<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><span style="font-size: 12.1612px; background-color: transparent;">On May 12</span><sup style="background-color: transparent;">th</sup><span style="font-size: 12.1612px; background-color: transparent;">, an outburst of a new ransomware named WannaCry (aka WannaCrypt, WCry) took place. This ransomware spread wildly in a short amount of time, infecting </span><a href="https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/" style="font-size: 12.1612px; background-color: transparent;">over 100K victims in over 99 countries</a><span style="font-size: 12.1612px; background-color: transparent;"> by utilizing the MS17-010 vulnerability. The following image from the </span><a href="https://intel.malwaretech.com/botnet/wcrypt/" style="font-size: 12.1612px; background-color: transparent;">live infection map</a><span style="font-size: 12.1612px; background-color: transparent;"> demonstrates how big the impact of this campaign has been over the past 24 hours.</span></p> <p><img src="http://info.threatstop.com/hubfs/wannacrymap.png" alt="wannacrymap.png" width="454" height="231">The MS17-010 vulnerability was first made public during the <a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">ShadowBrokers’ leak of CIA data back in April</a> of this year and was dubbed <strong>ETERNALBLUE</strong>. It is a critical vulnerability in the SMBv1 server which is wormable (and was used as a worm in this case). <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">Microsoft patched this vulnerability on March 14<sup>th</sup> 2017 and released a special security bulletin for it</a> a whole month <strong>prior</strong> to the ShadowBrokers’ leak. 
Furthermore, during the events of the past weekend and the mass ransomware infections that took place, Microsoft released another, out-of-band patch for Windows XP, a version of Windows that is no longer supported, and even released <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">a guide on how to protect yourself from the WannaCry attacks</a>.</p> <p>As of today, May 14<sup>th</sup>, the WannaCry attacks have ceased after the researcher behind MalwareTechBlog <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html">registered a domain that is effectively used as a kill switch for the ransomware</a> distribution.</p> <p>Some of the larger entities that were infected include the <a href="http://news.sky.com/story/nhs-cyberattack-full-list-of-organisations-affected-so-far-10874493">NHS</a>, <a href="https://twitter.com/SkyNews/status/863044193727389696">Telefonica Spain</a>, <a href="http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913">Nissan</a>, <a href="https://twitter.com/jeancreed1/status/863089728253505539">FedEx</a>, <a href="https://twitter.com/dabazdyrev/status/863034199460261890/photo/1">government agencies</a> <a href="https://twitter.com/95cnsec/status/863292545278685184">all over the world</a>, <a href="https://twitter.com/farbenstau/status/863166384834064384">German rail services</a>, <a href="https://twitter.com/95cnsec/status/863382193615159296">Chinese banks</a> and many more.</p> <blockquote class="twitter-tweet"> <p lang="en" dir="ltr">We will never forget <a href="https://twitter.com/hashtag/wannacry?src=hash&amp;ref_src=twsrc%5Etfw">#wannacry</a> 12.05.2017 Part 1 <a href="https://t.co/zqcEndddgM">pic.twitter.com/zqcEndddgM</a></p> — Sergey @k1k_ Golovanov📡 (@k1k_) <a href="https://twitter.com/k1k_/status/863406317519740928?ref_src=twsrc%5Etfw">May 13, 2017</a></blockquote>
<p>Although so many were infected, the criminals didn't make much money:</p> <blockquote class="twitter-tweet"> <p lang="en" dir="ltr">The three bitcoin wallets tied to <a href="https://twitter.com/hashtag/wcry?src=hash&amp;ref_src=twsrc%5Etfw">#wcry</a> ransomware have received 110 payments totaling $32,021.68 USD.</p> — actual ransom (@actual_ransom) <a href="https://twitter.com/actual_ransom/status/863725671171993600?ref_src=twsrc%5Etfw">May 14, 2017</a></blockquote> <p><span style="font-size: 12.1612px; background-color: transparent;">So, what can you do to protect yourself?</span></p> <ul> <li>If you haven’t yet – STOP WHATEVER YOU ARE DOING AND RESTART your Windows machine to apply all patches.</li> <li>Enable the <strong>Anonymous Networks</strong> <strong>target</strong> on your <strong>ThreatSTOP</strong> <strong>IP</strong> and <strong>DNS</strong> <strong>Firewalls.</strong> This way, you will block all communication with Tor from your organization and minimize the chances of an attack, while <a href="/vpn-and-tor-traffic-to-bypass-corporate-security">stopping your employees from bypassing your corporate defences</a>.</li> <li>Use <a href="https://minerva-labs.com/post/using-vaccination-to-stop-malware-in-real-life-scenarios" target="_blank" rel="noopener">Minerva’s Vaccinator</a> – it is free and causes the malware to skip your machines.</li> <li>Consider disabling legacy protocols on your networks (specifically SMBv1): if you don’t need it, why is it there?</li> </ul> <p>If you would like to read more, we recommend the following resources (this list keeps updating, so come back and check it later):</p> <ul> <li><a href="https://circl.lu/pub/tr-41/">An advisory from the Luxembourg CERT</a></li> <li><a href="https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168">WannaCrypt fact sheet</a></li> <li><a href="https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis">Technical analysis by ENDGAME</a></li> <li><a href="http://blog.checkpoint.com/2017/05/14/wannacry-paid-time-off/">Do not pay the ransom</a> - the Check Point research team says that the files will not be decrypted.</li> <li>SANS Institute - <a href="https://isc.sans.edu/presentations/WannaCry.ppt">presentation for management</a></li> <li>SANS Institute - <a href="https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160">Friday webcast with technical details</a></li> <li><a href="http://blog.reposify.com/wannacrypt0r-epidemic-continues/" target="_blank" rel="noopener">Reposify</a> has a mapping of all the vulnerable devices on the internet - you can check if you are there!</li> </ul> <p>Stay Safe!</p></span>
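<p>The protection checklist above asks you to confirm the MS17-010 patch is applied and to turn off SMBv1 where it is not needed. The PowerShell script below is an added example, not part of the original post and not a ThreatSTOP tool: it audits the SMBv1 state of a host, disables the protocol, and checks for the patch. It assumes it is run as Administrator on a Windows version that ships the <code>SmbShare</code> and <code>Dism</code> modules (Windows 8.1 / Server 2012 R2 or later); the <code>$Ms17010Kb</code> value is a placeholder, since the KB number differs per OS build and is not given in this post.</p>

```powershell
# Added example (not from the original post): audit and disable SMBv1, then verify MS17-010.
# Assumptions: run elevated; Get-SmbServerConfiguration / Get-WindowsOptionalFeature available
# (Windows 8.1, Server 2012 R2 and later). On older server editions the feature is managed
# with Get-WindowsFeature FS-SMB1 instead.

# 1. Report the current SMBv1 state of the SMB server service.
$cfg = Get-SmbServerConfiguration
Write-Host "SMBv1 server protocol enabled: $($cfg.EnableSMB1Protocol)"

# 2. Disable SMBv1 at the server service level. This stops new SMBv1 sessions immediately,
#    which is the exposure ETERNALBLUE needs, but leaves the binaries installed.
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}

# 3. Remove the SMB1 optional feature (client and server components). Takes effect after reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature removed; reboot to complete."
}

# 4. Confirm the MS17-010 update is present. $Ms17010Kb is a PLACEHOLDER: look up the KB
#    number for this OS build in the Microsoft bulletin linked in the post.
$Ms17010Kb = 'KBxxxxxxx'
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $Ms17010Kb }
if ($hotfix) {
    Write-Host "$Ms17010Kb installed on $($hotfix.InstalledOn)."
} else {
    Write-Warning "$Ms17010Kb not found - install the MS17-010 update and reboot."
}
```

<p>Step 2 is the one that matters in the short term, because it closes the listening SMBv1 server without a reboot; step 3 is the durable fix. Before running this on file servers, confirm that no legacy clients still depend on SMBv1, which is exactly the question the checklist asks.</p>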