WanaCrypt0r ransomware hits it big just before the weekend

[AdvancedSetup]

https://www.malwarebytes.com/

 

Cybercrime | Malware

WanaCrypt0r ransomware hits it big just before the weekend

Posted: May 12, 2017 by Pieter Arntz

Reports of a massive, worldwide ransomware attack are dominating the news. As workers in Europe headed home for the weekend, ransomware started shutting down their systems. It soon spread to many other countries across the globe. Here’s what we know so far.

Big targets

National Health Service (NHS) England, and Telefonica, one of the largest telecom providers in the world, have each given out statements indicating that their systems have been brought to a grinding halt by a ransomware called WanaCrytp0r, which Malwarebytes detects as Ransom.WanaCrypt0r. The ransomware has also been observed hitting companies in Spain, Russia, Ukraine, and Taiwan.

Method

The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet.

The demanded ransom of $300 per device and the potential risks to the public that come with the targets being big utility and healthcare companies seem to be in shrill contrast. We can only hope that the companies that were hit will be able to get their backups deployed quickly and can start the recovery from this cyberattack. 

Other Infection Vectors

While WanaCrypt0r has been observed spreading across local networks by utilizing the above exploit, its initial infection into a network is still being discovered completely. However, we tested one of the infection vectors, described earlier by Fox-IT, against our Anti-Exploit technology.   In doing so, we discovered another part of the attack chain we were able to stop.

 

This attack method relies upon a malicious phishing email, that includes a link to (or attached) PDF document, which when opened will download an ‘.HTA’ file that leads to eventual infection of the system that opened the e-mail.  We suspect there are possibly even more infection vectors spreading this malware and as we discover and analyze them, we will update this post.

Protection

Consumers and businesses alike should be sure their systems and software are updated with all current patches in order to stop the spread of infection. Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.

 

Here are a few screenshots of our products stopping this threat:

 

 

Edited May 13, 2017 by AdvancedSetup

[Don12]

Thank you AdvancedSetup. I'm currently running Malwarebytes Premium and Malwarebytes AdwCleaner.  Fortunately I didn't get hit with ransomware. In my opinion AdwCleaner completes the protection provided by MWB Premium. 

[AdvancedSetup]

Thanks, @Don12 - Yes, AdwCleaner is a great product. Glad we were able to merge them in with our products.

 

[zuma]

What about the Business client and managed client? Do they have the anti Ransome features like the consumer one?

[Clockedin]

The strangest thing happened on my PC today.  Left the machine up and was gone for part of the day.  When I came back I saw the red carrot and the web protection had been turned off. I tried to start the service and it would not let me.  I rebooted the system and now the Ransomeware service would not start.  I reinstalled 3.06 on my Win 7 from a back up, scanned the system and everything looks good.  Is there something that goes around disabling Malwarebytes in this manner ?

Edited May 13, 2017 by Clockedin
left a word out.. sorry

[Porthos]

3 hours ago, Clockedin said:

The strangest thing happened on my PC today.  Left the machine up and was gone for part of the day.  When I came back I saw the red carrot and the web protection had been turned off. I tried to start the service and it would not let me.  I rebooted the system and now the Ransomeware service would not start.  I reinstalled 3.06 on my Win 7 from a back up, scanned the system and everything looks good.  Is there something that goes around disabling Malwarebytes in this manner ?

 

You are missing the new version.

 

[Porthos]

4 hours ago, zuma said:

What about the Business client and managed client? Do they have the anti Ransome features like the consumer one?

Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.

[Nightwalker]

Does the anti-ransomware layer stop this proactively?

[AdvancedSetup]

4 hours ago, Nightwalker said:

Does the anti-ransomware layer stop this proactively?

Yes, if you're running the Premium version of Malwarebytes 3 its protection module will block this and others.

https://www.malwarebytes.com/premium/

 

[1PW]

Considering the global effects of this ransomware worm, it is somewhat surprising that a "Conficker/Downup/Downadup/Kido Worm-like" working group has not yet been formed/announced with a vulnerability testing page and an information page with an amalgamation of facts, namely for the users with less experience.

Reference: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Edited May 14, 2017 by 1PW

[Utomo]

is there any ways to track the wannacry author ? as so many country get hit 

[Aura]

13 hours ago, Utomo said:

somebody post this password. is this valid ? 

WNcry@2ol7

 

This is the password to the encrypted archive that contains the payload files. It is not the password to decrypt the encrypted files.

[SPTL]

A new version is out, without a kill switch https://mybroadband.co.za/news/security/210656-wannacry-ransomware-without-kill-switch-discovered.html

[David-B]

Does anyone know where I can get a sample of this to play with in a virtual machine? I am surprised out how hard it is to find a copy considering how bad it is.

[Porthos]

1 hour ago, David-B said:

Does anyone know where I can get a sample of this to play with in a virtual machine? I am surprised out how hard it is to find a copy considering how bad it is.

Sorry, we don't advise where to get samples.  Keep googling.

[David-B]

20 minutes ago, Porthos said:

Sorry, we don't advise where to get samples.  Keep googling.

Somehow I suspected that this was going to be the answer I received. Thanks anyway!

[Porthos]

9 minutes ago, David-B said:

Somehow I suspected that this was going to be the answer I received. Thanks anyway!

So very sorry. It is for everyone's protection. 

[David-B]

42 minutes ago, Porthos said:

So very sorry. It is for everyone's protection. 

Again, I can totally understand that, but if somebody here has a sample that they wouldn't mind private messaging me with (and if it does not violate the forum rules to do so) I would very much appreciate it.

[Yendor33]

Quote

 

 

While it's fantastic that MalwareBytes.org can stop the greatest piece of malware / ransom ware in History, as of this morning MalwareBytes the program has stopped working with the "Web Protection" and "Scan" abilities dysfunctional.  They need to escalate this "...updates malfunctioning..." as high as possible since they advertise "MalwareBytes" as a "Complete Protection" for Windows PCs.

[exile360]

Our most proactive protection components use no databases/signatures and remained functional throughout this incident.  Our Exploit protection was actually the first component to stop the WanaCrypt0r attacks because it, like most ransomware (and most modern malware in general these days) uses/used exploits to attempt to download and execute the ransomware payload.  Our Exploit protection stopped it in its tracks before it even had the chance to try to download any malware onto our customers' systems because the exploit is the first phase in the attack chain.

[ipkpjersi]

On 5/15/2017 at 0:03 AM, Utomo said:

is there any ways to track the wannacry author ? as so many country get hit 

I wouldn't count on it, these guys are usually pretty good at staying hidden.

[David-B]

On 6/3/2017 at 5:22 PM, ipkpjersi said:

I wouldn't count on it, these guys are usually pretty good at staying hidden.

I thought it had been determined that whoever wrote WanaCrypt0r was an amateur, relatively speaking.