TÜV Rheinland Blog - Insights from Asia and Africa

TÜV Rheinland: Security Advisory – WannaCrypt

Posted by TUV Rheinland on May 16, 2017 2:43:20 PM

Hundreds of thousands of machines have been infected by the global WannaCrypt ransomware outbreak. Patch your systems now to avoid being the next victim.


The WannaCrypt ransomware campaign began at around 8 am UTC on Friday, May 12th, 2017, and quickly went global to become one of the largest ransomware attacks on record. At the time of writing it had been seen in more than 100 countries and had infected well over a hundred thousand computers, including at some of the world's largest institutions.



The Russian Interior Ministry reported over a thousand of its computers infected; in the UK, 48 National Health Service (NHS) trusts were disrupted; and many machines in Germany were hit. The private sector is also heavily affected, with infections reported at companies in the US, Spain, Portugal, France and the UK, to name but a few.



Ransomware is nothing new, but what makes WannaCrypt different is its ability to self-propagate. It does this by exploiting a known vulnerability in Microsoft's implementation of version 1 of the Server Message Block protocol (SMBv1) that allows unauthenticated remote code execution on a vulnerable system. The exploit, code named 'EternalBlue', targets CVE-2017-0144, one of several SMBv1 flaws (CVE-2017-0143 through CVE-2017-0148) fixed by the MS17-010 bulletin. It was taken from the NSA's Equation Group and made public by the Shadow Brokers hacking group on April 14th, 2017.

However, Microsoft had already issued a patch for this vulnerability two months earlier, on March 14th, 2017 [MS17-010]. The exploit works against Windows 7, Windows Server 2008 and earlier systems, and the outbreak takes advantage of the vast number of such machines that are either unpatched or out of Microsoft support, e.g. Windows XP, for which no patch was available when the outbreak started (see the out-of-band release under step 1 below).



Once a machine is infected, its files are encrypted and renamed with the extension .WNCRY (earlier samples used .WCRY). The ransomware demands US$300 in Bitcoin per affected machine and threatens that, if payment is not made within three days, the ransom doubles to $600, and that after a week the files will be deleted.

The initial infection vector had not been confirmed at the time of writing; the candidates are a phishing email designed to trick users into running the malware, and direct infection through the SMB exploit on any machine reachable from the internet on port 445. Either way, the threat arrives as a dropper Trojan with two key components: the first tries to exploit the SMB vulnerability on other computers on the network, and the second is the WannaCrypt ransomware itself.

Importantly, before doing anything else the dropper tries to connect to a hard-coded domain (not reproduced here) using the WinINet API InternetOpenUrlA(). If the connection succeeds, this acts as a 'kill switch': the dropper simply exits and neither spreads nor deploys the ransomware. This behaviour was identified by a security researcher in the UK, who quickly registered the domain and so stopped further global propagation, at least until a new variant without the check, or with a different domain, is released into the wild. Two caveats for defenders: the check is made as a direct connection and ignores proxy settings, so hosts that can only reach the internet through a proxy are not protected by it; and the domain must not be blocked by your own web filtering, or you lose the protection on hosts that would otherwise have had it.

If the connection fails, the dropper installs a service named mssecsvc2.0 whose job is to exploit the SMB vulnerability on other computers reachable from the infected system, both on the local network and on randomly generated internet addresses. It then creates the registry keys and files needed to encrypt the computer's files and to display the ransom demand, including by replacing the desktop wallpaper.
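As an added triage example (not part of the TÜV Rheinland advisory), the following PowerShell checks a single Windows host for the indicators described above: the mssecsvc2.0 service, files already renamed with the ransomware's extension, and whether the host could have reached the kill-switch domain the way the dropper does. The service name and file extensions come from the text; the scan paths and the optional $KillSwitchDomain parameter are this script's own assumptions, and since the advisory does not reproduce the domain it has to be supplied by the caller.

```powershell
# Added triage script, not part of the TUV Rheinland advisory.
# Run from an elevated PowerShell prompt on the host being checked.
# Assumptions: service name and file extensions as described in the advisory;
# the scan paths and the $KillSwitchDomain parameter are this script's own.
[CmdletBinding()]
param(
    # The advisory does not reproduce the kill-switch domain; pass it in if you have it.
    [string]$KillSwitchDomain = '',
    # Where to look for already-encrypted files (user profiles by default).
    [string[]]$ScanPaths = @("$env:SystemDrive\Users")
)

function Test-WannaCryptService {
    # The dropper registers its SMB spreader as a Windows service named mssecsvc2.0.
    $svc = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
    if ($svc) {
        $path = (Get-WmiObject -Class Win32_Service -Filter "Name='mssecsvc2.0'").PathName
        [pscustomobject]@{ Indicator = 'Service'; Detail = "mssecsvc2.0 is $($svc.Status), binary: $path" }
    }
}

function Find-EncryptedFiles {
    param([string[]]$Paths, [int]$Limit = 20)
    # Encrypted files carry the .WNCRY extension (.WCRY in earlier samples).
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -Include '*.WNCRY', '*.WCRY' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object -First $Limit |
            ForEach-Object { [pscustomobject]@{ Indicator = 'EncryptedFile'; Detail = $_.FullName } }
    }
}

function Test-KillSwitchReachable {
    param([string]$Domain)
    if (-not $Domain) { return }
    # The dropper's kill-switch check is a direct HTTP connection that ignores proxy
    # settings, so test DNS resolution plus a raw TCP connect to port 80 instead of
    # Invoke-WebRequest, which would silently succeed through a configured proxy.
    $resolves = $false
    $connects = $false
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Domain)
        $resolves = $addrs.Count -gt 0
        $client = New-Object System.Net.Sockets.TcpClient
        $handle = $client.BeginConnect($addrs[0], 80, $null, $null)
        $connects = $handle.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
        $client.Close()
    } catch { }
    [pscustomobject]@{
        Indicator = 'KillSwitch'
        Detail    = "$Domain resolves=$resolves directTcp80=$connects (false: this host would NOT be saved by the kill switch)"
    }
}

# @( ... ) collects whatever the three checks emit; checks with nothing to report emit nothing.
$findings = @(
    Test-WannaCryptService
    Find-EncryptedFiles -Paths $ScanPaths
    Test-KillSwitchReachable -Domain $KillSwitchDomain
)
if ($findings.Count -eq 0) { 'No WannaCrypt indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it as `.\Check-WannaCrypt.ps1 -KillSwitchDomain <domain>` on a host you suspect; if the service or encrypted files show up, disconnect the host from the network before anything else, because the service is actively scanning for new victims over SMB. The kill-switch test deliberately bypasses the proxy so that its result matches what the dropper itself would see.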



To avoid becoming the next victim of the WannaCrypt ransomware outbreak, you should:

1. Start by patching your systems

For Windows 7, Windows Server 2008 and any other system still in support, this means applying the March 2017 MS17-010 update, which fixes the SMBv1 remote code execution vulnerabilities. Due to the scale of the outbreak, Microsoft has also just released an out-of-band patch for operating systems no longer in support, including Windows XP, Windows 8 and Windows Server 2003. Besides installing the updates, Microsoft advises disabling the SMBv1 protocol altogether: it is an old protocol superseded by SMBv2 and SMBv3, and with it switched off the exploit has nothing to talk to. Check first that no legacy devices (old NAS boxes, printers, Windows XP clients) still depend on it. You should also add a rule on your perimeter router or firewall to block inbound SMB traffic from the internet (TCP port 445, plus TCP 139 for NetBIOS session traffic), and restrict it between internal network segments where possible, since the worm spreads laterally over the same ports.
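The PowerShell below is an added example (not from the advisory) that applies and verifies the three measures in step 1 on a single host: it reports which MS17-010 packages are installed, disables SMBv1 on both the server and the client side, and adds a Windows Firewall rule blocking inbound SMB. It assumes an elevated prompt on Windows 7 / Server 2008 R2 or later; the KB numbers are Microsoft's March 2017 MS17-010 packages and the May 2017 out-of-band package, while the firewall rule name is this script's own.

```powershell
# Added hardening script, not part of the TUV Rheinland advisory.
# Run from an elevated prompt. Windows 7 / Server 2008 R2 need PowerShell 2.0+;
# the Smb* cmdlets used on newer systems exist from Windows 8 / Server 2012.

# MS17-010 packages (March 2017) plus the May 2017 out-of-band package. Later
# cumulative rollups supersede these, so "none" is not proof of exposure:
# compare the srv.sys version against the one listed in the bulletin as well.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'   # Windows 7 SP1 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Windows Server 2012
    'KB4012598'                # Vista / Server 2008, and XP / Server 2003 / Windows 8 (out-of-band)
)

function Get-Ms17010Status {
    # Which of the known packages are present, and the version of the SMB server driver.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
    $packages   = if ($installed) { $installed -join ', ' } else { 'none' }
    [pscustomobject]@{ Ms17010Packages = $packages; SrvSysVersion = $srvVersion }
}

function Disable-Smb1 {
    # Server side: stop answering SMBv1, the dialect EternalBlue targets.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # Windows 8 / Server 2012 and later
    } else {
        # Windows 7 / Server 2008 R2: LanmanServer reads this value at start, so reboot afterwards.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Value 0 -Type DWord -Force
    }
    # Client side (Microsoft KB2696547): disable the SMBv1 redirector and remove it
    # from the workstation service's dependencies. Also takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # Blocks inbound TCP 445 (SMB) and 139 (NetBIOS session) on all firewall profiles.
    # Do not apply this as-is to file servers or domain controllers that must serve SMB;
    # there, scope the rule to internet-facing interfaces or rely on the perimeter firewall.
    netsh advfirewall firewall add rule name="Block inbound SMB (WannaCrypt)" `
        dir=in action=block protocol=TCP localport=445,139 | Out-Null
}

'Patch state before changes:'
Get-Ms17010Status
Disable-Smb1
Block-InboundSmb
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol      # expect False
}
netsh advfirewall firewall show rule name="Block inbound SMB (WannaCrypt)"
'Reboot Windows 7 / Server 2008 R2 hosts for the SMBv1 changes to take effect.'
```

Roll this out through your management tooling rather than by hand, and keep the patch check separate from the two changes if you want to run it read-only across the estate first: an empty Ms17010Packages column on a host that receives monthly rollups is expected, which is why the srv.sys version is reported alongside it.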


2. Get your backups in order

One of the most fundamental protections against ransomware is the ability to restore reliably from recent backups. You will want multiple backups with the ability to roll back to any point in time, and these must not be permanently connected to, or writable from, the source machine, or they could be encrypted as well. Various cloud service providers offer good options here, and many professional backup services are available. Whichever you choose, test a restore regularly; a backup you have never restored from is an assumption, not a protection.


3. Reduce the likely success of phishing emails

Enable strong spam filtering to reduce the probability of phishing emails reaching end users. Authenticate inbound email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), and publish these records for your own domains, so that spoofed messages can be rejected. Educate your users and outline the dangers and the potential impact of ransomware on your business. Make them suspicious of every email they receive that they are not expecting, every link and every attachment.


4. And if you become a victim?

If you do become a victim of the outbreak, first isolate the infected machine from the network (unplug the cable or disable Wi-Fi) so that it cannot spread to other hosts via SMB, and do not wipe it before evidence has been collected. Do not pay the ransom. It only creates a viable market for cyber criminals and motivates future ransomware attacks, and you cannot be sure you will get your files back. Instead, contact law enforcement and your trusted cybersecurity partner, and provide them with the relevant logs to aid their investigations.


Need help?
Please contact one of our regional cybersecurity executives for immediate assistance here.
