[David Strom's Web Informant] WannaCry ransomware analysis

David Strom david at strom.com
Mon May 15 15:53:23 EDT 2017

*Web Informant, May 15, 2017: WannaCry ransomware analysis*

*The WannaCry ransomware worm that plagued many people last week* is
notable for two reasons: first, it is a worm, meaning it self-propagates.
It also uses a special exploit that was first developed by the NSA and then
stolen by hackers. It first began on Friday and quickly spread to parts of
Europe and Asia, eventually infecting more than 200k computers across more
than 100 different countries. It moved quickly, and the weekend saw many IT
managers busy to try to protect their networks. One researcher called it a
“Frankenstein’s monster of vulnerabilities.”

*Most of the victims were using outdated Windows versions such as XP.*
This *map
shows real-time tracking of the infected systems
<https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all>*, where the
bulk of infections hit Russian sites, although Telefonia in Spain was also

*The hardest-hit were numerous hospitals and clinics run by the British
National Health Service*. Apparently, they had an opportunity to update
their systems two years ago but didn’t due to budgets. So far, the *best
analysis is on The Register*.

*WannaCry attack summary and timeline*

American sites weren’t infected due to an interesting series of events. A
young British security researcher who goes by the Twitter handle
MalwareTechBlog d*iscovered by accident a kill switch* that stopped its
operation. *His account of that fortunate happenstance can be foundhere
Basically, by reverse engineering its code, he found that the malware
checks for the existence of a specific domain name (which didn’t exist at
the time and which he quickly registered). Once that domain had an
operating “sinkhole” website, the malware attacks ended, at least until new
variations are created without the kill switch or that check for a
different site location. Sadly, the *researcher was outed by the British
No good deed goes unpunished.

*The story on payouts*

One curious story about WannaCry is the* small ransom payouts to date*.
About 100 people have been recorded paying any ransom, according to the
three Bitcoin accounts that were used by criminals. (Yes, Virginia, Bitcoin
may be anonymous but you can still track the deposits.) Other Bitcoim
addresses could be used, of course, but it is curious that for something so
virulent, so little has been paid to date.

*Microsoft reaction and mitigation*

*The malware leverages an exploit that had been previously patched in
mid-March by Microsoft *and assigned the *designation MS17-010
The company and took the unusual step to provide patches for all currently
supported Windows along with Windows XP, Windows 8 and Windows Server 2003

*Microsoft also recommends disabling SMBv1 and firewalling SMB ports 139
and 445* from the outside Internet. If you haven’t been doing these things,
you have a lot of other problems besides WannaCry.

Microsoft’s *president posted an op/ed blog piece
“this attack demonstrates the degree to which cybersecurity has become a
shared responsibility between tech companies and customers. *The fact that
so many computers remained vulnerable two months after the release of a
patch illustrates this aspect.* Users are fighting the problems of the
present with tools from the past.” Speaking of the past, they didn’t
mention how many people are still running ancient versions of Windows such
as XP, but at least should be commended for having patches for these older

Numerous security vendors have posted updates to their endpoint and network
protection tools that will catch WannaCry, or at least the last known
variant of it. And that is the issue: the hackers are good at morphing
malware into something new that can pass by the defensive blocks. One
interesting tool is this *Python script that will detect and remove
<https://github.com/countercept/doublepulsar-detection-script>*. That was
the original NSA hack that can creates a backdoor to your system. In the
meantime, as I said last week, hope is not a strategy.


Comments always welcome here <http://blog.strom.com/wp/?p=5910>.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.webinformant.tv/pipermail/webinformant_list.webinformant.tv/attachments/20170515/52b0377c/attachment-0002.html>

More information about the WebInformant mailing list