WannaCrypt

WannaCrypt (also known as WannaCry) started propagating on May 12, 2017 at 07:44 UTC, installing ransomware on computers affected by CVE-2017-0145, a vulnerability in version 1 of the Microsoft Server Message Block implementation (SMBv1). In the first 48 hours of the campaign, WannaCrypt affected nearly 100,000 machines; the majority (85%) were consumer systems in Taiwan, Russia and the United States. The threat mainly affected machines running older versions of Windows, such as Windows 7 and Windows Server 2008.

Machines infected with WannaCrypt can be rendered unusable. Microsoft recommends restoring these machines from backups rather than purchasing decryption keys from the attackers.

To remain protected, customers must apply the security updates described in Microsoft Security Bulletin MS17-010. Customers on Windows XP, Windows Server 2003 and Windows 8 can apply the out-of-band update described in KB4012598. Enabling Windows Defender Antivirus with cloud-delivered protection and automatic updates should prevent infection.

NOTE: The mitigation recommendation and status information provided with this entry covers vulnerabilities found in Windows only.

WannaCrypt was already active before the May 2017 campaign. In the early attacks, the ZINC activity group gained access to victim machines through unknown means, installed a backdoor, and used that backdoor to deploy WannaCrypt. At 07:44 UTC on May 12, 2017, however, a new version of WannaCrypt began propagating over local area networks and the Internet by exploiting a vulnerability (CVE-2017-0145) in version 1 of Microsoft's Server Message Block implementation (SMBv1).

After a successful exploit, the WannaCrypt worm component installs a copy of itself on the remote host at C:\WINDOWS\mssecsvc.exe. While this new instance continues to find and exploit further victims, it also drops the WannaCrypt ransomware component at C:\WINDOWS\tasksche.exe. To maintain persistence, the worm component sets autorun registry keys for both the worm and the ransomware component and registers both as services.

WannaCrypt's ransomware component enumerates drive letters, including mapped network shares and removable storage devices, and uses the native Windows utility icacls to grant itself access to every file on every drive it finds. It then searches for files whose extensions appear in a hard-coded list (such as .ppt, .docx and .jpg) and encrypts them. After that, the malware deletes volume shadow copies and backups with the native Windows tools vssadmin, WMIC, BCDEdit and WBAdmin, using the following command line:

cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Note that the bcdedit changes disable Windows Recovery and suppress boot-failure prompts, and wbadmin delete catalog removes the Windows Backup catalog, so local recovery options are gone even where the shadow copies survive.

The WannaCrypt ransomware also installs a set of "support" files, including copies of the ransom note in multiple languages, a bitmap image that replaces the desktop background with instructions for the user, and the Tor client, which allows anonymous communication between victim and attacker. Finally, it displays the ransom note.

At this point, it is quite difficult for users to recover their files without paying the ransom.

During the early stages of the infection, some variants of WannaCrypt tried to connect to remote sites:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
  • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com

These domains were not command-and-control servers but acted as kill switches: if WannaCrypt successfully reaches one of these domains after it has been registered, it stops infecting further machines. This behavior was discovered when a security researcher registered the first domain to track the spread of the malware; the later domains were likewise sinkholed.
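The behaviors described above (the kill-switch lookup, the two dropped binaries, the icacls grant and the shadow-copy/recovery sabotage chain) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the original page or from Microsoft, of detection logic run over constructed Sysmon-style log lines. The "Key=value" line format and the Host field are assumptions of this example; the Sysmon event IDs (1 for process creation, 22 for DNS query) are real. Severity for the recovery-sabotage rule depends on how many steps of the chain appear in one command line, since a single vssadmin deletion can be routine backup housekeeping while two or more chained steps are the ransomware pattern.

```python
import re
from dataclasses import dataclass

# Sysmon event IDs for process creation and DNS query (real Sysmon IDs);
# the "Host" field name belongs to the constructed log format below.
EID_PROCESS_CREATE = "1"
EID_DNS_QUERY = "22"

# Kill-switch domains listed above. A lookup of any of them from an endpoint
# means the worm component ran, whether or not it then exited.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Drop paths of the worm and ransomware components (compared case-insensitively).
DROPPED_BINARIES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# Each step of the recovery-sabotage chain is matched on its own, so a reordered
# or truncated chain is still caught.
RECOVERY_SABOTAGE = (
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_ignore_failures",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
)

# icacls granting Everyone full control recursively: the grant the ransomware
# runs to make every file on a drive writable before encrypting it.
ICACLS_GRANT_EVERYONE = re.compile(r"icacls\s+.*?/grant\s+everyone:f", re.I)

# Key=value or Key="quoted value" pairs of the constructed log format.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    evidence: str


def parse_event(line):
    """Parse one log line into a dict of field name -> value."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_PAIR.findall(line)}


def analyze_event(ev):
    """Apply the WannaCrypt rules to one parsed event and return its findings."""
    host = ev.get("Host", "?")
    eid = ev.get("EventID")
    findings = []
    if eid == EID_DNS_QUERY:
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in KILL_SWITCH_DOMAINS:
            findings.append(Finding(host, "killswitch_lookup", "high", name))
        return findings
    if eid != EID_PROCESS_CREATE:
        return findings
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if image in DROPPED_BINARIES:
        findings.append(Finding(host, "wannacrypt_binary", "high", image))
    hits = [name for name, rx in RECOVERY_SABOTAGE if rx.search(cmd)]
    if hits:
        # One shadow-copy deletion may be an admin task; two or more steps chained
        # in a single command line is the ransomware pattern.
        severity = "critical" if len(hits) >= 2 else "medium"
        findings.append(Finding(host, "recovery_sabotage", severity, ",".join(hits)))
    if ICACLS_GRANT_EVERYONE.search(cmd):
        findings.append(Finding(host, "icacls_grant_everyone", "medium", cmd))
    return findings


def analyze(lines):
    """Run every rule over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(analyze_event(parse_event(line)))
    return findings


# Constructed sample telemetry (not real logs): one infected host, one clean host,
# and one host where an administrator deleted a single shadow copy by hand.
SAMPLE_LOG = [
    r'EventID=22 Host=WS01 Image="C:\WINDOWS\mssecsvc.exe" QueryName=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    r'EventID=1 Host=WS01 Image="C:\WINDOWS\mssecsvc.exe" CommandLine="C:\WINDOWS\mssecsvc.exe -m security"',
    r'EventID=1 Host=WS01 Image="C:\WINDOWS\tasksche.exe" CommandLine="C:\WINDOWS\tasksche.exe /i"',
    r'EventID=1 Host=WS01 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    r'EventID=1 Host=WS01 Image="C:\Windows\System32\icacls.exe" CommandLine="icacls . /grant Everyone:F /T /C /Q"',
    r'EventID=1 Host=WS02 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows"',
    r'EventID=22 Host=WS02 Image="C:\Program Files\Internet Explorer\iexplore.exe" QueryName=www.microsoft.com',
    r'EventID=1 Host=WS03 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /for=C: /oldest"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host:5} {f.severity:9} {f.rule:22} {f.evidence}")
```

Running the script prints five findings for WS01 (one of them critical for the full five-step sabotage chain), nothing for WS02, and a single medium finding for WS03. The kill-switch rule is only useful for the variants that still carry a kill switch; the binary-path and sabotage rules also catch the later variants that do not.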

The spread of the outbreak was further contained when Microsoft released out-of-band patches for CVE-2017-0145 for Windows XP and Windows Server 2003, allowing users of these unsupported operating systems to protect themselves against WannaCrypt. However, later variants of WannaCrypt have no kill switch, and many users still have not applied the patches for CVE-2017-0145, so thousands of WannaCrypt encounters are still reported each month.

Impact
The WannaCrypt campaign was not aimed at any specific customer demographic; it scanned random addresses across the IPv4 space. Any computer that was running version 1 of the Microsoft Server Message Block implementation (SMBv1) and was exposed to the Internet could have been infected. In practice this population consisted primarily of older versions of Windows, in particular Windows 7 (82%) and Windows Server 2008 (18%).

Computers infected by WannaCrypt became launching pads for further attacks against external IP addresses and against vulnerable computers within the same organization. Once WannaCrypt had encrypted their files, infected computers were unusable, though still operational enough for victims to read the ransom note and pay. The exact impact varied from organization to organization, but in extreme cases it severely degraded critical processes: medical organizations could not admit new patients, and other companies were unable to process orders.

[Map: Distribution of WannaCrypt encounters]

Mitigations
Apply these mitigations to reduce the impact of this threat.

  • Use the hardware-based isolation provided by Windows Defender System Guard and the exploit protection features in Windows 10. These features provide strategic mitigation of EternalBlue's exploitation techniques.
  • To address the vulnerabilities exploited by EternalBlue, install the security updates provided with Microsoft Security Bulletin MS17-010, published March 14, 2017. The MS17-010 fixes are also available for unsupported versions of Windows (including Windows XP, Windows Server 2003 and Windows 8) as an out-of-band patch, KB4012598, released May 13, 2017.
  • Use Windows Defender Firewall, intrusion prevention devices and the network firewall to block SMB traffic (TCP port 445, and the NetBIOS ports 137-139) wherever possible, and disable SMBv1 on hosts that do not need it.
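The last two mitigations leave a question an engineer will want answered across a whole address range: which hosts still negotiate SMBv1 on port 445? The following is an added example, not code from the original page or from Microsoft, of a minimal SMB1 Negotiate Protocol probe written from the MS-CIFS wire format. It offers only the NT LM 0.12 dialect, so a server that still speaks SMBv1 answers with an SMB1 negotiate response, a server that has SMBv1 disabled either drops the connection or answers with an SMB2 header, and the result tells you whether the SMBv1 attack surface is present. The packet builder and response classifier are pure functions and are exercised offline against constructed replies; only probe_smb1 touches the network, and it should only be pointed at hosts you are authorized to scan.

```python
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = b"NT LM 0.12"   # the SMB1 dialect every Windows version since NT 4 speaks


def build_smb1_negotiate(pid=0x1234, mid=1):
    """Build a NetBIOS-framed SMB1 Negotiate Protocol request offering only NT LM 0.12."""
    header = b"".join([
        b"\xffSMB",                            # SMB1 protocol marker (SMB2 uses \xfeSMB)
        bytes([SMB_COM_NEGOTIATE]),            # Command
        b"\x00" * 4,                           # Status
        b"\x18",                               # Flags: canonical paths, case-insensitive
        struct.pack("<H", 0xC801),             # Flags2: Unicode, NT status, ext. security, long names
        b"\x00" * 2,                           # PIDHigh
        b"\x00" * 8,                           # SecurityFeatures
        b"\x00" * 2,                           # Reserved
        struct.pack("<HHHH", 0, pid, 0, mid),  # TID, PID, UID, MID
    ])                                         # 32 bytes in total
    dialects = b"\x02" + SMB1_DIALECT + b"\x00"                   # BufferFormat 0x02 + name + NUL
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount=0, ByteCount, dialects
    smb = header + body
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length.
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def classify_negotiate_response(data):
    """Classify the server's reply to an SMB1-only negotiate (data includes the NetBIOS header)."""
    if len(data) < 4:
        return "no-smb"
    smb = data[4:]
    if smb[:4] == b"\xfeSMB":
        return "smb2"              # server moved straight to SMB2: SMBv1 is not negotiated
    if smb[:4] != b"\xffSMB" or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return "no-smb"
    status = struct.unpack_from("<I", smb, 5)[0]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # first parameter word of the response
    if status != 0 or dialect_index == 0xFFFF:
        return "smb1-refused"      # the server speaks SMB1 but accepted none of our dialects
    return "smb1-enabled"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the negotiate, and return one of the classification strings."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(1024)
    except OSError as exc:         # refused, timed out, unreachable
        return f"unreachable ({exc.__class__.__name__})"
    if not data:
        return "closed"            # Windows with SMBv1 disabled simply drops the connection
    return classify_negotiate_response(data)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

A result of "smb1-enabled" means the host still negotiates SMBv1 and should be patched with MS17-010 and have SMBv1 disabled; "closed", "smb2" and "smb1-refused" mean the SMBv1 surface is not reachable on that port. Note what the probe does not tell you: a host that negotiates SMBv1 may already carry the MS17-010 fix, so this finds exposure, not the vulnerability itself, and hosts behind a firewall rule that blocks port 445 report as unreachable rather than as patched.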

More than a year after the WannaCrypt ransomware (aka "WannaCry") broke out and affected thousands of computers with the help of the EternalBlue exploit, we are still seeing all sorts of attack activity taking advantage of this exploit. In addition to actual WannaCrypt encounters, many sensors are reporting targeted attacks designed to deploy backdoors, as well as commodity attacks, most of which are now distributing coin miners.

Several machines running Windows Server 2016 are reporting activity possibly linked to a known attack that starts by exploiting CVE-2017-10271, a vulnerability in Oracle WebLogic Server. The attack then uses PowerShell scripts to download the coin miner before spreading its components laterally with EternalBlue. We found clear indicators of EternalBlue use that could be part of this attack. We are also seeing multiple connections from the same affected machines to IP addresses in China and Russia, and to Microsoft IP addresses, on SMB ports 445 and 139.

In short:

  • Attackers continue to use the EternalBlue exploit against the SMBv1 vulnerabilities fixed by MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148).
  • Commodity attacks using the EternalBlue exploit are dropping coin miners.
  • Other attacks appear to be targeted and designed to deploy backdoors.
  • Some attacks begin by exploiting CVE-2017-10271, a vulnerability in Oracle WebLogic Server; EternalBlue is then used to move laterally.

NOTE: The mitigation status and recommendation information provided with this entry covers vulnerabilities found in Windows only.

Mitigations

  • Use hardware-based isolation and the exploit protection features of Windows 10. These features provide strategic mitigation of EternalBlue's exploitation techniques.
  • To address the vulnerabilities exploited by EternalBlue, install the security updates provided with Microsoft Security Bulletin MS17-010, published March 14, 2017. The MS17-010 fixes are also available for unsupported versions of Windows (including Windows XP, Windows Server 2003 and Windows 8) as an out-of-band patch, KB4012598, shipped May 13, 2017.
  • Use Microsoft Defender Firewall, intrusion prevention devices and your network firewall to block SMB traffic wherever possible.

Felipe Perin


Information Security Specialist, Free Software enthusiast, speaker and consultant in archival collection preservation. Expertise in SIEM, Pentest, Hardening, Honeypot, WAF - Web Application Firewall, ISO 27001, SDL - Secure Development Lifecycle, e-GOV, e-PING (Interoperability Standard), e-MAG (Accessibility Standard), e-PWG (Administration, Coding, Web Writing and Usability), 5S, Archivematica, Atom2 - Access to Memory, OJS - Open Journal System, Virtualization, Vulnerability Scanning, Data Protection Officer, Asset Monitoring, Backup, Security Incident Response, Risk and Compliance Management, Free Software, Log Management, Offshore Surveyor and Eco-sustainable Projects (Green IT)