It has been reported that a new ransomware named “WannaCry” is spreading widely. WannaCry encrypts the files on infected Windows systems. This ransomware spreads by exploiting a vulnerability in implementations of Server Message Block (SMB) in Windows systems. The exploit is known as ETERNALBLUE.
The ransomware, also called WannaCrypt or WannaCry, encrypts the computer’s hard drive and then spreads laterally between computers on the same LAN. The ransomware also spreads through malicious attachments to e-mail messages.
In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
After infecting a system, the WannaCry ransomware displays the following screen on the infected system:
It also drops a file named !Please Read Me!.txt, which contains text explaining what has happened and how to pay the ransom.
WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Indicators of compromise:
The ransomware writes itself into a folder with a random name under the ‘ProgramData’ folder with the file name “tasksche.exe”, or into the ‘C:\Windows’ folder with the file names “mssecsvc.exe” and “tasksche.exe”.
The ransomware grants full access to all files by using the command:
Icacls . /grant Everyone:F /T /C /Q
Using a batch script for operations:
Hashes for the WannaCry ransomware:
- Use endpoint protection/antivirus solutions to detect these files and remove them.
The malware uses Tor hidden services for command and control. The list of .onion domains embedded in it is as follows:
Note: For updates on the latest Indicators of Compromise, please see the references to security vendors given in the references section.
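The file and process indicators listed above can be checked with a small host-based scan. The following is an added example, not code from the original advisory: it flags the .WCRY suffix on the listed extensions, the ransom note name, the dropped binaries in the paths the advisory names, and the icacls command line. The folder name kxqwnt, the user names and the sample command lines are constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Original extensions listed in the advisory; WannaCry appends .WCRY after them.
TARGET_EXTS = {
    ".ppt", ".doc", ".docx", ".xlsx", ".sxi", ".sxw", ".odt", ".hwp", ".zip", ".rar", ".tar", ".bz2",
    ".mp4", ".mkv", ".eml", ".msg", ".ost", ".pst", ".edb", ".sql", ".accdb", ".mdb", ".dbf", ".odb",
    ".myd", ".php", ".java", ".cpp", ".pas", ".asm", ".key", ".pfx", ".pem", ".p12", ".csr", ".gpg",
    ".aes", ".vsd", ".odg", ".raw", ".nef", ".svg", ".psd", ".vmx", ".vmdk", ".vdi",
}
NOTE_NAME = "!please read me!.txt"          # ransom note name as given in the advisory
DROPPED = {"tasksche.exe", "mssecsvc.exe"}  # dropped binaries named in the advisory
ICACLS_RE = re.compile(r"icacls\s+\.\s+/grant\s+everyone:f\s+/t\s+/c\s+/q", re.I)

def classify_path(path: str) -> Optional[str]:
    """Label one file path with the indicator it matches, or None if it looks clean."""
    p = PureWindowsPath(path)
    name, parts = p.name.lower(), [s.lower() for s in p.parts]
    if name == NOTE_NAME:
        return "ransom-note"
    if name.endswith(".wcry"):
        # the original extension sits just before .WCRY, e.g. report.docx.WCRY
        orig_ext = PureWindowsPath(name[:-len(".wcry")]).suffix
        return "encrypted-file" if orig_ext in TARGET_EXTS else "wcry-suffix"
    if name in DROPPED and ("programdata" in parts or parts[1:2] == ["windows"]):
        # <ProgramData>\<random>\tasksche.exe, or C:\Windows\{mssecsvc,tasksche}.exe
        return "dropped-binary"
    return None

def scan(paths: List[str], cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group file paths and process command lines by the indicator they match."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        label = classify_path(path)
        if label:
            hits.setdefault(label, []).append(path)
    for cmd in cmdlines:
        if ICACLS_RE.search(cmd):  # the permission-grant command quoted in the advisory
            hits.setdefault("icacls-grant-everyone", []).append(cmd)
    return hits

# Constructed sample input (not from a real host) so the script runs offline.
SAMPLE_PATHS = [r"C:\Users\alice\Documents\report.docx.WCRY",
                r"C:\Users\alice\Documents\!Please Read Me!.txt",
                r"C:\ProgramData\kxqwnt\tasksche.exe", r"C:\Windows\mssecsvc.exe",
                r"C:\Users\alice\Pictures\holiday.jpg"]
SAMPLE_CMDLINES = [r'cmd.exe /c "icacls . /grant Everyone:F /T /C /Q"',
                   r"notepad.exe C:\Users\alice\notes.txt"]
if __name__ == "__main__":
    for label, items in scan(SAMPLE_PATHS, SAMPLE_CMDLINES).items():
        print(f"{label}: {items}")
```

On a live host the path list would come from a directory walk and the command lines from process-creation logs; the match logic stays the same.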
- Carry out Vulnerability Assessment and Penetration Testing (VAPT) and an information security audit of critical networks/systems, especially database servers, from Secnic. Repeat audits at regular intervals.
- Individuals and organizations are advised not to pay the ransom, as this does not guarantee that files will be released. Report such instances of fraud to Secnic Consultancy Services.