
Global WannaCry ransomware outbreak uses known NSA exploit

In Alerts & Outbreaks, Emsisoft Lab by Holger on May 12, 2017 | English


Following the emergence of the Jaff ransomware attack campaign earlier this week, another, even bigger outbreak is making headlines. The culprit? A new ransomware family called WannaCry or WCry.

Spotted earlier today, WCry caught the team's attention because it is being spread via the recently exposed NSA exploits released by the Shadow Brokers. WCry took many businesses and public institutions by surprise, including the telco giant Telefonica in Spain and the National Health Service in the United Kingdom, and has already infected tens of thousands of systems across the globe.

Security researcher MalwareTech created a map of overall infections and a real-time map of infections to visualise the number of WCry infections, which has already passed the 70,000 mark.

Meet WCry Ransomware

The WCry ransomware, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, was originally spotted in campaigns in early February 2017, with more campaigns following in March. But it wasn’t until now that a global attack had been registered.

It has been written in C++ and no attempts have been made to hide the majority of the code. Like most ransomware families, WCry renames files it encrypts, adding the .WNCRY extension.

When infecting a system, it presents a ransom screen asking the victim to pay $300 worth of bitcoin.

Unlike most ransomware campaigns, which usually target specific regions, WCry is targeting systems around the globe. So it comes as no surprise that the ransomware authors provide localised ransom messages for more than 20 languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

How do you get infected with WCry ransomware?

At the moment, WCry is primarily spreading via the leaked NSA exploits that the Shadow Brokers group released recently. More specifically, French researcher Kafeine was the first to suspect that WCry was being spread via the ETERNALBLUE exploit.

ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control of systems which:

have the SMBv1 protocol enabled,

are accessible from the internet, and

have not been patched with the MS17-010 fix released back in March 2017.

In addition, it appears that the malware authors are also taking advantage of DOUBLESPEAR, a backdoor that is usually installed via the ETERNALBLUE exploit and persists on the system. So if your system was compromised by ETERNALBLUE previously, chances are it is still vulnerable, even if the original SMBv1 vulnerability has since been patched.

The ransomware executable itself is best described as a dropper that carries all the ransomware components as a password-protected ZIP archive embedded in its file. When run, it unpacks its components into the directory it was executed from, using the hardcoded password [email protected]. Closer inspection of the ZIP archive reveals the following files:

b.wnry – Ransom desktop wallpaper

c.wnry – Configuration file containing C2 server addresses, BitCoin Wallet etc.

r.wnry – Ransom note

s.wnry – ZIP archive containing the TOR client

t.wnry – The encryption part of the ransomware encrypted using a WanaCry specific format; can be decrypted using the private key embedded inside the ransomware executable.

u.wnry – Decrypter executable

Taskdl.exe – Deletes all temporary files created during encryption (.WNCRYT)

Taskse.exe – Runs given program in all user sessions

msg\* – Language files (currently 28 different languages)

In addition, the ransomware creates a few more files during its execution:

00000000.eky – Encryption key for the t.wnry file, which stores the actual file encryption component used by the ransomware. It is encrypted with the public key that belongs to a private key embedded inside the ransomware.

00000000.pky – Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files

00000000.res – C2 communication results

A list of all changes made by the ransomware to an infected system can be found in the “Indicators of Compromise” section below.

WCry key generation and encryption

WCry ransomware uses a combination of RSA and AES-128-CBC to encrypt the victim’s data. To do so, it uses the Windows CryptoAPI for RSA, but a custom implementation for the AES encryption.

Interestingly, the encryption routine is stored in a separate component within the t.wnry file, and is itself encrypted using the same method used by the ransomware to encrypt user files. This was likely done to make the malware analysis more difficult. The module is loaded into memory using a custom loader and executed from there, without ever being written to the victim’s disk unencrypted.

When WCry arrives on a system, it first imports a hardcoded private RSA key that is used to decrypt the file encryption component stored within “t.wnry”. Once that is done, the ransomware generates a new RSA key pair. The private key is then submitted to the malware’s command and control server, and a copy of the generated public key is stored on the system.

The ransomware then searches all available drives and network shares for files with one of the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .db, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cs, .cpp, .pas, .asm, .js, .cmd, .bat, .ps1, .vbs, .vb, .pl, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .rb, .java, .jar, .class, .sh, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .ai, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .7z, .gz, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc, .c, .h

Once done, the malware generates a new 128-bit AES key for every file it found. That AES key is encrypted with the RSA public key generated earlier, and the RSA-encrypted AES key is stored in the header of the encrypted file together with the file marker “WANACRY!”. The AES key itself is then used to encrypt the file’s content.

Unfortunately, after evaluating the way WCry performs its encryption, there is no way to restore encrypted files without access to the private key generated by the ransomware. So it is unlikely that a free WCry decrypter will become available for victims.

How can I protect myself from WCry?

As explained in our ransomware article, the best protection remains a reliable and proven backup strategy, especially since the encryption used by WCry ransomware is secure. The only way to get the data back is through the help of the ransomware author or by restoring from backups. Making sure critical Windows updates are installed is also a very important step in protecting a system, as WCry currently seems to be spreading only via the SMBv1 exploit, which has been patched for two months already.

Apart from regular backups, you will be glad to hear that the Behavior Blocker technology used by Emsisoft Anti-Malware and Emsisoft Internet Security has proven to be the next best defence: it caught the ransomware before the file could execute, once again keeping our users protected from this and hundreds of other ransomware families without the need for signatures.

Emsisoft Anti-Malware and Emsisoft Internet Security users are protected from WCry by our Behavior Blocker

We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.


Indicators of Compromise

Registry:

HKLM\SOFTWARE\WanaCrypt0r

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: "\tasksche.exe"

HKLM\SOFTWARE\WanaCrypt0r\wd: "

HKU\S-1-5-21-677641349-3533616285-3951951702-1000\Control Panel\Desktop\Wallpaper: “%APPDATA%\Microsoft\Windows\Themes\TranscodedWallpaper.jpg”

HKU\S-1-5-21-677641349-3533616285-3951951702-1000\Control Panel\Desktop\Wallpaper: “\@WanaDecryptor@.bmp”

File system:

@Please_Read_Me@.txt – Placed inside every folder that contains encrypted files

@WanaDecryptor@.exe.lnk – Placed inside every folder that contains encrypted files

%DESKTOP%\@WanaDecryptor@.bmp

%DESKTOP%\@WanaDecryptor@.exe

%APPDATA%\tor\cached-certs

%APPDATA%\tor\cached-microdesc-consensus

%APPDATA%\tor\cached-microdescs.new

%APPDATA%\tor\lock

%APPDATA%\tor\state

\00000000.eky

\00000000.pky

\00000000.res

\@WanaDecryptor@.bmp

\@WanaDecryptor@.exe

\b.wnry

\c.wnry

\f.wnry

\msg\m_bulgarian.wnry

\msg\m_chinese (simplified).wnry

\msg\m_chinese (traditional).wnry

\msg\m_croatian.wnry

\msg\m_czech.wnry

\msg\m_danish.wnry

\msg\m_dutch.wnry

\msg\m_english.wnry

\msg\m_filipino.wnry

\msg\m_finnish.wnry

\msg\m_french.wnry

\msg\m_german.wnry

\msg\m_greek.wnry

\msg\m_indonesian.wnry

\msg\m_italian.wnry

\msg\m_japanese.wnry

\msg\m_korean.wnry

\msg\m_latvian.wnry

\msg\m_norwegian.wnry

\msg\m_polish.wnry

\msg\m_portuguese.wnry

\msg\m_romanian.wnry

\msg\m_russian.wnry

\msg\m_slovak.wnry

\msg\m_spanish.wnry

\msg\m_swedish.wnry

\msg\m_turkish.wnry

\msg\m_vietnamese.wnry

\r.wnry

\s.wnry

\t.wnry

\TaskData\Tor\libeay32.dll

\TaskData\Tor\libevent-2-0-5.dll

\TaskData\Tor\libevent_core-2-0-5.dll

\TaskData\Tor\libevent_extra-2-0-5.dll

\TaskData\Tor\libgcc_s_sjlj-1.dll

\TaskData\Tor\libssp-0.dll

\TaskData\Tor\ssleay32.dll

\TaskData\Tor\taskhsvc.exe

\TaskData\Tor\tor.exe

\TaskData\Tor\zlib1.dll

\taskdl.exe

\taskse.exe

\u.wnry

C:\@WanaDecryptor@.exe
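As an added example, not Emsisoft's code, a Python triage script that walks a directory tree for the artefacts listed in this section and in the encryption description above: the “WANACRY!” header marker, the .WNCRY extension, the ransom notes, and the dropper's component and key files. The 4-byte length field in front of the RSA-wrapped key is an assumed layout for the constructed sample, not the documented on-disk format.

```python
import struct
from pathlib import Path
from tempfile import mkdtemp

# Indicators taken from the article: the marker written into the header of
# every encrypted file, the extension appended to encrypted files, the notes
# dropped into every affected folder, and the component/key files the
# dropper leaves next to itself.
FILE_MARKER = b"WANACRY!"
ENCRYPTED_EXT = ".wncry"
RANSOM_NOTES = {"@please_read_me@.txt", "@wanadecryptor@.exe.lnk"}
DROPPER_FILES = {"00000000.eky", "00000000.pky", "00000000.res",
                 "b.wnry", "c.wnry", "r.wnry", "s.wnry", "t.wnry", "u.wnry",
                 "taskdl.exe", "taskse.exe"}


def parse_header(data):
    """Return the header fields of a WCry-encrypted file, or None if the
    marker is missing or the header is truncated. Only the marker and the
    RSA-wrapped AES key come from the article; the 4-byte little-endian
    length field in front of the wrapped key is an ASSUMED layout used for
    the constructed sample below, not the documented on-disk format."""
    if not data.startswith(FILE_MARKER):
        return None
    off = len(FILE_MARKER)
    if len(data) < off + 4:
        return None
    key_len = struct.unpack_from("<I", data, off)[0]
    off += 4
    wrapped_key = data[off:off + key_len]
    if len(wrapped_key) != key_len:
        return None
    return {
        "wrapped_key_len": key_len,
        "ciphertext_len": len(data) - off - key_len,
        # The per-file AES key is present only RSA-wrapped, so the header
        # gives a responder nothing that recovers the content on its own.
        "recoverable_without_private_key": False,
    }


def triage_tree(root):
    """Walk a directory tree and bucket WCry artefacts by category."""
    found = {"encrypted": [], "marker_only": [], "notes": [], "dropper": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in RANSOM_NOTES:
            found["notes"].append(str(path))
        elif name in DROPPER_FILES:
            found["dropper"].append(str(path))
        else:
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if parse_header(head) is not None:
                # Match on the marker, not the extension, so files that were
                # encrypted but never renamed are still reported.
                bucket = "encrypted" if name.endswith(ENCRYPTED_EXT) else "marker_only"
                found[bucket].append(str(path))
    return found


def build_sample_tree():
    """Construct a small, labelled sample tree (placeholders, not malware)."""
    root = Path(mkdtemp(prefix="wcry_triage_"))
    (root / "docs").mkdir()
    wrapped_key = b"\xaa" * 256            # stands in for the RSA-wrapped AES key
    body = b"\x00" * 64                    # stands in for AES-CBC ciphertext
    header = FILE_MARKER + struct.pack("<I", len(wrapped_key)) + wrapped_key
    (root / "docs" / "report.docx.WNCRY").write_bytes(header + body)
    (root / "docs" / "notes.txt").write_bytes(header + body)  # marker, not renamed
    (root / "docs" / "@Please_Read_Me@.txt").write_text("ransom note placeholder")
    (root / "docs" / "clean.txt").write_text("ordinary, untouched file")
    (root / "00000000.pky").write_bytes(b"public key placeholder")
    (root / "t.wnry").write_bytes(b"encrypted component placeholder")
    return root


if __name__ == "__main__":
    for category, files in triage_tree(build_sample_tree()).items():
        print(f"{category:12s} {files}")
```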


© 2003-2017 Emsisoft - 14/05/2017 - Legal Notice - Privacy Policy

What you need to know about the WannaCry Ransomware

WannaCry ransomware spreads aggressively across networks, holds files to ransom.

By: Symantec Security Response

Created 12 May 2017

What has happened?

On May 12, 2017, a new variant of the Ransom.CryptXXX family of ransomware (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organizations, particularly in Europe.

What is the WannaCry ransomware?

WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made within seven days, the encrypted files will be deleted.


Figure 1 Ransom demand screen displayed by WannaCry Trojan

It also drops a file named !Please Read Me!.txt which contains the ransom note.


Figure 2 Ransom demand note from WannaCry Trojan

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

It propagates to other computers by exploiting a known SMB remote code execution vulnerability (MS17-010) in Microsoft Windows computers.

Am I protected against this threat?

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are protected against WannaCry using a combination of technologies.

Antivirus

Ransom.Wannacry

Ransom.CryptXXX

Trojan.Gen.8!Cloud

Trojan.Gen.2

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

20170512.009

Network based protection

Symantec also has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

Attack: Shellcode Download Activity

The following IPS signature also blocks activity related to Ransom.Wannacry:

System Infected: Ransom.Ransom32 Activity

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

Who is impacted?

A number of organizations globally have been affected, the majority of which are in Europe.

Is this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.

Can I recover the encrypted files?

Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.

What are best practices for protecting against ransomware?

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.

Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.

Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.

Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Additional indicators and technical information about Ransom.Wannacry

When the Trojan is executed, it drops the following files:

[PATH_TO_TROJAN]\!WannaDecryptor!.exe

[PATH_TO_TROJAN]\c.wry

[PATH_TO_TROJAN]\f.wry

[PATH_TO_TROJAN]\m.wry

[PATH_TO_TROJAN]\r.wry

[PATH_TO_TROJAN]\t.wry

[PATH_TO_TROJAN]\u.wry

[PATH_TO_TROJAN]\TaskHost

[PATH_TO_TROJAN]\00000000.eky

[PATH_TO_TROJAN]\00000000.pky

[PATH_TO_TROJAN]\00000000.res

%Temp%\0.WCRYT

%Temp%\1.WCRYT

%Temp%\2.WCRYT

%Temp%\3.WCRYT

%Temp%\4.WCRYT

%Temp%\5.WCRYT

%Temp%\hibsys.WCRYT

Note: [PATH_TO_TROJAN] is the path where the Trojan was originally executed.

The Trojan then creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update Task Scheduler" = ""[PATH_TO_TROJAN]\[TROJAN_EXE_NAME]" /r"

HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_TROJAN]"

The Trojan also sets the following registry entry:

HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop\!WannaCryptor!.bmp"

The Trojan creates the following mutexes:

Global\WINDOWS_TASKOSHT_MUTEX0

Global\WINDOWS_TASKCST_MUTEX

The Trojan then terminates the following processes using taskkill /f /im:

sqlwriter.exe

sqlserver.exe

Microsoft.Exchange.*

MSExchange*

It then searches for and encrypts files with the extensions listed in the “What is the WannaCry ransomware?” section above.

Encrypted files will have .WCRY appended to the end of the file names.

The Trojan then deletes the shadow copies of the encrypted files.

The Trojan drops the following files in every folder where files are encrypted:

!WannaDecryptor!.exe.lnk

!Please Read Me!.txt

The contents of !Please Read Me!.txt are a text version of the ransom note, with details of how to pay the ransom.

The Trojan downloads Tor and uses it to connect to its server over the Tor network.

It then displays a ransom note explaining to the user what has happened and how to pay the ransom.

[Security] Massive ransomware attack across the world!

Today dawned with several reports that companies around the world are suffering serious ransomware attacks. The news is real and deserves the urgent attention of every security professional.

Initially the main reports spoke of Spanish companies having been attacked (see the alert from the Spanish CERT), but there are similar reports from Europe and Asia, including England, Italy, Portugal, Russia and China (which has been under attack since yesterday). Companies and government bodies in Brazil have also been attacked, and the list keeps growing.

The infection has reached at least 74 countries and continues to spread rapidly; the incident is already being called "the biggest ransomware infection in history".

There are reports of hundreds of companies that were infected or that, to avoid infection, chose to pre-emptively take down their networks and shut down their computers.

According to several reliable sources, the main attack is caused by the WannaCry ransomware (also Wcry or WannaCryptor), which exploits the MS17-010 vulnerability (announced in March of this year; it allows remote code execution on Microsoft Windows computers through Server Message Block 1.0, SMBv1) using the EternalBlue exploit. According to Forbes, "it appears that a leaked NSA tool, a Microsoft Windows exploit called EternalBlue, is being used to rapidly spread the ransomware variant called WannaCry around the world".

Once a machine is infected, it encrypts the files and demands a ransom of 300 dollars, to be paid in bitcoin within at most 7 days (the "kidnapping" price rises to US$ 600 after the first 72 hours). After infecting its victim, the ransomware uses the SMB protocol to infect other machines on the same local network and on the Internet (it generates random IP addresses in an attempt to spread across the Internet).

The big secret behind WannaCry's rapid proliferation, and the despair it has created, lies precisely in how fast it infects. Unlike most of the viruses we are used to these days, which spread through infected files shared via phishing messages, WannaCry spreads automatically across the network with no user intervention needed. The machine is infected without the victim having to open or run anything. It only has to be switched on (and vulnerable).

What is interesting is that it has been several years since we saw a large global infestation by this type of malicious code, which we call a "worm". In fact, we can say that there are a few generations of professionals in the security market who never lived through Code Red (2001), Nimda (2001), SQL Slammer (2003), Blaster (2003), let alone Conficker in 2008.

Here are some characteristics of this ransomware that I find very interesting:

It uses the TOR network to communicate with its control servers, which makes detecting and blocking that communication much harder;

It keeps encrypting files while it is active. If a new file is added to the infected machine, it will be encrypted too;

If someone tries to extract the ransomware executable for analysis, it self-destructs;

The ransomware supports 28 different languages, which shows its authors' goal of a global infection!

Its rapid infestation, since it is a "worm" capable of spreading automatically to other vulnerable machines through the local network and the Internet.

Looking at the bitcoin wallets (11...Ln, 1Q...iY, 13...94, 12...Mw) they are apparently using, few people have paid the ransom so far. At 15:40 there were only 30 payments. That is normal, since victims usually wait until the last moment to pay a ransom, hoping they will find out how to remove it, or because of how hard it is for an ordinary user to buy bitcoin.

From the detailed analysis by Kaspersky and SANS we can highlight some indicators of compromise (IOC) for the attack:

SHA256 hashes of the executables:


MD5 hashes of the executables, according to Kaspersky:


Command and control servers hidden on the TOR network:


File extension associated with the ransomware: .wncry

Warning file placed on the victim's computer: @Please_Read_Me@.txt

Some researchers found the password "[email protected]" inside the WannaCrypt code and quickly began speculating that it would be the password to decrypt the files. That is very unlikely given the very nature of modern ransomware: they encrypt files using strong cryptographic algorithms and keys. It uses the AES algorithm to encrypt the victim's files and encrypts that encryption key using RSA with a 2048-bit key. I also saw in some post, I don't remember which, that this password is used by the ransomware to download its payload: it downloads a ZIP file protected with that password.

Some recommendations:

First of all, keep your Windows computers updated to avoid being infected by the ransomware. The patch and guidance on remediating the vulnerability have been available since March of this year;

Use Linux servers and Apple desktops/notebooks (sorry, the troll spirit is stronger than me);

Block or disable SMB, which uses UDP ports 137 and 138 and TCP ports 139 and 445. This protocol, which is related to the MS17-010 vulnerability, should never travel over the Internet. It should be blocked at border firewalls and disabled wherever possible;

There is no point trying to block a fixed list of IPs associated with the control (C&C) servers, because the ransomware talks to its servers through the TOR network. That is why it is a good idea to block or monitor access from your internal machines to external IPs associated with the TOR network. Lists of those IPs can be downloaded from the Internet (there are many, hundreds or thousands). Incidentally, Kaspersky indicated on its blog what the addresses of those servers on the TOR network are;

Trend Micro, Kaspersky, Symantec and McAfee already have a vaccine for this ransomware;

One of the domains the malware uses to communicate has already been disabled and resolves to a harmless IP address: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
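As an added example, not the blog author's code, the border-firewall check implied by the SMB-blocking recommendation above and by the three exposure conditions in the Emsisoft article (SMBv1 enabled, reachable from the Internet, unpatched): a Python scan of constructed firewall log lines that flags allowed SMB/NetBIOS flows from outside the internal ranges and counts them per destination host. The key=value log layout and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import Counter

# Ports named in the recommendation above: NetBIOS over UDP 137/138 and
# SMB over TCP 139/445. None of them should be reachable from outside.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# What counts as "inside" for this check: the RFC 1918 ranges (ASSUMPTION:
# a real deployment would substitute its own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of border-firewall log lines in a simple key=value
# layout (not any vendor's real format). External sources use the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z action=allow proto=tcp src=203.0.113.45 dst=10.0.4.20 dport=445
2017-05-12T10:01:04Z action=allow proto=tcp src=10.0.4.17 dst=10.0.4.20 dport=445
2017-05-12T10:01:09Z action=deny proto=tcp src=203.0.113.46 dst=10.0.4.21 dport=139
2017-05-12T10:02:11Z action=allow proto=udp src=192.0.2.9 dst=10.0.4.20 dport=137
2017-05-12T10:02:15Z action=allow proto=tcp src=203.0.113.45 dst=10.0.4.30 dport=443
2017-05-12T10:03:20Z action=allow proto=tcp src=198.51.100.77 dst=10.0.4.22 dport=445
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_exposure(log_text):
    """Return the allowed SMB/NetBIOS flows whose source is outside the
    internal ranges: the condition under which an Internet-facing, unpatched
    SMBv1 host is reachable by the exploit the articles above describe."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"], rec["dport"]) not in SMB_PORTS:
            continue                      # not an SMB/NetBIOS port
        if rec["action"] != "allow":
            continue                      # blocked at the border: desired state
        if is_internal(rec["src"]):
            continue                      # internal-to-internal SMB is normal
        hits.append(rec)
    return hits


def exposed_hosts(hits):
    """Count flagged flows per internal destination, to prioritise patching
    (MS17-010) or disabling SMBv1 on the hosts that are actually reachable."""
    return Counter(h["dst"] for h in hits)


if __name__ == "__main__":
    flows = find_smb_exposure(SAMPLE_LOG)
    for h in flows:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]}/{h["proto"]} ALLOWED')
    print("hosts to patch first:", dict(exposed_hosts(flows)))
```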

There are several stories of companies shutting down their internal networks and computers pre-emptively to avoid being infected. To be honest, I don't think they are wrong, since that would prevent contamination. But the most important thing really is to update your Windows systems.

My suggestion in this case would be a scheduled emergency stop: first take down the user networks (wired and Wi-Fi) and patch the servers. Then bring the user networks back up in stages and force the machines to update as they come back online (easy to do if you manage them centrally).
