Reported by multiple news and information security outlets, WannaCry ransomware hit organizations in over 100 countries and is believed to be the largest successful attack to have occurred to date.
WannaCry ransomware is successfully infecting organizations around the world. Malicious actors are delivering it through common phishing attacks: an infected attachment in the email is the delivery mechanism for the payload. Once infected, the victim device attempts to scan for hosts with TCP port 445 open, which appears to be an attempt to identify additional victims. (An additional attack vector may be victim machines that have TCP port 445 exposed directly to the Internet.)
Once executed, the ransomware uses a loader that contains an AES-encrypted DLL and writes a file, “t.wry”, to disk. Because of this loading and execution process, the DLL itself is never directly exposed on disk (where it would be vulnerable to anti-virus scans). The loader then fetches multiple malicious executable files, including the file encryption component. Files with over 160 different extensions are then encrypted (encrypted files receive .wcry/.wncry extensions). Users are then presented with the familiar ransomware window requesting payment for the decryption keys.
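The two host-level indicators the text describes, a single machine fanning out to many neighbours on TCP port 445 and files renamed with the .wcry/.wncry extensions, are what a defender can look for first. The following is an added example, not code from the original article or from Foresite: it runs a simple distinct-destination threshold over constructed firewall log lines (the log format, the threshold of 5 hosts and the 60-second window are all assumptions chosen for illustration) and flags the ransom extensions in a list of file paths.

```python
"""Triage helpers for WannaCry-style indicators (added example, not the article's code).

Assumed firewall log format (one event per line, constructed for this example):
    <ISO-8601 timestamp> <src ip> <dst ip> <dst port> <ALLOW|DENY>
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}                   # ports named in the article's filtering advice
DISTINCT_DST_THRESHOLD = 5               # assumption: distinct SMB targets that count as a scan
WINDOW = timedelta(seconds=60)           # assumption: time window for the fan-out count
RANSOM_EXTENSIONS = (".wcry", ".wncry")  # extensions given to encrypted files

# Constructed sample log: 10.0.5.23 sweeps six neighbours on 445 within a few
# seconds (scan-like); 10.0.1.10 repeatedly talks to one file server (normal).
SAMPLE_LOG = """\
2017-05-12T10:00:01Z 10.0.5.23 10.0.5.1 445 ALLOW
2017-05-12T10:00:02Z 10.0.5.23 10.0.5.2 445 ALLOW
2017-05-12T10:00:02Z 10.0.5.23 10.0.5.3 445 DENY
2017-05-12T10:00:03Z 10.0.5.23 10.0.5.4 445 ALLOW
2017-05-12T10:00:04Z 10.0.5.23 10.0.5.5 445 DENY
2017-05-12T10:00:05Z 10.0.5.23 10.0.5.6 445 ALLOW
2017-05-12T10:00:06Z 10.0.1.10 10.0.5.50 445 ALLOW
2017-05-12T10:00:20Z 10.0.1.10 10.0.5.50 445 ALLOW
2017-05-12T10:00:40Z 10.0.1.10 10.0.5.50 445 ALLOW
2017-05-12T10:00:41Z 10.0.1.11 93.184.216.34 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), action


def find_smb_scanners(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src: set_of_dsts} for sources that contacted at least `threshold`
    distinct hosts on an SMB port within any `window`-long span.

    Both ALLOW and DENY events count: a blocked probe is still evidence of
    scanning, and DENY lines are what outbound 139/445 filtering produces.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first one that trips.
        for i, (t0, _) in enumerate(evs):
            dsts = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(dsts) >= threshold:
                flagged[src] = dsts
                break
    return flagged


def ransom_extension_hits(paths):
    """Return the paths (sorted) carrying the ransomware's file extensions,
    case-insensitively, for scoping how far encryption has spread."""
    return sorted(p for p in paths if p.lower().endswith(RANSOM_EXTENSIONS))


if __name__ == "__main__":
    for src, dsts in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible SMB scan from {src}: {len(dsts)} distinct targets")
    # Constructed file listing for the extension check
    listing = ["C:/Users/a/report.docx.WNCRY", "C:/Users/a/notes.txt",
               "D:/share/budget.xlsx.wcry"]
    print("encrypted files:", ransom_extension_hits(listing))
```

Tune the threshold and window to what is normal on your own network; a backup server or vulnerability scanner legitimately opens SMB sessions to many hosts and should be allow-listed rather than tripping the rule.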
Multiple websites have identified indicators of compromise (for example, SANS ISC), and the common remediation practices are:
– Apply the latest Microsoft patch for MS17-010
– Enable strong email spam filters
– Scan all incoming/outgoing email and filter attached executable files
– Enforce outbound port filtering (specifically for TCP ports 139 and 445)
– Ensure antivirus/anti-malware solutions are up to date
– Follow your security incident response plan and processes
– Ensure proper backup and recovery processes are followed
At this time, decryption of files affected by the ransomware is not possible. Foresite’s Incident Response team can assist with remediation for organizations that do not have an internal response team.
Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).