Wannacrypt0r-FACTSHEET.md · GitHub

Warning: for Windows systems: important spread of #WannaCry (#Wcry) ransomware

▻http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html?m=1
▻https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide

The malware/worm is causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organisations in multiple countries, including the UK, Spain, Germany, and Turkey. Telefonica, FedEx, and the UK government’s National Health Service (NHS) have been hit. Operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

The ransomware completely encrypts all your files and render them unusable. They ask you to pay some money to get the decryption key. ($300 to $600 worth in bitcoins). Paying does not guarantee you will get a decryption key though.

The malware spreads through social engineering e-mails.
Be careful with any attachments you receive from unknown sources (and even known sources). Make sure the files are sent intentionally.
Watch out for .pdf or .hta files, or links received via e-mail that point to .pdf or .hta files.

More than 45.000 computers worldwide have already been infected, but there appears to be a kill switch, i.e. a way to stop its spreading.
As one of the first operations, the malware tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the program terminates.

This can be seen as a kind of kill switch provision, or perhaps it had some particular reason. Whichever it is, the domain has now been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that runs the malware. This will of course not help anyone already infected.

Microsoft has released a patch to block the malware on Windows machines:

MS17-010
▻https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

It is important to apply the patch because other variants of the malware can exploit the same vulnerability and/or use a different domain name check.

Nice technical analysis of the worm:

▻https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r

And more technical info about the worm itself: (careful)

▻https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

typedef struct _wc_file_t {
char     sig[WC_SIG_LEN]     // 64 bit signature WANACRY!
uint32_t keylen;             // length of encrypted key
uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
uint32_t unknown;            // usually 3 or 4, unknown
uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
uint8_t *data;               // Ciphertext Encrypted data using AES-128 in CBC mode
} wc_file_t;

#malware #worm #ransomware #NSA #Shadow_Broker #EternalBlue