May 18th 2017
Know How... 312
Networking 102: WannaCry Ransomware
We look at the new ransomware worm hitting the web, "WannaCry".
We take a look at how WannaCry works, how not to get infected, and what to do if you are.
WannaCry
Infection
* Spreads using the NSA-developed "EternalBlue" SMB exploit that was leaked by the Shadow Brokers
* Initial infection was reported as coming via an emailed link or attachment (phishing)
* Once Infected
1. Checks a domain to see if it responds (kill-switch)
2. Exploits an SMB vulnerability (MS17-010) to move laterally to other unpatched Windows machines
3. Installs the "DoublePulsar" backdoor (which stays behind even if the ransom is paid and the files are decrypted)
4. Demands $300-$600 in bitcoin
* We have to wait for numbers, but anecdotally it seems that XP is taking the brunt of the attack
First Impact
* > 400,000 computers infected so far
* ~150 countries (across Europe, Asia, and some of the Americas)
* Shut down manufacturing at Renault in France and Romania
* Shut down Nissan in England
* Also hit health services in Britain (the NHS), forcing patients to be redirected to other hospitals
Mitigation
* Didn't hit the US as hard, because by the time the attack reached the US, mail filters had been tuned to the phishing campaign
* A British researcher, "@MalwareTechBlog" on Twitter, noticed that the malware was trying to connect to an unregistered domain. He registered it, which triggered the kill-switch and stopped the spread of that version.
- We know he's a 22-year-old from south-west England who works for the LA-based threat-intelligence company "Kryptos Logic"
Second Impact
* Researchers are confirming that there is a second revision of WannaCry in circulation that removed the kill-switch check
* MILLIONS of office computers were left unattended over the weekend, many of them probably still switched on.
- There WAS a rise in infections on Monday, but not the MASSIVE wave some were worried about
Second Mitigation
* Non-tech media (and even CNET/CBS) are talking about this attack as if it is over. That is very much NOT the case.
* The second version does NOT check for the kill-switch site
* Steps to take:
1. Backup
2. No clicking, no attachments
3. If you are on a high-risk network: disconnect, download the patches on a secured machine, install them offline, then reconnect
4. If you have the tools, look for SMB probing: bursts of connection attempts to TCP port 445 from one host to many others, or from inside your network to addresses on the internet
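Step 4 is the one most people skip because "look for probing" sounds vague. Below is an added example (mine, not code from the show) of what that check actually looks like: it reads a simple connection log and flags two things a worm like this produces and a normal workstation does not, a burst of SMB (TCP 445) connection attempts to many distinct hosts within a short window, and any SMB from inside the network to an address outside it. The log format (ISO timestamp, source IP, destination IP, destination port), the 10.0.0.0/8 site range, the 60-second window and the fan-out threshold of 10 are all assumptions for the demo; the sample lines are constructed, not captured traffic.

```python
"""Spot SMB probing in a connection log.

Added example for these show notes, not code from the show. The log format
(ISO timestamp, source IP, destination IP, destination port) is assumed, and
the sample lines are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445
WINDOW_SECONDS = 60          # how long a burst may last (assumed)
FANOUT_THRESHOLD = 10        # distinct hosts hit on 445 inside one window; tune per site
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site address space


def parse_line(line):
    """Parse 'ts src dst dport' into (datetime, src, dst, port); None for junk."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        return ts, parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_smb_probers(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak number of distinct 445 destinations seen in any window}
    for sources that reach the threshold. A workstation that only ever talks
    to its file server never gets there; a worm sweeping a /24 does in seconds.
    Lines are assumed to be in time order per source."""
    recent = defaultdict(deque)      # src -> (ts, dst) pairs inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window:   # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


def find_external_smb(lines):
    """SMB from inside the site to addresses outside it is almost never
    legitimate; WannaCry also scanned addresses on the internet on 445."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        _, src, dst, _ = rec
        if ipaddress.ip_address(dst) not in INTERNAL:
            hits.add((src, dst))
    return sorted(hits)


def build_sample_log():
    """Constructed sample, not real traffic."""
    lines = []
    for i in range(12):   # 10.0.0.7 sweeps 12 hosts on 445 in 12 seconds: worm-like
        lines.append(f"2017-05-15T08:00:{i:02d} 10.0.0.7 10.0.0.{20 + i} 445")
    lines.append("2017-05-15T08:00:12 10.0.0.7 203.0.113.9 445")   # and one outside the site
    for i in range(15):   # 10.0.0.5 talks to the file server repeatedly: normal
        lines.append(f"2017-05-15T08:00:{i:02d} 10.0.0.5 10.0.0.100 445")
    for i in range(12):   # 10.0.0.9 touches 12 hosts on 445, but 5 minutes apart: not a burst
        lines.append(f"2017-05-15T08:{5 * i:02d}:00 10.0.0.9 10.0.0.{40 + i} 445")
    lines.append("2017-05-15T08:00:03 10.0.0.7 10.0.0.1 443")       # not SMB, ignored
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("fan-out probers:", find_smb_probers(log))
    print("external SMB:", find_external_smb(log))
```

Run on the sample, only 10.0.0.7 trips the fan-out check (13 distinct hosts within a minute) and it is also the one host reaching out to 445 on an outside address; the file-server chatter from 10.0.0.5 and the slow, spread-out connections from 10.0.0.9 stay quiet. Feed it your firewall or NetFlow export in the same four-column shape (or adjust parse_line) and tune the threshold to what your network's normal SMB fan-out looks like before you alert on it.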
Notes
* MS released a patch for this in March 2017
** After the outbreak they ALSO released a patch for XP and Server 2003, even though those versions are no longer supported.
What to watch for: LLMNR
* Link-Local Multicast Name Resolution
* This is a Windows protocol that provides name resolution for hosts on the same local link
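To make the protocol concrete, here is an added example (mine, not code from the show) that builds and parses LLMNR messages. LLMNR reuses the DNS wire format over UDP port 5355, with IPv4 queries multicast to 224.0.0.252; the example shows both sides of the exchange, the query a Windows host sends when it cannot resolve a single-label name through DNS, and the response that comes back. It only handles A records, builds names without compression (it can read a compressed pointer in a reply), and the name "fileserv", the address 10.0.0.66 and the transaction ID are assumptions for the demo. The thing to notice is that nothing in the response authenticates the sender: whichever host on the link answers first with a matching ID wins.

```python
"""Build and parse LLMNR (RFC 4795) query and response packets.

Added example for these show notes, not code from the show. Only A records
are handled; names are built uncompressed. The names, addresses and IDs
used in the demo are assumptions.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group LLMNR queries go to
LLMNR_PORT = 5355
QR_BIT = 0x8000               # header flag: 1 = response, 0 = query
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'fileserv' -> b'\\x08fileserv\\x00' (DNS label format, no compression)."""
    out = bytearray()
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(data, offset):
    """Read a label sequence at offset; follows a compression pointer (0xC0xx)
    and returns the name plus the offset just past the field in the stream."""
    labels = []
    resume_at = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # pointer: low 14 bits are an offset
            if resume_at is None:
                resume_at = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume_at if resume_at is not None else offset)


def build_query(txid, name):
    """Query side: header with QDCOUNT=1, then one question (A, IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, ipv4, ttl=30):
    """Responder side: echo the ID and question, add one A record.
    Any host on the link can send this; the querier has no way to tell the
    real owner of the name from another host that simply answered first."""
    q = parse_packet(query)
    header = struct.pack("!HHHHHH", q["id"], QR_BIT, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (encode_name(q["name"])
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(ipv4))
    return header + question + answer


def parse_packet(packet):
    """Parse the header, the single question, and any A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qd != 1:
        raise ValueError("LLMNR messages carry exactly one question")
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        aname, off = decode_name(packet, off)
        atype, aclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if atype == TYPE_A and aclass == CLASS_IN and rdlen == 4:
            answers.append((aname, socket.inet_ntoa(rdata), ttl))
    return {"id": txid, "is_response": bool(flags & QR_BIT), "name": name,
            "qtype": qtype, "qclass": qclass, "answers": answers}


def send_query(name, txid=0x1234, timeout=1.0):
    """Live use on a real link: multicast the query, return (peer, reply) or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(txid, name), (LLMNR_GROUP, LLMNR_PORT))
        data, peer = sock.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        sock.close()
    reply = parse_packet(data)
    return (peer[0], reply) if reply["id"] == txid else None


if __name__ == "__main__":
    q = build_query(0x1234, "fileserv")          # what the querier multicasts
    r = build_response(q, "10.0.0.66")          # what a responder unicasts back
    print(parse_packet(q))
    print(parse_packet(r))
```

Calling send_query("fileserv") on a real network sends the query to the multicast group and prints the first answer from whoever replies; on a network where LLMNR has been disabled by group policy it simply times out, which is the behaviour you want to see.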
Connect with us!
- Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
- Join our Google+ Community.
- Tweet at us at @PadreSJ, @Cranky_Hippo, and @Anelf3.
Thanks to CacheFly for the bandwidth for this show.