WannaCry Factsheet (continuously updated) and Patches for Legacy Windows

catsay · May 13, 2017, 11:11am

This was a "cyber attack" like driving through a minefield is a "suicide bomb."

MS has issued emergency patches for unsupported versions of Windows.

Mitigations for WannaCry

Apply patches for MS17-010 (ETERNALBLUE and DOUBLEPULSAR)
Create a named mutex “MsWinZonesCacheCounterMutexA” (ref:https://twitter.com/gN3mes1s/status/863149075159543808)
Filter all SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389)

Get your patch here if you need it.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

MS Security Bulletin Details

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Covers:

Windows Server 2003 -> 2008
Windows XP -> Windows 8
Windows POSReady and WES09

If you have been affected

As of right now there is no way to decrypt your data and the perpetrators are apparently not able to hand out encryption keys even if you pay the ransom due to them not being able to track 'users' as it were and are unable to link keys to specific infection instances.

You will have to restore from backups.

Updated Wiki Gist

You can keep up with the latest developments covering WanaCrypt0r on this wiki gist now.
It's being updated as more developments come in. It's currently still just a fraction of what we expect to see.

gist.github.com

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Wannacrypt0r-FACTSHEET.md

# WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm 

* **Virus Name**: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
* **Vector**: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
* **Ransom**: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
* **Backdooring**: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
* **Kill switch**: If the website `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied ([source](https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/)).

*update*: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates.

This file has been truncated. show original

Well written summary on WannaCrypt0r by Troy Hunt

Index of public servers affected by WCRY (as of yet ~11'200 results) some are just tips on how to google for affected servers

https://www.google.com/search?q=intitle%3A%E2%80%9CIndex+of%22+%22%2F+.WNCRY%E2%80%9D

Thinking_Emoji · May 13, 2017, 11:20am

I read Kaspersky are currently working on a decryption tool, nothing about when it will be ready though.

catsay · May 13, 2017, 11:22am

Nothing solid so far, I'm not in contact with the Kaspersky guys.

mihawk90 · May 13, 2017, 12:11pm

Good thing IT security is on the top of the list of every company everywhere I guess

catsay · May 13, 2017, 1:39pm

Updated with Troy Hunt article.

BookrV · May 13, 2017, 1:59pm

deleted because of rant that doesnt need to be here.

catsay · May 13, 2017, 2:45pm

"The Russian interior ministry says about 1,000 computers have been affected."

catsay · May 13, 2017, 4:39pm

Update:

Added google dork search for index of infected servers.
No reports yet of anyone receiving the decryption key and successfully decrypting their files following ransom payment.
- Strongly suspect the keys are simply thrown away. Only the master private key if recovered may be helpful in recovering the encrypted files.

FaunCB · May 13, 2017, 5:23pm

So everyone is losing their shit on this one now?
-sigh-

catsay · May 13, 2017, 6:01pm

Update:

Direct Links to Patches since windows update catalog was struggling with load.

Windows Server 2003 SP2 x64
Windows Server 2003 SP2 x86
Windows XP SP2 x64
Windows XP SP3 x86
Windows XP Embedded SP3 x86
Windows Vista
Windows Vista x64
Windows 8 x86
Windows 8 x64

catsay · May 13, 2017, 6:02pm

Loosing their shit in terms of 'going nuts' or data?
Because it's both.

But me personally, I'm just enjoying my saturday evening.
Might play some KSP later.

Th3Z0ne · May 13, 2017, 6:32pm

Ok - I am asking, before reading all the information floating around, but does this malware connect to SMB? Why on earh is a) smb on the internet and b) soooo much of it.

Even a stupid soho router would stop that right? - I mean my external logs are full with declined requests to

catsay · May 13, 2017, 6:39pm

SMB 1 yes

A lot of the spread is due to VPN connected shares and vulnerable servers that bridge networks.
Some of the initial attack also proceeded via standard malware delivery vectors (email,etc) but those details are less well researched.

Here's the diagram of the worm + malware so far.

jak_ub · May 13, 2017, 7:22pm

OK, I need to ask, curiosity malware in my brain instructs me to do so: what is exact status of the Windows 7?
I do not see patch for it on the list, and on some lists of affected Windows it is absent. Was it simply patched already?

catsay · May 13, 2017, 7:24pm

It was technically patched in March Already

Patches can be found here:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Windows 7 SP1

DrunkByDefault · May 13, 2017, 7:35pm

CRINGE WARNING

5:16 is where the cancer begins
9:46 JUST FUCKING INSTALL GENTOO YOU INANE WEASELS

always funny to see what the media thinks especially RT. (since they were blamed in the intelegence report).

catsay · May 13, 2017, 7:44pm

Jayzus. RT is incompetent.
Around 5:16 is where I couldn't hold in the laughter anymore
The Ransomware built by the NSA - FML

Ok the CNN video too, so much Cringe.

DrunkByDefault · May 13, 2017, 7:50pm

holy fuck those fucking stock photos cringe cringe cringe cringe 00010101PASSWORD010101101 cringe cringe cringe cringecringe cringe cringe cringe

00010101PASSWORD010101101

cringe

Th3Z0ne · May 13, 2017, 7:53pm

Why, oh why -.- that is so Blaster or was it Conficker? some of the old ones .. was likethy is that reachable from the internet too ^^