NC4-ALR-2017-000008 : WannaCry Ransomware - Updates
Introduction

The National Cyber Coordination and Command Centre (NC4) is closely monitoring for any sign of infection and propagation of the WannaCry ransomware in Malaysia, and encourages the public and organisations to lodge a report should they be infected by this malware.

This is an update to our advisory NC4-ALR-2017-000007, published on 13 May 2017.

Impact

Encrypts the user's files and demands a ransom of USD300 to USD600 worth of Bitcoin to decrypt them.

Brief Description

WannaCry ransomware propagates using an SMB vulnerability, and we consider every organisation running Windows machines that have not received the MS17-010 update to be vulnerable. The fix, Microsoft Security Bulletin MS17-010, was released in March 2017 and addresses the SMB exploits that the Shadow Brokers group published the following month. MS17-010 covers six separate vulnerabilities in Windows SMBv1 (CVE-2017-0143 to CVE-2017-0148: five remote code execution and one information disclosure). The specific exploit believed to be associated with this activity is codenamed "EternalBlue" and targets SMBv1.

WannaCry may initially be distributed by several methods, including malicious links in spam messages. At this point in time the initial entry vector is still unclear.

Once on a host, the malware scans aggressively for TCP port 445 (Server Message Block, SMB) on the local network and the internet, spreading like a worm: it compromises reachable unpatched hosts, encrypts the files stored on them and then demands a ransom payment in Bitcoin.

The following domains are used by the malware as a kill-switch and should NOT be blocked: on start-up the malware attempts an HTTP request to the domain and exits if the request succeeds, so keeping these domains reachable stops the payload. Note that the check does not use the system proxy settings, so hosts that can only reach the internet through a web proxy fail the check and are encrypted regardless; the kill-switch also does nothing to remove the underlying SMB vulnerability.

http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com/
http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
http://iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Variants have been observed in which the kill-switch has been removed or altered. In some of these the ransomware component is corrupted and does not encrypt files, but the malware still propagates via the SMB scan, so a host that shows no ransom note may nevertheless be infected and spreading.

Affected Product

Microsoft Windows operating systems that have not received the MS17-010 update, including Windows XP, Windows 8 and Windows Server 2003, for which Microsoft has released an emergency update even though they are out of support. The WannaCry exploit has not been observed working against Windows 10, but MS17-010 applies to Windows 10 as well and should be confirmed installed.

System Affected

All servers, desktops and laptops running Windows operating systems without the MS17-010 update (see Affected Product).

Recommendation

Agencies are strongly advised to take the following precautionary steps:

  1. Block the following incoming IP addresses (this is not a substitute for patching):
  •     205.186.153.200
  •     96.127.190.2
  •     184.154.48.172
  •     108.163.228.172
  •     200.58.103.166
  •     216.145.112.183
  •     162.220.58.39
  •     192.237.153.208
  •     75.126.5.21
  2. Patch your Windows operating system with Microsoft Security Bulletin MS17-010 [1];
  3. Patch your computers with the latest Windows security updates. Users are strongly recommended to turn on the 'Automatic Updates' feature in Windows to ensure that security patches and updates are applied as soon as they are released;
  4. Back up your important files and data to an external drive;
  5. Update your antivirus to the latest anti-malware signatures and run a scan;
  6. Block inbound SMB (TCP ports 139 and 445) at the perimeter and from all hosts that do not need it. Where SMB is required, ensure that MS17-010 has been applied and consider disabling SMBv1 entirely, since EternalBlue targets SMBv1 only;
  7. Update your IPS and application-layer firewall rules to monitor for and detect the indicators of compromise above;
  8. Update your Snort signatures to detect MS17-010 exploitation and SMB scanning in your network, e.g. Emerging Threats signature 2024218 (http://docs.emergingthreats.net/bin/view/Main/2024218);
  9. System administrators with high levels of access should avoid using their admin accounts for email and web browsing;
  10. Do not click on links or attachments received in unsolicited emails;
  11. Have effective patch management that deploys security updates to endpoints and other critical systems within your infrastructure in a timely manner; and
  12. Implement a disaster recovery plan that includes backing up to, and restoring from, devices that are kept offline. Adversaries frequently target backup mechanisms to limit a victim's ability to restore files without paying the ransom.

Should a computer become infected with WannaCry, take the following steps:

  1. Disconnect the infected computer from the network and remove all traces of the malware. Ensure that the MS17-010 patch is applied before reconnecting it to the network [2];
  2. Do not pay the ransom; and
  3. Report any incident related to this attack to NC4.

References

[1] Microsoft Security Bulletin MS17-010 - Critical, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[2] WannaCry Ransomware FAQ, https://netbytesecurity.blogspot.my/2017/05/wannacry-ransomware-faq.html?m=1
