07 UTC 2017


Thanks Khalid, a quick note to add:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is currently up and is
sinkholed, but this is a temporary fix and the domain(s) will most likely
switch quickly.

Regards,

Arash Naderpour


On Thu, May 25, 2017 at 1:12 AM, KHALID SAMARA <pc-chair at menog.org> wrote:

> Dears,
>
>
>
> Following on the discussion below, I would like to add some related
> information about this ransomware attack in several emails:
>
>
>
> First, as many of you may know, the WCry or WannaCry malware exploits a
> Windows SMB vulnerability to enable propagation after having established a
> foothold in an environment, or also through malicious links in spam
> messages.
>
> This propagation mechanism can distribute the malware both within the
> compromised network & over the public internet; the exploit used here is
> codenamed "EternalBlue". However, this exploited vulnerability was patched
> in Microsoft MS17-010.
>
>
>
> The malware usually adds the WCRY extension to the encrypted data files; it
> also drops & executes a decryptor, then demands $300 to be paid in Bitcoin
> to decrypt the data. If the user doesn't pay the ransom within three days,
> the amount doubles to $600; after seven days without payment, WannaCry will
> delete all of the encrypted files and all data will be lost!
>
>
> Below are some of the file types that are targeted and encrypted by WannaCry:
>
> .3g2, .3gp, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak,
> .at, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db,
> .dbf, .dch, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx,
> .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar,
> .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .mdb, .mdf, .mid, .mkv,
> .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .pas,
> .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm,
> .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch,
> .sh, .sldm, .sldx, .slk, .sln, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar,
> .tbk, .tgz, .tif, .tiff, .txt, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx,
> .vob, .vsd, .wav, .wb2, .wk1, .zip
>
>
>
> This malware uses encrypted Tor channels for command and control
> communications, and tries to query:
>
> ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
>
> and sometimes (www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test.)
> etc.
>
> If it cannot contact this domain, or if it cannot make an HTTP request to
> the resolution of the mentioned domain, then the malware will start to
> encrypt files.
>
>
>
> However, as a workaround to this issue, network administrators can locally
> sinkhole these domains (or other domains) by adding an A record to their
> DNS server that translates the domain to any of the existing sinkhole IPs.
>
>
>
> This malware enumerates the network adapters and determines which subnets
> the system is on. The malware then generates a thread for each IP on the
> subnet. Each of these threads attempts to connect to the IP on TCP port 445
> and, if successful, attempts exploitation of the system using the
> EternalBlue SMB exploit.
>
>
>
> However, below are some indicators of compromise that could be used to
> identify potential WannaCry activity:
>
> *MD5s related samples:*
>
> 29365f675b69ffa0ec17ad00649ce026
> 2b4e8612d9f8cdcf520a8b2e42779ffa
> 2ca9ea7966269b22b5257f7a41817e1f
>
> *Related URLs:*
>
> iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
> ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
> iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
>
> *Related Tor Sites:*
>
> cwwnhwhlz52maqm7[.]onion; gx7ekbenv2riucmf[.]onion; sqjolphimrr7jqw6[.]onion
>
> *Related Executables:*
>
> C:\Windows\mssecsvc.exe; C:\Windows\tasksche.exe
>
> *Related Processes Started:*
>
> cscript.exe //nologo m.vbs
>
>
>
>
>
> There is no confirmed fix for WannaCry available at this time.
> Antimalware and antivirus companies are trying to find a way to decrypt
> files on infected computers, but currently there is still no way available
> to do that.
>
>
> Regards,
>
>
> khalid
>
>
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 May 2017 17:32:52 +0300
> From: Harith Dawood <alwathiq2007 at gmail.com>
> Subject: Re: [menog] WannaCry Ransomware
> To: Hisham Ibrahim <hmi at ripe.net>
> Cc: MENOG <menog at menog.org>
> Message-ID:
>         <CAH3nW1+xmhpqGEz2Cn_ivs_ro2Ynz+wrzugqo=0eLd82+PXUUA@
> mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Dear Mr. Hisham Ibrahim
>
> Thank you very much for your important information.
>
> Best regards;
> Harith
>
> On Mon, May 15, 2017 at 12:42 AM, Hisham Ibrahim <hmi at ripe.net> wrote:
>
> > Dear All,
> > As you are no doubt aware, we are currently experiencing an unprecedented
> > ransomware attack at a global scale. The malware was detected on 12 May
> > 2017 and has the capability to spread across networks taking advantage of a
> > critical exploit in a popular communication protocol used by Windows
> > systems.
> > Many of you have already reached out and are actively involved in
> > containing this threat. It is believed that the infection and propagation
> > rate may go up on Monday when people return to their workplaces.
> > Below is the Europol warning / update about the current ransomware threat.
> > If you think this would be useful to anyone in our community, please
> > forward it on.
> > A list of tips and advice on how to prevent ransomware from infecting your
> > electronic devices can be found at:
> > https://www.europol.europa.eu/sites/default/files/images/editor/ransomware-01.jpg
> > Regards,
> > Hisham
> >
> > Begin forwarded message:
> >
> > *If you are a victim or have reason to believe that you could be a victim*
> >
> > This link provides some practical advice on how to contain the
> > propagation of this type of ransomware:
> > https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance
> >
> > The most important step involves patching the Microsoft vulnerability
> > (MS17-010):
> > https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> >
> > A patch for legacy platforms is available here:
> > https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
> >
> > In instances where it is not possible to install the patch, managing the
> > vulnerability becomes key. One way of doing this would be to disable the
> > SMBv1 (Server Message Block) protocol:
> > https://support.microsoft.com/en-us/help/2696547
> > and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445].
> >
> > Another step would be to update endpoint security and AV solutions with
> > the relevant hashes of the ransomware (e.g. via VirusTotal).
> >
> > If these steps are not possible, not starting up and/or shutting down
> > vulnerable systems can also prevent the propagation of this threat.
> >
> > *How to prevent a ransomware attack?*
> >
> >    1. *Back-up! Back-up! Back-up!* Have a backup and recovery system in
> >    place so a ransomware infection can't destroy your personal data forever.
> >    It's best to create at least two back-up copies on a regular basis: one to
> >    be stored in the cloud (remember to use a service that makes an automatic
> >    backup of your files) and one stored locally (portable hard drive, thumb
> >    drive, etc.). Disconnect these when you are done and store them separately
> >    from your computer. Your back-up copies will also come in handy should you
> >    accidentally delete a critical file or experience a hard drive failure.
> >    2. *Use robust antivirus software* to protect your system from
> >    ransomware. Always use the latest virus definition/database and do not
> >    switch off the 'heuristic' functions as these help the solution to catch
> >    samples of ransomware (and other types of malware) that have not yet been
> >    formally detected.
> >    3. *Keep all the software on your computer up to date.* When your
> >    operating system (OS) or applications release a new version, install it.
> >    If the software you use offers the option of automatic updating, enable it.
> >    4. *Trust no one. Literally.* Any account can be compromised and
> >    malicious links can be sent from the accounts of friends on social media,
> >    colleagues or an *online gaming*
> >    <https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/> partner.
> >    Never open attachments in emails from someone you don't know. Similarly,
> >    don't open attachments in emails from somebody you know but from whom you
> >    would not expect to receive such a message. Cybercriminals often
> >    distribute fake email messages that look very much like email notifications
> >    from an online store, a bank, the police, a court or a tax collection
> >    agency, luring recipients into clicking on a malicious link and releasing
> >    the malware into their system. If in doubt, call the sender at a trusted
> >    phone number to confirm the legitimacy of the message received.
> >    5. *Enable the 'Show file extensions' option in the Windows settings
> >    on your computer.* This will make it much easier to spot potentially
> >    malicious files. Stay away from file extensions like '.exe', '.com', '.vbs'
> >    or '.scr'. Cybercriminals can use several extensions to disguise a
> >    malicious file as a video, photo, or document (like hot-chics.avi.exe or
> >    report.doc.scr).
> >    6. If you discover a rogue or unknown process on your machine, *disconnect
> >    it immediately from the internet or other network connections (such as home
> >    Wi-Fi)*: this will prevent the infection from spreading.
> >
> >
> >
> >
> > _______________________________________________
> > Menog mailing list
> > Menog at lists.menog.org
> > http://lists.menog.org/mailman/listinfo/menog
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.menog.org/pipermail/menog/attachments/
> 20170520/7fd1fc56/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Sat, 20 May 2017 20:26:33 +0400
> From: Luqman Kondeth <luqman.kondeth at nyu.edu>
> Subject: Re: [menog] WannaCry Ransomware
> To: Harith Dawood <alwathiq2007 at gmail.com>
> Cc: Hisham Ibrahim <hmi at ripe.net>, MENOG <menog at menog.org>
> Message-ID:
>         <CAP32F_zAK5shpB4Dx6ptS3OREtUX-UwnVPtf4paaRsNSgH_-iw at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
>
> Has anyone been able to observe the malware's network behaviour in action?
> I ask this because we noticed large amounts of TCP port scans on 445 from
> the 12th, which is when the malware was reported.
> What is interesting, however, is that the machines that were doing this in
> our network were Apple Macs. Is it possible that the Macs are a carrier
> for the worm? Anyone seen anything similar?
>
> We also noticed the following:
>
> There is an increased amount of traffic on ports 445 and 139 from the 12th
> of this month.
> We also see certain IP addresses being constantly probed on port 445.
> Below are the IP addresses:
>
> 192.168.0.2
> 100.100.129.90
> 149.236.99.1
> 172.18.4.200
>
> The pattern we see is usually a connection attempt on port 445 to one of
> the above IPs, followed by a large volume of port 445 traffic to random IPs.
>
> Thanks
>
>
> ------------------------------
>
>
> End of Menog Digest, Vol 107, Issue 15
> **************************************
>
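The propagation pattern the thread describes (one host making TCP/445 connection attempts across its subnet) and the kill-switch domain lookups can both be triaged from connection and DNS logs. The script below is an added example, not code from the thread or from any of its authors; the `ts key=value` log format, the field names and the sample log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Kill-switch domains named in the thread (defanged there with "[.]").
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ key=value ...' into a dict (assumed format)."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def smb_scanners(lines, min_targets=20, window_s=60):
    """{src: distinct targets} for sources hitting >= min_targets distinct hosts on
    TCP/445 within window_s seconds. One 445 connection is normal SMB use; the sweep is the signal."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("proto") == "tcp" and rec.get("dport") == "445":
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # sliding window over time-ordered events
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

def kill_switch_lookups(dns_lines):
    """(src, qname) pairs for queries of a kill-switch domain, with or without the
    'www.' label; after local sinkholing these identify infected hosts that did not encrypt."""
    hits = []
    for rec in map(parse_line, dns_lines):
        qname = rec.get("qname", "").rstrip(".").lower()
        base = qname[4:] if qname.startswith("www.") else qname
        if base in KILL_SWITCH_DOMAINS:
            hits.append((rec["src"], qname))
    return hits

# Constructed samples: 10.0.0.5 sweeps 40 hosts on 445; 10.0.0.9 is normal use.
SAMPLE_FW = [f"2017-05-12T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.0.{i} proto=tcp dport=445 action=block"
             for i in range(1, 41)] + [
    "2017-05-12T10:00:05Z src=10.0.0.9 dst=10.0.0.1 proto=tcp dport=445 action=allow",
    "2017-05-12T10:00:06Z src=10.0.0.9 dst=10.0.0.2 proto=tcp dport=139 action=allow"]
SAMPLE_DNS = ["2017-05-12T09:59:58Z src=10.0.0.5 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. qtype=A",
              "2017-05-12T09:59:59Z src=10.0.0.9 qname=www.example.com. qtype=A"]
```

Hosts that query the kill-switch domain after it has been sinkholed locally are the ones to isolate first: the lookup succeeded, so they are infected but were stopped before encrypting.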