Massive WannaCry/Wcry Ransomware Attack Hits Various Countries
Earlier this year, two separate security risks were brought to light: CVE-2017-0144, a vulnerability in the SMB Server that could allow remote code execution that was fixed in March, and WannaCry/Wcry, a relatively new ransomware family that spread via Dropbox URLs in late April. These two threats have now been combined, resulting in one of the most serious ransomware attacks to hit users across the globe. Trend Micro detects the variants used in this attack as RANSOM_WANA.A and RANSOM_WCRY.I.
The ransom note demanded a payment of $300 be made in Bitcoin; note that this ransom demand is already lower than the amount asked for in the earlier attacks. Aside from the initial attacks in the United Kingdom, other countries were also affected in large numbers.
The vulnerability used in this attack (code named EternalBlue) was among those leaked by the Shadow Brokers group that was allegedly stolen from the National Security Agency (NSA). The vulnerability was exploited to drop a file on the vulnerable system which would then be executed as a service. This would then drop the actual ransomware file onto the affected system, encrypting files with the .WNCRY extension. (A separate component file for displaying the ransom note would also be dropped.) Files with a total of 166 extensions, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.
Figure 1. Infection diagram
Figure 2. Ransom note
Feedback from the Smart Protection Network indicates that aside from the United Kingdom, Taiwan, Chile and Japan were all significantly affected by this threat. India and the United States are also affected.
As we noted earlier, the SMBv1 vulnerability used in this attack was already patched in March by Microsoft. Even before that, in September 2016 Microsoft had strongly urged users to migrate away from SMBv1, which dates back to the early 1990s. US-CERT had issued similarly strong recommendations as well. Organizations that had followed best practices—both in patching and in proper configuration of SMB services—would not be affected by this attack.
Trend Micro Solutions
Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware. As mentioned earlier, we detect these as RANSOM_WANA.A and RANSOM_WCRY.I. Products with Predictive Machine Learning and all relevant ransomware protection features enabled are already protected against this threat.
- 1008224-Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
Deep Discovery Inspector protects customers from this threat via this DDI rule:
- DDI Rule 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request)
TippingPoint customers are protected from attacks exploiting these vulnerabilities with the following MainlineDV filters:
- 27433: SMB: Microsoft Windows SMB Server MID Type Confusion Vulnerability
- 27711: SMB: Microsoft Windows SMB Server SMBv1 Buffer Overflow Vulnerability
- 27928: SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue)
Further information about Trend Micro solutions can be found here.