Pub. 5 2017 Issue 2
www.uba.org 18

How is WannaCry delivered?

Early reporting, which this article follows, attributed the first infections to phishing emails carrying a password-protected .zip file (the password is included in the email, which "feels" like added security but mainly keeps mail gateways from inspecting the archive); the ransomware ran when the archive's contents were executed. No phishing campaign was ever confirmed, and later analysis pointed to direct scanning of Internet-exposed SMB as the entry point. That is the worm component: it uses ETERNALBLUE, an exploit for a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144) that the Shadow Brokers leaked in April 2017 and that Microsoft had already patched in MS17-010, two months before the outbreak. The ransomware scans TCP port 445 for hosts that expose SMBv1, exploits them, and starts its encryption routine on each, infecting not only other hosts on the LAN but also hosts on the Internet. Ransomware and worms are not new, but the market had not seen a ransomware attack that combined the two at this scale.

Who has WannaCry affected?

As of Monday, May 15th, WannaCry had affected over 200,000 victims (mostly businesses, counted as organizations or individuals rather than as hosts) in over 150 countries, leaving many organizations unable to perform business operations. Organizations in Russia and China were among the most severely affected, but as of Friday, May 12th, over 3,300 US businesses were affected as well. Notable victims include FedEx, Nissan, Renault, Deutsche Bahn, Russian Railways, MegaFon, Bank of China, Brazil's Social Security system, and many more. Perhaps most concerning is the National Health Service, the public health service of the United Kingdom: upwards of forty (40) NHS institutions were affected. An estimated 90% of NHS trusts were still running Windows XP, unsupported by Microsoft since 2014, on some workstations and servers, and the outbreak led to surgical delays, transfers of patients, and potentially worse outcomes.

The "Killswitch"

On Friday evening, the security researcher known as MalwareTech discovered that WannaCry contains a check intended to keep it from being analyzed.
To prevent containment and capture of its code, the ransomware payload makes an HTTP request to a hard-coded domain name, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, that was known to be unregistered. Malware sandboxes typically answer every DNS query and connection attempt so that they can watch what a sample does next, so a successful request to a domain that should not exist signals that the sample is being analyzed. WannaCry was built so that if the request succeeded it would scuttle itself, and if the request failed (as it did everywhere, because the domain did not exist) it would carry on. The analyst who discovered this call-out registered the domain, which made the check succeed on every newly infected host and shut down the attack, an effect that was not anticipated when the domain was registered. Two caveats: the "killswitch" stops newly infected hosts from encrypting anything, whether they were infected over SMB or by a user running the attachment, but it does nothing for hosts that were already encrypted; and the check is a plain HTTP request that ignores the system proxy, so hosts that can only reach the Internet through a proxy (common in corporate networks) never get the "success" answer and are encrypted anyway.

WannaCry Version 3

Almost as soon as the WannaCry "killswitch" was discovered, a new variant appeared, this time without it. Security analysts have confirmed that this newest version is propagating across the Internet as you read this article. Interestingly, it was not created by the same malware authors; it appears to be a copy-cat, the original binary edited to remove the check.

How to Defeat WannaCry

1. If you have not yet done so, install Microsoft's MS17-010 Security Update, which closes the SMBv1 flaw WannaCry exploits and so prevents it from affecting your Windows OS in the first place. It applies to all currently supported Microsoft operating systems, including Windows 10, Windows 8.1, Windows 7, Server 2008, Server 2012, etc.

2. If you are running an older workstation or server past End-of-Life (Windows XP, Windows 8, or Server 2003), find the applicable Emergency Fix in the Microsoft Update Catalog here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

3. If your organization uses Windows Defender, you can download updated threat definitions that detect WannaCry on a host here: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

4. If your files are already encrypted, a list of recovery and malware-removal options can be found here: http://www.besttechtips.org/remove-wannacry-ransomware-decrypt-wncry-files/

5. If you attempted to restore from backup and failed (or you do not have backups in the first place), try a program like Shadow Explorer to see whether the ransomware failed to delete your Shadow Volume Copies. WannaCry deletes them with vssadmin, which requires administrative rights; if the user did not click Yes at the UAC prompt, there is a chance they are still available to start the recovery. Here is How to recover files and folders using Shadow Volume Copies.

6. As a last resort, when all backups have failed, you could decide to pay and get the files decrypted. Be aware that WannaCry has no automated way to match a payment to a particular victim, reports of successful decryption after paying have been mixed, and payment funds the next campaign.

7. Wipe any affected device and re-image from bare metal (start from scratch).

Detect the Presence of WannaCry and SMBv1 Servers on Your Network

This section is taken directly from the KnowBe4 blog cited below but contains valuable resources. Warning: this section is technical.

One of the easiest ways to monitor what is happening on your network is to set up a SPAN/mirror port or use a network TAP. This will give you access to flows and packet payloads so you can see who is connecting to what and whether there is anything suspicious moving around. Check out this blog post if you use Cisco

Pictured: Wall Street Journal/MalwareTech – WannaCry infections as of end-of-day on Friday

WannaCry: Stop What You're Doing and Patch Your Computers! — continued from page 17
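The remediation steps above (install MS17-010, close off SMBv1, check for surviving Shadow Volume Copies) can be audited from one elevated PowerShell prompt. The script below is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 on Windows 7 or later, and the KB numbers are the ones Microsoft published with MS17-010 (KB4012598 is the emergency fix linked in step 2). Set $Remediate to $true to have it actually switch the SMBv1 server off.

```powershell
# Added example (not from the article): audit one Windows host for the exposures the article
# says to close, the missing MS17-010 update and an enabled SMBv1 server on TCP 445, then list
# any Volume Shadow Copies that survived (step 5). Assumes Windows PowerShell 5.1 in an elevated
# prompt on Windows 7 or later. The KB numbers are those Microsoft published for MS17-010;
# KB4012598 is the emergency fix the article links for XP, 8 and Server 2003.

$Remediate = $false   # set to $true to actually disable the SMBv1 server (see Disable-Smb1Server)

$Ms17010Kbs = @(
    'KB4012598',               # Windows XP, Windows 8, Server 2003 (out-of-band fix)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($found) {
        return [pscustomobject]@{ Patched = $true; Evidence = (@($found.HotFixID) -join ', ') }
    }
    # Windows 10 folds MS17-010 into every later cumulative update, and that update replaces the
    # March 2017 KB in Get-HotFix output, so "KB not listed" is a warning there, not proof.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    [pscustomobject]@{
        Patched  = $false
        Evidence = "no MS17-010 KB listed; newest hotfix is $($latest.HotFixID) ($($latest.InstalledOn))"
    }
}

function Get-Smb1Status {
    # The SMB1 registry value (documented in KB2696547) is honoured from Windows 7 up; when the
    # value is absent the server defaults to SMBv1 enabled.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $viaRegistry = if ($null -eq $reg) { $true } else { [int]$reg.SMB1 -ne 0 }
    # Windows 8 / Server 2012 and later also expose the live setting via the SmbShare module.
    $live = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $live = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Is anything actually listening on 445, i.e. what the worm's scanner looks for?
    $listening = $false
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Smb1EnabledByRegistry = $viaRegistry
        Smb1EnabledLive       = $live
        ListeningOn445        = $listening
    }
}

function Disable-Smb1Server {
    # Registry path works on Windows 7 / 2008 R2 and takes effect after a reboot; the cmdlet
    # path is immediate on Windows 8 / 2012 and later. Only SMBv1-only clients (XP, 2003, some
    # old printers and NAS boxes) lose access; everything newer negotiates SMBv2 or SMBv3.
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Value 0 -Type DWord -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Get-SurvivingShadowCopies {
    # WannaCry runs "vssadmin delete shadows /all /quiet", which needs elevation; if the UAC
    # prompt was refused the copies may still exist and can be browsed with Shadow Explorer.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, InstallDate
}

$patch = Get-Ms17010Status
$smb   = Get-Smb1Status
Write-Host "MS17-010 installed: $($patch.Patched) ($($patch.Evidence))"
Write-Host "SMBv1 server enabled (registry / live): $($smb.Smb1EnabledByRegistry) / $($smb.Smb1EnabledLive); listening on 445: $($smb.ListeningOn445)"
if (($smb.Smb1EnabledByRegistry -or $smb.Smb1EnabledLive) -and $Remediate) {
    Disable-Smb1Server
    Write-Host 'SMBv1 server disabled (reboot required on Windows 7 / 2008 R2).'
}
Write-Host 'Surviving shadow copies (empty means none):'
Get-SurvivingShadowCopies | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: on Windows 10 a fully patched host will usually show "no MS17-010 KB listed" because the cumulative update that superseded it is what Get-HotFix reports, so check the update history rather than assuming the worst; and disabling the SMBv1 server removes the exposure regardless of patch state, which is why the article's "patch" advice and this "turn SMBv1 off" step belong together.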
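Once a SPAN/mirror port or TAP is in place, the two signals worth alerting on for WannaCry are the ones the earlier sections describe: a DNS query for the kill-switch domain (that host is executing the dropper, whether or not the sinkhole then stopped it), and one source opening TCP port 445 to many distinct hosts in a short window (the worm's scanner). The script below is an added example, not from the article or from the KnowBe4 post it quotes; the kill-switch domain is the one MalwareTech registered, while every log line, address and timestamp is constructed for the example and the parsing should be adapted to your own sensor's export format.

```powershell
# Added example (not from the article or the KnowBe4 post it quotes): two detections over
# what a SPAN/mirror port, TAP or firewall export gives you. (1) A DNS query for the
# kill-switch domain means that host is executing the WannaCry dropper, whether or not the
# sinkhole then stopped the payload. (2) One source opening SMB (TCP 445) to many distinct
# hosts inside a short window is the worm's scanner. Every log line, address and timestamp
# below is constructed for the example; adapt the parsing to your sensor's export format.

$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$FanOutThreshold  = 10    # distinct port-445 targets from one source within one window
$WindowSeconds    = 60

# Constructed DNS query log: "<ISO-8601 timestamp> <client> <queried name>"
$DnsLog = @'
2017-05-12T13:00:01Z 10.0.2.15 www.uba.org
2017-05-12T13:00:04Z 10.0.2.31 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T13:00:09Z 10.0.2.15 update.microsoft.com
'@ -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Constructed flow log: "<ISO-8601 timestamp> <source> <destination> <destination port>"
$FlowLines = @(
    '2017-05-12T13:00:05Z 10.0.2.15 10.0.2.40 445'   # ordinary file-server use
    '2017-05-12T13:01:30Z 10.0.2.15 10.0.2.40 445'
)
# 10.0.2.31 sweeps 10.0.2.50 through 10.0.2.64 in 15 seconds, then goes out to the Internet
$FlowLines += 0..14 | ForEach-Object {
    '2017-05-12T13:00:{0:d2}Z 10.0.2.31 10.0.2.{1} 445' -f (10 + $_), (50 + $_)
}
$FlowLines += '2017-05-12T13:00:40Z 10.0.2.31 198.51.100.7 445'

function ConvertFrom-FlowLine {
    param([string]$Line)
    $t, $src, $dst, $dport = $Line -split '\s+'
    [pscustomobject]@{
        Time    = ([datetimeoffset]$t).UtcDateTime
        Src     = $src
        Dst     = $dst
        DstPort = [int]$dport
    }
}

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)
    foreach ($line in $Lines) {
        $t, $client, $qname = $line -split '\s+'
        if ($qname -eq $Domain) {            # -eq is case-insensitive in PowerShell
            [pscustomobject]@{ Time = $t; Client = $client; Query = $qname }
        }
    }
}

function Find-Smb445FanOut {
    param([object[]]$Flows, [int]$Threshold, [int]$Seconds)
    $bySrc = $Flows | Where-Object DstPort -eq 445 | Group-Object Src
    foreach ($g in $bySrc) {
        $events = @($g.Group | Sort-Object Time)
        $best = 0; $bestAt = $null
        # Sliding window anchored at each event: how many distinct hosts did this source
        # reach on 445 within the next $Seconds? The worm touches dozens in under a minute.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start   = $events[$i].Time
            $targets = @($events | Where-Object {
                $_.Time -ge $start -and ($_.Time - $start).TotalSeconds -le $Seconds
            } | Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -gt $best) { $best = $targets.Count; $bestAt = $start }
        }
        if ($best -ge $Threshold) {
            [pscustomobject]@{ Src = $g.Name; DistinctTargets = $best; WindowStart = $bestAt }
        }
    }
}

$flows = $FlowLines | ForEach-Object { ConvertFrom-FlowLine $_ }

'Hosts that resolved the kill-switch domain (running the dropper):'
Find-KillSwitchLookups -Lines $DnsLog -Domain $KillSwitchDomain | Format-Table -AutoSize
'Sources fanning out on TCP 445 (worm scanning):'
Find-Smb445FanOut -Flows $flows -Threshold $FanOutThreshold -Seconds $WindowSeconds | Format-Table -AutoSize
'SMB servers seen on the wire (audit each one for SMBv1):'
$flows | Where-Object DstPort -eq 445 | Select-Object -ExpandProperty Dst -Unique
```

On the constructed data this flags 10.0.2.31 twice: it queried the kill-switch domain, and it reached 16 distinct hosts on port 445 inside one 60-second window, while 10.0.2.15's repeated connections to a single file server stay below the threshold. The final list of destinations seen on 445 is the set of machines to run the host audit against, since every one of them is a candidate SMBv1 server.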