Know How...

May 18th 2017

Know How... 312

Networking 102: WannaCry Ransomware

We play with the new ransomware exploit hitting the web called "WannaCry".
New episodes every Monday at 6:00pm Eastern / 3:00pm Pacific / 22:00 UTC and Thursday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
Category: Help & How To

We take a look at how the ransomware WannaCry works and how, along with how not to get infected and what to do if you are. 

WannaCry

Infection
* Used the NSA-developed "Eternal Blue" that was released by the shadow brokers
* Initial infection was via emailed link or attachment
* Once Infected
1. Checks a domain to see if it responds (kill-switch)
2. Exploits an SMB vulnerability to move laterally
3. Installs the "DoublePulsar" Backdoor (which stays even if ransom is paid for decrypt)
4. Demands $300-$600 in bitcoin
* We have to wait for numbers, but anecdotally it seems that XP is taking the brunt of the attack

First Impact
* > 400,000 computers infected so far
* > 200 countries (Across Europe, Asia, some of the Americas)
* Shut down manufacturing at Renault in France and Romania
* Shut down Nissan in England
* Also affected health services in Brittian and required patients to be redirected

Mitigation
* Didn't hit the US as much b/c by the time the attack had turned, filters were attuned to the Phishing attack
* A British researcher, "@MalwareTechBlog" on Twitter,  noticed that the malware was trying ot connect to a domain. He registered it and it mitigated the attacks.
- We know he's a 22-year old from south-west England who works for LA-based threat-intelligence company, "Kryptos Logic"

Second Impact
* Researchers are confirming that there is a second revision of WannaCry in circulation that removed the kill-switch check
* There have been MILLIONS of office computers left attended over the weekend, many probably left on.
- There WAS a rise in infections, but not the MASSIVE infection some were worried about

Second Mitigation
* Non-tech media (and even CNET/CBS) are speaking of this attack as if it is over. VERY not the case
* The second version does NOT check for the kill-switch site
* Steps to take:
1. Backup
2. No clicking, no attachments
3. If you are in a high-risk network, disconnect, d/l the patches from a secured machine, run offline, reconnect
4. If you have the tools, look for probing SMB attacks

Notes
* MS released a patch for this in March 2017
** They ALSO released a patch for XP and Sever 2003, even though those are no longer in use.

What to watch for LLMNR
* Local-Link Multicast Name Resolution
* This is a Windows protocol that provides name resolution for hosts on the same local link

Connect with us!

Thanks to CacheFly for the bandwidth for this show.