Incidents

WannaCry ransomware used in widespread attacks all over the world

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

Source: https://support.kaspersky.com/shadowbrokers

A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.

CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.

The tool was designed to address users of multiple countries, with translated messages in different languages.

Language list that the malware supports

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:

One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

One of the attacker wallets received 0.88 BTC during the last hours

Another Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC
1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

For command and control, the malware extracts and uses Tor service executable with all necessary dependencies to access the Tor network:

A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware is targeting contain certain clusters of formats including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple “user manuals” on different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

The example of a “user manual” in English:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

Just in case the user closed out the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instruction. An example of their “readme” dropped to disk as “@Please_Read_Me@.txt” to many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let’s start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named “@WanaDecryptor@.exe”. It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don’t worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware checks the mutexes “Global\MsWinZonesCacheCounterMutexA” and “Global\MsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine if a system is already infected. It also runs the command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This results in an UAC popup that user may notice.

UAC popup to disable Volume Shadow Service (System Restore)

The malware use TOR hidden services for command and control. The list of .onion domains inside is as following:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion

Mitigation and detection information

Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.

System Watcher blocking the WannaCry attacks

Mitigation recommendations:

  1. Make sure that all hosts are running and have enabled endpoint security solutions.
  2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.

Samples observed in attacks so far:

4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240

Kaspersky Lab detection names:

Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic

Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.

Appendix

Batch file

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs

echo om.TargetPath = “C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe”>> m.vbs

echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0

m.vbs

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"
om.Save

WannaCry ransomware used in widespread attacks all over the world

Your email address will not be published. Required fields are marked *

 

  1. c0den

    You may have an error throughout this entry. You call out SMBv2 however based on MS17-010 and what I have read about wannacry, it is SMBv1 that is being used for lateral movement.

    1. thesaint

      exactly i have the same worry kaspersky and symantec said its smb v2 and they refer to MS17-010 which only mention SMB v1 ??!!!!!!!!!!!!!!!!!!

    2. Gary Mclean

      I had same thoughts. Plus Microsoft have released a patch for xp and server 2003 which ONLY supports SMBv1

  2. Leonard

    Most infected computers are in Russia and it’s a sign that WannaCry is a planned cyber-attack against Russian organizations and institutions, including Ministry of Internal Affairs of Russia and Investigative Committee of Russia as it’s sai there https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/ . Russian hackers never attacked computers inside their country with ransomware in order to avoid further problems with police and FSB

  3. mullar

    Useful

  4. Fernando

    Hello guys,

    Kaspersky Security 10 for Windows Server (10.0.0.486) with Anti-Cryptor running will be block this attempt to encrypt?

    Best regards,

    Fernando.

    1. DK

      KSWS (Kaspersky Security for Windows Servers) will monitor file shares on the server it is installed on using the Anti-Cryptor component if it is enabled. Should it detect an encryption algorithm being performed on contents of a file share by another endpoint, it will sever the network connection to that endpoint for an hour.

  5. A Another

    You guys are doing great.

    I hope you manage do create a decryption device and take the opportunity to give it away free.

    Good luck guys

  6. Mn90

    Hi,
    Is it correct attack over SMBv2? The MS17-010 official description talks about SMBv1

    This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

    1. E K

      It’s correct.

      1. Richard Bartlett

        You’ll need to provide a bit more validation than an anonymous assertion! Given that no other source in the world (other than people quoting this page) are identifying an SMB v2 flaw this has to be considered a typo someone doesn’t want to back down from.

        1. E.K.

          “The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1 for the current attack and for the future.”
          https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/

          1. Robin Walker

            Windows XP does not support SMBv2: it supports only SMBv1. So, if Windows XP machines were infected by EternalBlue (which appears to be the case) there must be an infection route that employs SMBv1 alone, without the help of SMBv2.

  7. Brian N

    Phew, good thing I have Kaspersky installed 🙂

  8. Khaled Ahmad

    Thanks

  9. KenWhelp

    Surely the people at fault here are those that did not install the March Windows update?
    We are now nearly halfway through May.
    I can’t think of any excuse not to keep updated with security vulnerability patches!
    Keep up the good work, guys!

  10. Narcísio Jose Mula

    Thank you

  11. Arnaud

    Does KIS 2017 protects against Wanna Cry virus ?

    1. Mark

      Enable System Watcher tool if its not and Also INSTALL THE PATCH

    2. B.ChinasubbaRao

      yes, I am used Kaspersky internet security-2017 past 4 years. it is everthing ok. well protected my computer.

  12. Anil Murlidhar Jangam

    Please do create a decryption device as early as possible and take the opportunity to give it away free.

    Thanking You.

    1. DK

      To decrypt files changed by ransomware is not an easy task. It usually requires access to the encryption key. Whether someones shares this key, they find it during analysis, or just due to sloppy programming from the ransomwares author.
      Either way, if a key is found, Kaspersky Lab makes decryption tools and they are all free. You can find existing ones on the website nomoreransom.org

  13. SUN

    I am a Kaspersky user. Do I get protected even I didn’t update the Windows patch? I tried to update but it kept saying ‘searching for updates on this computer’ for more than half an hour.

    1. Mark

      Kaspersky will do what it can do… however this doesn’t guarantee that the attackers are not going to release another modification of the same. Install the Microsoft patch as advised to be safe.

    2. Mike

      You have to make sure that you get this update on your machine from Windows.

      Please don’t rely on Kaspersky, the virus could slip though in a second, or when you open up an attachment you shouldn’t.

  14. cookie munster

    NO antivirus alone can protect against all virus’s.

    Microsoft Patch (will be slow to download:)
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    Make sure you have offline backups and/or cloud
    have separate administrator account, use standard user day to day otherwise your whole system can be toast

  15. DK

    Regarding protection from this malware using Kaspersky Lab solutions. Yes, you are protected. On top of this, this malware normally gains access to a computer via the user opening an attachment in a spam email. If you don’t know the sender, don’t open the attachment. Even if you know the sender, if you aren’t expecting a file, don’t open it.
    The other way it can infect your machine is if you are unpatched and someone else using the same network opens the email. Say a family member for example.
    Keep persisting with Windows Updates, they can take a while, but should work eventually.
    If your windows updates were applied and you had up to date Kaspersky Lab software, you had nothing at all to worry about.

  16. Lovshak

    I’m a die-hard Win XP SP3 user (there’s a lot of us out there). Needless to say, Microsoft has long ago abandoned us and refuses to patch Win XP.

    I count on KIS 2017; I keep it up-to-date, and ‘Settings’ clearly shows “System Watcher” enabled.

    Am I “WannaCry” safe? Is there anything else I should do (short of replacing my PC and it’s vintage OS)?

    1. Xx

      MS did patch for XP

      1. Lovshak

        Xx, thanks for your reply, but I see no evidence to support your claim “MS did patch for XP”.

        If you examine the official patch (MS17-010) from Microsoft https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and it’s linked Microsoft Knowledge Base Article 4013389 https://support.microsoft.com/kb/4013389 , you will see the oldest supported OS for this patch is Windows Vista SP2.

        The Microsoft Support Lifecycle http://go.microsoft.com/fwlink/?LinkId=21742 when searched for my OS (Win XP SP3), shows the “Extended Support End Date” was 4/8/2014 — more than 3 years ago. Can you clarify your post, Xx?

    2. Sam

      I’m also a XP fan, but have not updated Kaspersky to the latest version for fear of it slowing down my machine, I think I have 2016 running still!!

  17. David Goebel

    EternalBlue is SMBv1 only.

    I’ve seen the code for both the bug and the fix.

  18. Guud

    I am a die harder guy with win95, not connected to internet. No AV whatsoever. I feel so safe…

  19. Patrick

    I am a Linux user, but have also a family Windows laptop with KIS up-to-date, sharing files with a NAS, am I “WannaCry” safe?
    thanks

  20. Vi Trieu Huynh

    THanks for the update! Really!

  21. pvirravi1116

    It’s true!! This Ransomware Attacks widespread all over the world. It’s provide here really good informative and helpful information!!

  22. William

    At https://en.wikipedia.org/wiki/File_talk:Wana_Decrypt0r_screenshot.png there is a discussion as to whether or not the screenshot is copyrightable. In the Wikipedia article it has been deliberately reduced in resolution because of “fair use rationale.”

    Since the content was created by a criminal, is it even copyrightable, and if so could the owner even attempt legal action without getting arrested and convicted right on the spot?

  23. Cnditions Apply

    Thnk you !

  24. taklamakan

    great

  25. Ciara Hiatt

    There is no single solution-but heaps of options like I stated in the start, there’s no hard and fast manual that claims to the purpose solutions to all your problems. Today in the event that you pose a particular problem to some panel of experts, you’re certain to find many distinct opinions and options in return. This will prove to be confusing.

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox