WannaCry Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage


NHS Ransomware Attack

This screenshot is just one example: the IT systems of around 40 National Health Service (NHS) hospitals across the UK were affected by this ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the infection. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood" for a cyberattack in which someone is physically harmed; this is what that looks like.

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack "the biggest ransomware outbreak in history."  This is a cyber pandemic caused by a ransomware weapon of mass destruction. In the Jan 3 issue of CyberheistNews, we predicted that 2017 would be the year where we'd see a ransomworm like this. Unfortunately, it's here.  

The First Thing To Do: Email Your Users

I suggest you send the following to your employees, friends, and family. Feel free to copy, paste, and/or edit:

You may have seen the news this weekend. Criminal hackers have released a new strain of ransomware that spreads itself automatically across all workstations in a network, causing a global epidemic. If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation, but immediately everyone else's computer too. 


Be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, do not click on it but delete the whole email. Remember: "When in doubt, throw it out!"


Optional if you use the free KnowBe4 Phish Alert Button: When you see a suspicious email, click on the Phish Alert Button, which forwards this email to the IT team and safely deletes it at the same time.

Banks, Trains and Automobiles

Hundreds of thousands of machines are infected worldwide, including systems at FedEx Corp, Renault, Nissan, the German railways, Russian banks, gas stations in China and the Spanish telecommunications firm Telefonica (which reported 85% of its systems down as a result of the cyberattack). In a case of poetic justice, Russia seems to have been hit the hardest so far. The source is Kaspersky's Securelist; note that these are early days and their visibility is likely limited.

WannaCry Ransomware Country Distribution

The strain is called "Wana Decrypt0r" which asks $300 from victims to decrypt their computers. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning when people get back to work, these numbers will only go up. Check out an early animated map created by the NYTimes.

Here is an infection map based on data from MalwareTech.com:

MalwareTech WannaCrypt Ransomware Infection Map

...and the Wall Street Journal also created an InfoGraphic explaining the spread of Wana which is nice to show to management when you ask for more IT security budget to train your users - which would prevent this whole mess.

WSJ WannaCry Ransomware Infographic

Bleepingcomputer said: "Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r's operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”

Despite the fact that this strain is hyper-aggressive, the criminals behind the code do not seem to be all that sophisticated: they are using only a limited number of static bitcoin wallets. It could even be that they are relative newbies at ransomware, and that the NSA worm code has run amok, scaring the daylights out of them, afraid of being caught.

The Ransom Deadline Is Short

The ransom starts at $300 for the first 6 hours, and you've got up to 3 days to pay before it doubles to $600. If you don't pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files.

The ransomware's name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it "Wana Decrypt0r," this is the name we'll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March."

Kaspersky Lab also reports that the Wana strain has numerous languages available and was designed to affect multiple countries. 

Wana Decrypt0r 2.0 Ransom Note

Sky News Technology Correspondent Tom Cheshire described the attack as "unprecedented". The ransomware uses the NSA's ETERNALBLUE exploit (with the DOUBLEPULSAR kernel implant as its payload), which Microsoft patched in March as MS17-010 and which a group calling itself the ShadowBrokers then made public in April. So the bug is not a 0-day any more: the patch has been available for two months, but many have not applied it yet.
Former U.S. intelligence contractor turned whistleblower Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. It is not clear yet how the ShadowBrokers first got their hands on the NSA tools; conspiracy theories range from a contractor leak to a Russian counter-intelligence operation hinting that American intelligence should back off.

The group ShadowBrokers first appeared in August, claiming it had stolen tools from the Equation Group, a legendary espionage operation rumored to be affiliated with the NSA. The Brokers announced they had the tools and offered to auction them off, which did not go very far. In January, the group gave up, only to resurface in April dumping EternalBlue and other Windows hacking tools in the public domain, where criminal hackers were grateful recipients.

The Initial Infection Vector Is A Well-crafted Phishing Email - [not so fast, update further below]

According to CrowdStrike's vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through phishing, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a password-protected .zip file, so the email uses social engineering to persuade the victim to unlock the attachment with a password; once the contents are opened, that initiates the WannaCry infection. Microsoft's Malware Protection Center post lists this as one of two likely scenarios (the other being direct exploitation of SMB), without confirming either.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. "This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire," CrowdStrike's Meyers told Forbes. "It's going through financials, energy companies, healthcare. It's widespread."

“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.” Here is a technical deep dive into the Wana malware.

If You Can, Apply This Patch Immediately.

After the initial infection, the malware spreads like a worm via SMB, the Server Message Block protocol that Windows machines use to share files over a network (the vulnerable code is in the SMBv1 server, reached over TCP port 445). According to Cisco's TALOS team:

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.

From what we have been able to learn, Wana spreads through SMB, so when we're talking about machines behind firewalls being impacted, it implies that TCP ports 139 and 445 are reachable and that at-risk hosts are listening for inbound connections. It would only take one machine behind the firewall to become infected to put all other workstations and servers at risk, because this is a true worm.

In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the "MS17-010" security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails.  https://technet.microsoft.com/en-us/library/security/ms17-010.aspx 

Note, the patch is included in the Monthly Quality rollups. I spent a panicky 10 minutes when I saw the article looking for Security update 4013389 on my PC and then on our WSUS server, only to discover that it is included in 4015549 - 4015551.

Redmond Issues Emergency Patch For WinXP

Microsoft has also released out-of-band patches for older versions of Windows to protect against Wana, because the original patch did not include XP/Win8.  "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind," the company told customers in a blog post.

Besides installing these out-of-band updates — available for download from here — Microsoft also advises companies and users to outright disable the SMBv1 protocol, as it is an old and outdated protocol, already superseded by newer versions such as SMBv2 and SMBv3. You can use Group Policy for clients and servers. Here is a script to check the complete Active Directory for systems that are missing the WannaCry-related hotfixes.

Here is how to remove SMBv1 on Windows 10:

Turn Off SMB

And here is how to turn if off on Windows Servers. Start with those... 

SMBV1 Win Server

Another option: Use DSC to enforce the SMBv1 removal. If you don’t have DSC in place, you can use DSC local on your servers as well. You can now download security updates for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.
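The script below is an added example (it is not the script linked above, nor Microsoft tooling) that does the two checks this section calls for in one pass: for every enabled Windows computer object in the domain it reports whether any MS17-010 update is installed and whether the SMBv1 server is still enabled, and it can switch SMBv1 off as it goes. It assumes the ActiveDirectory RSAT module on the admin host, WinRM reachable on the targets, an account with local admin rights, and a KB list that I have drawn from the MS17-010 bulletin linked above plus the April rollups mentioned above; that list is an assumption to confirm against the bulletin for your own OS mix.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Inventory MS17-010 / SMBv1 exposure across AD-joined hosts.
# ASSUMPTION: KB numbers taken from MS17-010 for the OS versions noted; later monthly rollups supersede
# them and also carry the fix, so extend this list as new rollups ship.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012598',                            # XP / Server 2003 / Windows 8 (out-of-band, May 2017)
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607 (March cumulative)
    'KB4015549', 'KB4015551'                # April 2017 monthly rollups mentioned above
)

# Runs on each target and returns one object per host. Written for PowerShell 2.0 compatibility
# (Windows 7 default), hence Get-WmiObject and New-Object instead of newer syntax.
$Probe = {
    param([string[]]$Kbs, [bool]$DisableSmb1)

    $os    = (Get-WmiObject Win32_OperatingSystem).Caption
    $found = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # Vista/7/2008 expose only the LanmanServer\Parameters\SMB1 value (missing value == enabled).
    # XP and 2003 speak nothing but SMBv1: there is nothing to switch off, only KB4012598 or isolation.
    $regPath       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $haveSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
    if ($haveSmbCmdlets) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $val  = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $val) { $true } else { [bool]$val.SMB1 }
    }

    if ($DisableSmb1 -and $smb1) {
        if ($haveSmbCmdlets) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force   # takes effect after reboot
        }
        $smb1 = $false
    }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OS         = $os
        Ms17010Kbs = ($found -join ',')
        Smb1Server = $smb1
    }
}

# Enabled Windows computer accounts. Stale objects simply fail to connect and are listed separately.
$targets = Get-ADComputer -Filter { OperatingSystem -like '*Windows*' -and Enabled -eq $true } |
           Select-Object -ExpandProperty DNSHostName

# Set the second argument to $true to disable SMBv1 on every host that still has it on.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $Probe `
               -ArgumentList $Ms17010Kbs, $false -ThrottleLimit 32 `
               -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results | Sort-Object Computer |
    Format-Table Computer, OS, Smb1Server, Ms17010Kbs -AutoSize

# The worrying set: no MS17-010 KB visible and/or SMBv1 still listening.
$results | Where-Object { -not $_.Ms17010Kbs -or $_.Smb1Server } |
    Export-Csv -Path .\wannacry-exposure.csv -NoTypeInformation

# Hosts that did not answer WinRM need a manual look; an unreachable host is not a patched host.
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path .\unreachable-hosts.txt
```

Two caveats before trusting the CSV. Get-HotFix only reports what Windows Update recorded in Win32_QuickFixEngineering, so on Windows 10 a host that took a later cumulative update may show none of the listed KBs while being fixed; if the list above is stale for your environment, the decisive check is from the network side with a scanner that speaks the SMBv1 negotiation (for example nmap's smb-vuln-ms17-010 script) rather than from the host's update history. And disabling the SMBv1 server as done here stops the host from being exploited, but the client side should go too: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on Windows 8.1/10 and Remove-WindowsFeature FS-SMB1 on Server 2012 R2 and later, ideally via the Group Policy route the post mentions rather than a one-off script.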

A Honeypot Server Got Infected With WanaCry 6 Times In 90 Minutes

According to an experiment carried out by a French security researcher who goes online by the name Benkow, WannaCry infected the honeypot a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which is what spreads it to new victims. Noteworthy: three minutes is about the same amount of time it takes IoT malware to infect an unpatched home router left connected to the Internet.

Like the original, the second variant is automatically executed by the “Microsoft Security Center (2.0) Service” and tries to spread by creating SMB connections to random IP addresses, both internal and external.

How To Detect The Presence Of Wana And SMBv1 Servers On Your Network

One of the easiest ways to monitor what is happening on your network is to setup a SPAN\Mirror port or use a network TAP. This will give you access to flows and packet payloads so you can see who is connecting to what and if there is anything suspicious moving around. Check out this blog post if you use Cisco switches, it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches there is an excellent resource on the Wireshark wiki site which looks at how to setup monitoring on other switches. 

There is one caveat though: this infection moves out like lightning from patient zero, and vulnerable machines on the same network are locked within a couple of minutes, so monitoring alone would not be enough to stop this monster. Here is a video showing a machine on the left infected with the MS17-010 worm, spreading WCry ransomware to the machine on the right in real time.

There Are Four Things To Watch Out For When It Comes To Detecting Wana

  1. Check for SMBv1 use
  2. Check for an increase in the rate of file renames on your network
  3. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  4. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt
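Here is an added example, not from the original post, that turns the four indicators above into something you can run on a file server: a scan of the shares for the ransom note and the encrypted-file extensions, a list of clients currently talking SMBv1 to this server, and a watcher that raises the alarm on a burst of file renames (each file WannaCry encrypts shows up as a rename, so the rename rate spikes before any ransom note lands). The share paths and thresholds are placeholders of mine; the SMB session check needs the SmbShare cmdlets (Windows 8 / Server 2012 or later) and admin rights on the server.

```powershell
# Added example, not from the original post: three detective checks for the indicators listed above.
$Shares     = @('\\fs01\finance', '\\fs01\users')   # ASSUMPTION: replace with your own share list
$NoteName   = '@Please_Read_Me@.txt'
$Extensions = @('.wnry', '.wcry', '.wncry', '.wncryt')

# Checks 3 and 4: ransom notes and encrypted-file extensions on the shares.
function Find-WanaArtifacts {
    param([string[]]$Paths = $Shares)
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $NoteName -or $Extensions -contains $_.Extension.ToLower() } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Check 1: who is talking SMBv1 to this server right now. A dialect of 1.x means the client negotiated
# SMBv1, the only version MS17-010 applies to; anything here is either ancient or worth a look.
function Get-Smb1Sessions {
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

# Check 2: a burst of renames. Counts Renamed events in a sliding window and trips once the count in the
# window crosses the threshold. Run it against the local path behind the share, not the UNC path.
function Watch-RenameBurst {
    param(
        [string]$Path,
        [int]$Threshold     = 50,    # this many renames ...
        [int]$WindowSeconds = 10,    # ... within this many seconds trips the alarm
        [int]$RunSeconds    = 300    # how long to keep watching before giving up
    )
    $fsw = New-Object System.IO.FileSystemWatcher -ArgumentList $Path
    $fsw.IncludeSubdirectories = $true
    $fsw.EnableRaisingEvents   = $true
    $null = Register-ObjectEvent -InputObject $fsw -EventName Renamed -SourceIdentifier WanaRename

    $stamps   = New-Object 'System.Collections.Generic.Queue[datetime]'
    $deadline = (Get-Date).AddSeconds($RunSeconds)
    $tripped  = $false
    try {
        while ((Get-Date) -lt $deadline -and -not $tripped) {
            # Drain everything queued since the last pass (Get-Event errors when the queue is empty).
            foreach ($ev in @(Get-Event -SourceIdentifier WanaRename -ErrorAction SilentlyContinue)) {
                $stamps.Enqueue($ev.TimeGenerated)
                Remove-Event -EventIdentifier $ev.EventIdentifier
            }
            # Drop timestamps that fell out of the window, then test the window population.
            $cutoff = (Get-Date).AddSeconds(-$WindowSeconds)
            while ($stamps.Count -gt 0 -and $stamps.Peek() -lt $cutoff) { $null = $stamps.Dequeue() }
            if ($stamps.Count -ge $Threshold) {
                Write-Warning ("{0} renames under {1} within {2}s: possible encryption in progress" -f
                               $stamps.Count, $Path, $WindowSeconds)
                $tripped = $true
            }
            Start-Sleep -Milliseconds 250
        }
    } finally {
        Unregister-Event -SourceIdentifier WanaRename
        $fsw.Dispose()
    }
    return $tripped
}

Find-WanaArtifacts | Format-Table -AutoSize
Get-Smb1Sessions   | Format-Table -AutoSize
if (Watch-RenameBurst -Path 'D:\Shares\finance') {     # ASSUMPTION: local path behind \\fs01\finance
    # Get-SmbOpenFile shows which client holds the files being rewritten; that is the host to unplug.
    Get-SmbOpenFile | Where-Object { $_.Path -like 'D:\Shares\finance\*' } |
        Select-Object ClientComputerName, ClientUserName, Path | Format-Table -AutoSize
}
```

The rename watcher tells you that encryption is happening, not who is doing it; that is why the last lines pull the open-file handles, which carry the client's name. On Windows Server 2016 you can also make the first check permanent with Set-SmbServerConfiguration -AuditSmb1Access $true, which logs every SMBv1 connection as event 3000 in the Microsoft-Windows-SMBServer/Audit log; older servers do not have that switch, so there the session snapshot above is what you have.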

If Your Network Has Been Infected, What To Do?

This ransomware strain cannot currently be decrypted with free tools. Research shows each file is encrypted with its own AES-128 key, and those per-file keys are wrapped with a 2048-bit RSA key pair generated on the victim machine, whose private half is in turn encrypted with the attackers' RSA public key. Without that private key, decryption is next to impossible, unless the coders have made a mistake that has not been found yet.

Your best bet is to recover from backups, and if your backup failed or does not exist, try a program like Shadow Explorer to see whether the ransomware failed to delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt, there is a chance those are still available to start the recovery. Here is how to recover files and folders using Shadow Volume Copies. As a last resort, if all backups have failed, you could decide to pay and get the files decrypted. It appears to work.

UAC Prompt

What Can Be Done To Stop These Bad Guys?

It's possible but difficult. Some bitcoin has reportedly been paid into hackers' accounts and investigators can track the money and see where the bitcoin ends up. “Despite what people tend to think, it's highly traceable,” Clifford Neuman, who directs the University of Southern California's Center for Computer Systems Security, told the Washington Post.

However, hackers are still able to hide and launder the bitcoins in many different ways. Investigators will also examine the code itself as hackers often leave identifiable traces of their work. You can watch as some of these wallets are receiving money in real time. There is an international manhunt underway. 

Here Are 8 Things To Do About It (apart from having weapons-grade backups)

  1. Check your firewall configuration and make sure no SMB traffic (TCP/445) is allowed out to the Internet, disable SMBv1 on all machines immediately and, if possible, block TCP/445 inbound on all Internet-facing Windows systems
  2. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
  3. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly
  4. Make sure your endpoints are patched religiously, OS and 3rd Party Apps
  5. Make sure your endpoints and web-gateway have next-gen, frequently updated  (a few hours or shorter) security layers
  6. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
  7. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
  8. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.
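To make step 1 concrete on the host itself, here is an added example (mine, not from the original post) using the Windows Firewall NetSecurity cmdlets available on Windows 8 / Server 2012 and later: one rule every host gets, one profile for workstations and one for file servers. Rule names and the LAN address ranges are placeholders; push the result through Group Policy rather than running it by hand on each machine.

```powershell
# Added example, not from the original post: host-firewall rules for step 1. Run elevated.
$LanRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # ASSUMPTION: your internal address space
$SmbPorts  = @('139', '445')

function Block-OutboundSmbToInternet {
    # Every host, every profile: no SMB sessions toward addresses Windows classifies as Internet. An
    # infected host then cannot scan the outside world over 445. In Windows Firewall a Block rule always
    # beats an Allow rule, so no ordering is needed.
    # ASSUMPTION: the 'Internet' keyword is resolved by Network Location Awareness; verify on one host,
    # and for roaming laptops add a second rule with -Profile Public -RemoteAddress Any.
    New-NetFirewallRule -DisplayName 'WannaCry: block outbound SMB to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort $SmbPorts -RemoteAddress Internet -Action Block -Profile Any
}

function Protect-Workstation {
    # Workstations have no business serving SMB: refuse inbound 139/445 on every profile, so a worm on a
    # neighbouring machine (or on the coffee-shop Wi-Fi) has nothing to exploit.
    Block-OutboundSmbToInternet
    New-NetFirewallRule -DisplayName 'WannaCry: block inbound SMB (workstation)' -Direction Inbound `
        -Protocol TCP -LocalPort $SmbPorts -Action Block -Profile Any
}

function Protect-FileServer {
    # File servers must still answer, but only from the LAN. The stock "File and Printer Sharing" group is
    # often scoped to Any; disable it (this also removes its ICMP echo rules, so re-add ping if you need it)
    # and replace the SMB part with an Allow rule scoped to the internal ranges on the Domain profile.
    param([string[]]$AllowedFrom = $LanRanges)
    Block-OutboundSmbToInternet
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'WannaCry: allow inbound SMB from LAN only' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedFrom -Action Allow -Profile Domain
}

function Show-WannaCryRules {
    # Resolve each rule's port and address filters so the review shows what is actually enforced.
    Get-NetFirewallRule -DisplayName 'WannaCry:*' | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            LocalPort  = ($pf.LocalPort  -join ',')
            RemotePort = ($pf.RemotePort -join ',')
            Remote     = ($af.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
}

# Pick one per role, then review:
Protect-Workstation
# Protect-FileServer -AllowedFrom $LanRanges
Show-WannaCryRules
```

Note what this does and does not give you. Blocking inbound 445 on workstations removes the worm's path between peers regardless of patch state, which is the part that matters when an unpatched machine is turned back on. It does not protect a file server from an infected, allowed client on the LAN; only MS17-010 and the SMBv1 removal do that. And Windows Firewall has no "block except from" construct, so if a management subnet needs the admin shares on workstations, you have to carve that out by enumerating the blocked ranges instead of using Any.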

UPDATE [Saturday May 13, 2017, 3:57 PM EST]: It looks like the spread of the Wana Decrypt0r ransomware has been temporarily halted after security researcher MalwareTech registered a domain hardcoded in the ransomware's code. The worm queries that domain before doing anything else and exits if it answers, so the unregistered domain was functioning as a kill switch. Cisco Talos has confirmed the information.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” MalwareTech tweeted late on Friday. “So I can only add ‘accidentally stopped an international cyber attack’ to my résumé.” Note that this kill-switch would not prevent any unpatched PC from getting infected in the following scenarios:

  • If the user gets WannaCry via an email and opens the zip file (instead of being infected automatically via SMB).
  • If by chance your ISP, antivirus or firewall blocks access to the sinkhole domain.
  • If the targeted system requires a proxy to access the Internet (a common practice in corporate networks): the kill-switch check is a direct connection that ignores the system proxy settings, so it fails and the worm proceeds.
  • If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

However, this is just a temporary deterrent. For the bad guys, it's just one line of code to fix this and the infection process starts again. You can hope that your endpoint protection blocks it, but do not count on that. The way to prevent this infection is the 8 steps above, and of course it helps to have your users trained within an inch of their lives to spot phishing red flags.

UPDATE [Sunday May 14, 2017, 2:25 PM EST]

WannaCry 2.0, Round Two: WannaCry is back. As expected, that was only a temporary fix. Over Friday and Saturday, samples of the malware emerged without the kill switch, meaning that attackers have resumed their campaign even though the security researcher MalwareTech accidentally cut off the original wave.

"I can confirm we've had versions without the kill switch domain connect since yesterday," said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab. However, there is some controversy over whether the new version uses the NSA worm code or not. I say better safe than sorry, because there will be copycats.

UPDATE [Monday May 15, 6:54 AM EST]

This attack has hit the press internationally. China states more than a million machines were affected. Pundits are now pointing at Microsoft's code, and Microsoft in turn points at the NSA for letting this out of the bottle. Of course Snowden blames the NSA as well. And then there is victim blaming, because auto-updates were turned off that would have fixed this two months ago. Enough blame to go around for everyone. Ultimately this is a shared responsibility, but IT people are carrying the heavy load here and often do not get enough budget to get the job done right.

Predictions are the infection is going to get worse, because now machines will be turned on that aren't patched, like MRI machines in hospitals and other medical devices that still run XP and have not been patched. 

UPDATE [Tuesday May 16, 5:49 AM EST]  Was It The Norks?

A North Korean hacking group is suspected to be behind WannaCry. Symantec and Kaspersky Lab are investigating technical evidence that possibly suggests the North's involvement, according to Reuters. The companies claim to have found code in an earlier version of the WCry ransomware that had also been used in programs deployed by the Lazarus Group, which is reportedly run by the Hermit Kingdom.

As tweeted by Google's Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is an SSL implementation which uses a specific sequence of 75 ciphers that to date has only been seen in Lazarus tools (including Contopee and Brambul) and WannaCry variants. Also, the SANS Internet Storm Center came out with a good analysis and mitigation suggestions.

UPDATE [Tuesday May 16, 5:30 PM EST]  Port 445

Despite earlier reports from several sources, it looks as though phishing is not the primary infection vector. Cybersecurity experts currently have two main hypotheses, both of which involve port 445, which normally isn't supposed to be listening on the Internet.

Rob Holmes, a vice president of products at Proofpoint, a Silicon Valley company with virus sensors at major corporations and telecom companies, said 95% of ransomware attacks use the relatively unsophisticated technique of phishing. In a report published Monday, a European Union cybersecurity agency said early indications pointed to emails containing WannaCry-infected Microsoft Office documents as the attacker’s weapon. But it quickly amended the report, saying phishing probably wasn’t involved. 

An employee could have taken a business laptop to a coffee shop or hotel and logged onto the insecure Wi-Fi without using a VPN, and a hacker could have slipped WannaCry onto the device. When the employee brought the laptop back to the office and connected it to the network, WannaCry would get inside the network, spreading itself via port 445.

UPDATE [Thu May 18, 6:54 AM EST]  It's a ransomware worm that did not arrive on a phishing hook.

Sophos used that headline to say that despite early reports, they determined that this probably didn’t start the way a typical ransomware attack does, as a phishing email carrying a malicious attachment. More important, it also appears the first infections were in south-east Asia which points to North Korea as a possible culprit. 

Researchers assumed early on that the outbreak began with an email link or attachment, but SophosLabs VP Simon Reed said this looks like a worm from start to finish:

There were no outlook.exe files anywhere, nothing but a compromised Windows SMB driver as the starting point. So far, we haven’t found anything but evidence of a network worm.

In other words, this outbreak was a throwback to those of the early 2000s. Only this time, instead of mere noise and network downtime, a much more damaging payload of ransomware ground many organizations to a halt.

UPDATE [Fri May 19, 6:54 AM EST] North Korea + NSA exploits = infected hospitals?

As expected, the WannaCry ransomware attack that took out parts of the United Kingdom's healthcare service also hit at least two Bayer medical devices in the U.S., Forbes reports. An image received by the business magazine shows the now-familiar WannaCry ransom message obscuring the display of a Bayer radiology system.

The worst of the pandemic is over, and the consensus is that the ransomware has been a considerable nuisance, but not a catastrophe. Meanwhile, back at the ranch, another piece of malware is using the same NSA exploits for an even bigger Monero mining operation.

UPDATE: Roundup After One Week:

The Register has a good write-up, so I will not repeat what they said, and just give you the link. And get ready for the next one: UIWIX, the fileless ransomware that leverages the NSA EternalBlue exploit to spread. Meanwhile, WannaCry's criminal creators (who else?) are trying to bring it back from the dead by building a botnet to DDoS the kill-switch domain.

How vulnerable is your network against ransomware infections? 

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks? 

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 ransomware infection scenarios and show you if a workstation is vulnerable to infection. 

Here's how RanSim works:

  • 100% harmless simulation of a real ransomware infection
  • Does not use any of your own files
  • Tests 10 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!


Download RanSim Here: 


NOTE: Created for Windows-based workstations running Windows 7+. RanSim does not alter any existing files on disk.  As part of the simulation RanSim does enumerate all files on the local disk(s). For the purposes of encryption, simulated data files are downloaded from the Internet.

