A large-scale cyber attack, the WannaCry ransomware, that began on May 12th has already infected over 230,000 computers in 150 countries, demanding ransom payments in 28 languages. These numbers continue to grow, and given that the patch for the vulnerability being exploited (MS17-010, released by Microsoft in March) is only two months old, many machines remain unpatched and we are likely to see the numbers increase further.
The perpetrators of the attack are not yet known; the origins, however, are. The infection vector was made “wormable,” or self-spreading, by exploiting a piece of NSA code known as EternalBlue, an SMBv1 exploit that was released last month by a group known as the Shadow Brokers. Wormable vulnerabilities are the bane of a security administrator’s existence, since they don’t require user interaction to infect a machine: any unpatched host that can be reached over SMB (TCP port 445) is a candidate. Years ago, as I was just deploying a couple hundred Intrusion Prevention devices, Conficker began spreading around the world and at the time was the largest and fastest-spreading malware the security community had observed. IPSs won’t be saving the day this time. I’ll address what can help save the day shortly; first, let’s dig into what is known about WannaCry.
The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors, so the per-infection private key (and with it the encrypted files) cannot be recovered without the authors’ corresponding private key.
Even more in-depth reverse-engineering information by cyg_x1: https://pastebin.com/aaW2Rfb6
As observed by security researchers at Talos, there are several signs that a machine has been infected, on top of the ransom message that is displayed on screen.
Source: Talos – http://blog.talosintelligence.com/2017/05/wannacry.html?m=1
The file extensions WannaCry targets for encryption (per Talos):
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc
Patch your Windows machines. The fix is MS17-010 (released March 14, 2017), and Microsoft has since issued an out-of-band version of it for the otherwise unsupported Windows XP, Windows 8 and Server 2003. Where a host cannot be patched immediately, disable SMBv1 and block TCP port 445 from untrusted networks. There is little excuse for not having a robust patch process in place, but in the real world of infosec we know there is no shortage of challenges that keep us from that ideal state of being 100% patched at all times.
Lock down access on endpoints. As we have discussed before, controlling local administrator access greatly reduces the attack surface, leaving less chance of falling victim to ransomware and insider threats. One caveat: the EternalBlue exploit itself runs with SYSTEM privileges, so limiting local admin rights contains droppers and attackers who gain a foothold by other means, but it is no substitute for patching.
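As an added example (not code from the original post or from Stealthbits), the following PowerShell audit checks the two endpoint controls just discussed on a single host: whether one of the MS17-010 updates is installed and who is in the local Administrators group, plus whether the SMBv1 server that EternalBlue depends on is still enabled. The KB numbers are the MS17-010 updates from Microsoft’s March 2017 bulletin; later cumulative updates supersede them, so a “not found” result is a prompt to confirm the update level in your patch-management system, not proof that the host is vulnerable. Run it from an elevated prompt.

```powershell
# Added example: single-host audit for MS17-010, SMBv1 and local admin membership.
# KB list = MS17-010 security-only / monthly-rollup updates (March 2017 bulletin).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Vista / Server 2008, and the out-of-band XP / 8 / 2003 release
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Newer cumulative updates replace these KBs, so treat "not found" as "verify", not "vulnerable".
    $found  = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    $status = 'Not found - confirm cumulative update level before assuming vulnerable'
    if ($found.Count -gt 0) { $status = 'Found: ' + ($found.HotFixID -join ', ') }
    [PSCustomObject]@{ Check = 'MS17-010 update'; Status = $status }
}

function Test-Smb1Server {
    # EternalBlue targets SMBv1. The server-side switch is the SMB1 DWORD under
    # LanmanServer\Parameters; a missing value means enabled on Windows 7 / 8.1 /
    # 2008 R2 / 2012 R2. On Windows 10 / Server 2016 prefer Get-SmbServerConfiguration.
    $params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
    $status  = if ($enabled) { 'ENABLED - disable unless a legacy dependency requires it' } else { 'Disabled' }
    [PSCustomObject]@{ Check = 'SMBv1 server'; Status = $status }
}

function Get-LocalAdminMembers {
    # ADSI works back to Windows 7; on Windows 10 / Server 2016 you can use
    # Get-LocalGroupMember -Group Administrators instead.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Invoke-EndpointAudit {
    $admins = @(Get-LocalAdminMembers)
    @(
        (Test-Ms17010Installed),
        (Test-Smb1Server),
        [PSCustomObject]@{ Check = 'Local Administrators'; Status = "$($admins.Count) member(s): $($admins -join ', ')" }
    )
}

Invoke-EndpointAudit | Format-Table -AutoSize -Wrap
```

Each check returns an object rather than printing, so the same functions can be wrapped in Invoke-Command and run across a list of hosts to produce a fleet-wide table of who is still exposed.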
Identify and protect sensitive data proactively. WannaCry throws a pretty wide net looking for data it can encrypt. Get ahead of ransomware threats by identifying your sensitive data and taking measures to protect it, starting with a data classification policy.
Restrict access to networked resources by switching to resource-based group provisioning. Implementing least-privilege access across unstructured data through resource-based groups further reduces the exposure of sensitive data to both human and automated threats: a worm running in the context of an ordinary user can only encrypt the shares that user can write to.
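The next block is an added example, not code from the original post or from Stealthbits, covering the last two recommendations together. It inventories the files under a set of shares whose extensions are on the WannaCry target list printed earlier in the post, summarising how much data is exposed per extension, and then lists directories where a broad principal (Everyone, Authenticated Users, BUILTIN\Users, or a Domain Users group) holds write rights, which are the first candidates for resource-based groups. The share paths in $Roots are assumed placeholders; replace them with your own.

```powershell
# Added example: exposure inventory for the WannaCry extension list, plus a scan
# for directories writable by broad principals. Assumed paths, not real shares.
$TargetExtensions = (@'
.der .pfx .key .crt .csr .p12 .pem .odt .sxw .stw .3ds .max .3dm .ods .sxc .stc .dif .slk .wb2
.odp .sxd .std .sxm .sqlite3 .sqlitedb .sql .accdb .mdb .dbf .odb .mdf .ldf .cpp .pas .asm .cmd
.bat .vbs .sch .jsp .php .asp .java .jar .class .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf
.avi .mov .mp4 .mkv .flv .wma .mid .m3u .m4u .svg .psd .tiff .tif .raw .gif .png .bmp .jpg .jpeg
.iso .backup .zip .rar .tgz .tar .bak .ARC .vmdk .vdi .sldm .sldx .sti .sxi .dwg .pdf .wk1 .wks
.rtf .csv .txt .msg .pst .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw
.xlsb .xlsm .xlsx .xls .dotm .dot .docm .docx .doc
'@ -split '\s+') | Where-Object { $_ }

function Get-RansomwareExposure {
    # Count and size the files WannaCry would encrypt under each root, grouped by
    # extension, so classification work starts where the blast radius is largest.
    param(
        [Parameter(Mandatory)] [string[]] $Roots,   # assumed: UNC shares or local folders
        [int] $Top = 15
    )
    $targets = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $TargetExtensions, [System.StringComparer]::OrdinalIgnoreCase)

    $hits = @(foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $targets.Contains($_.Extension) }
    })

    $byExt = $hits | Group-Object Extension | ForEach-Object {
        [PSCustomObject]@{
            Extension = $_.Name
            Files     = $_.Count
            SizeMB    = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
        }
    } | Sort-Object SizeMB -Descending | Select-Object -First $Top

    [PSCustomObject]@{
        TotalFiles  = $hits.Count
        TotalMB     = [math]::Round(($hits | Measure-Object Length -Sum).Sum / 1MB, 1)
        ByExtension = $byExt
    }
}

function Get-BroadWriteAccess {
    # Directories where a broad principal can write or delete. Malware running as
    # any domain user reaches these regardless of local admin controls. Generic
    # rights (raw numeric masks set by some tools) are not decoded here.
    param([Parameter(Mandatory)] [string[]] $Roots)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Delete
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                $id      = $ace.IdentityReference.Value
                $isBroad = ($broad -contains $id) -or ($id -like '*\Domain Users')
                if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
                    (([int]$ace.FileSystemRights) -band $writeMask)) {
                    [PSCustomObject]@{ Path = $dir.FullName; Identity = $id; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

# Assumed share paths for illustration.
$Roots  = '\\fileserver01\Finance', '\\fileserver01\Engineering'
$report = Get-RansomwareExposure -Roots $Roots
"{0} target files, {1} MB at risk" -f $report.TotalFiles, $report.TotalMB
$report.ByExtension | Format-Table -AutoSize
Get-BroadWriteAccess -Roots $Roots | Format-Table -AutoSize
```

The two reports are meant to be read together: a share that scores high on exposed file volume and also appears in the broad-write list is where a single infected workstation does the most damage, and where moving to resource-based groups pays off first.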