WannaCryptor 2.0 Ransomware
A new ransomware variant, WannaCryptor 2.0, has spread rapidly to many countries (including the UK, Spain, Russia, Vietnam and Germany) within hours today. WannaCryptor 2.0 distributes itself by exploiting MS17-010 (ETERNALBLUE), disclosed by the Shadow Brokers. ETERNALBLUE targets Windows SMB remote code execution (CVE-2017-0143 through CVE-2017-0148).
Additional information can be found at:
http://go.masergy.com/e/152291/ing-targets-all-over-the-world/j8rvp4/181434293
http://go.masergy.com/e/152291/andling-ransomware-infections-/j8rvp6/181434293
http://go.masergy.com/e/152291/library-security-ms17-010-aspx/j8rvp8/181434293
http://go.masergy.com/e/152291/en-us-help-4013389-title/j8rvpb/181434293
Recommendations:
Immediately ensure systems are patched against MS17-010.
Ensure TCP ports 139, 445, 22, 23, 3389 and UDP 137 and 138 are not accessible from the Internet.
Ensure proper backup procedures to protect against data loss.
Disable SMBv1 for those running Windows Vista and later.
Expose RDP only through a VPN.
Workarounds:
Alternative method of disabling SMBv1 for customers running Windows 8.1 or Windows Server 2012 R2 and later.
For client operating systems:
Open Control Panel, click Programs, and then click Turn Windows features on or off.
In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
Restart the system.
For server operating systems:
Open Server Manager and then click the Manage menu and select Remove Roles and Features.
In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
Restart the system.
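As an added example (not part of the advisory), the following PowerShell audits a host against the recommendations and the SMBv1 workaround above, and with -Remediate applies the workaround without the Control Panel or Server Manager steps. It assumes an elevated session; the KB number comes from the advisory's Microsoft link, and all cmdlets and registry paths are the standard Windows ones.

```powershell
# Added example, not part of the Masergy advisory. Run in an elevated session.
# Reports the host's state against the recommendations above; -Remediate also
# applies the SMBv1 workaround without the Control Panel / Server Manager steps.
param(
    [switch]$Remediate   # omit to audit only
)

$report = [ordered]@{}

# 1. MS17-010: KB4013389 is the support article in the advisory's link. Per-OS
#    packages and later rollups carry other KB numbers, so a miss here means
#    "check update history", not "definitely unpatched".
$report['KB4013389_Present'] = [bool](Get-HotFix -Id KB4013389 -ErrorAction SilentlyContinue)

# 2. SMBv1 server state. Get-/Set-SmbServerConfiguration exist on Windows 8 /
#    Server 2012 and later; older hosts use the LanmanServer registry value
#    (absent = SMB1 enabled).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smbCfg = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smbCfg = Get-SmbServerConfiguration
    $report['SMB1_Enabled'] = [bool]$smbCfg.EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report['SMB1_Enabled'] = ($null -eq $val) -or ($val -ne 0)
}

# 3. Which of the TCP ports the advisory says to block are listening locally
#    (a perimeter firewall check is still needed to confirm Internet reachability).
$ports = 139, 445, 22, 23, 3389
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $open = Get-NetTCPConnection -State Listen |
            Where-Object { $ports -contains $_.LocalPort } |
            Select-Object -ExpandProperty LocalPort -Unique
    $report['Listening_TCP_Ports'] = ($open | Sort-Object) -join ', '
}

[pscustomobject]$report | Format-List

if ($Remediate -and $report['SMB1_Enabled']) {
    if ($smbCfg) {
        # Turns off SMB1 negotiation on the server side; the feature package stays installed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $lanman -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    }
    Write-Output 'SMBv1 server disabled; restart the system to complete the change.'
}
```

On Windows 8.1 / Server 2012 R2 and later the feature package can additionally be removed with the GUI steps above, which is the advisory's method; the script only disables the protocol.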
Vulnerable Versions:
Windows Server 2008 R2
Windows 8.1
Windows Server 2016
Windows Server 2012 and Windows Server 2012 R2
Windows 7
Windows 10
Windows Vista
Windows RT 8.1
Patches:
Microsoft released patches for MS17-010 on March 14, 2017.
http://go.masergy.com/e/152291/library-security-ms17-010-aspx/j8rvp8/181434293
Indicators of Compromise:
Alert detection:
The Masergy Threat Intelligence Team has deployed the following alerts to detect the exploitation of this vulnerability:
EXP:ETERNALBLUE
Possible ETERNALBLUE exploit attempt, targeting a remote code execution bug in the latest version of Windows Server 2008 R2 over the Server Message Block (SMB) and NetBT protocols. This vulnerability was patched by Microsoft in the MS17-010 update.
EXP:ETERNALBLUE-ECHO1
SMB echo request indicating a possible ETERNALBLUE exploit attempt.
EXP:ETERNALBLUE-ECHO2
SMB echo response indicating possible use of the ETERNALBLUE exploit. The ETERNALBLUE exploit was patched by Microsoft in MS17-010.
BD:WANNACRY-PMT
Detected the generation of a QR code containing a Bitcoin address. The BTCFrog service has been used by the WannaCry/WannaCrypt0r ransomware to provide payment instructions to infected users.