Le blog des experts sécurité Wavestone

WCry – When the NSA toolset leads up to global shutdown of business

You have undoubtedly seen across the media this weekend an attack taking place on an extremely large scale last Friday lunchtime. Renault has closed some industrial sites, FedEx has shut down its servers, the UK National Health Service has made the front page and even Telefonica went down. Overall, around 100 countries fell victim to the attack!
CERT-W has been on the case since the early hours of the attack and several of us have worked on it over the weekend.

This attack aims to distribute the "Wannacry" ransomware (aka wcry, wannacrypt, etc. [1]).

Why has the ransomware gained so much exposure?

It is not so much the ransomware itself which is at stake here; it is more or less a classic ransomware.

Rather, it is the diffusion and propagation method which is the point of focus, leveraging ETERNALBLUE, the MS17-010 exploit [2] developed by the NSA and which has already been made public by The Shadow Brokers several months ago (the corresponding patch has been available for 2 months to date).

How can I protect myself?

The following steps help to limit the propagation of the attack:
  • Update Windows systems (as described earlier, the patch for MS17-010 has been available for several weeks now [2]). Several companies have realised afterwards that their WSUS infrastructure was not entirely operational, explaining why this patch was not rolled-out.
  • Update anti-viral signatures (all anti-virus vendors have reacted and published a signature to detect Wannacry)
  • Block incoming SMB flows (or flows that can propagate through various VPNs --> we have seen this occur for certain victims).
  • Ensure malware distribution URLs [3] ARE NOT blocked: indeed, security researchers have been able to quickly deploy sinkholes on these URLs and embark a killswitch, preventing infection of endpoints if, and only if, these URLs are accessible [4].
    • Because the malware does not cover the management of web proxies, a DNS entry must be added locally (internal DNS servers). This entry must point towards the IP address of an internal application (business application, intranet, etc.) in order to render the killswitch functional.
  • If the network is segmented, use segmentation cut off points to prevent a general propagation (particularly via IPS devices). Even if the malware is only able to propagate through the network layer in which it is connected for now, this creates an additional protection layer. Several victims have witnessed an impact to their workstations thanks to simple network segmentation.
  • Finally, prepare backups!

If you find files with the “.wncry” extension then your endpoint is infected and the ransomware is already being executed.
Alert the CERT-W ( and the Wavestone security team (#Security).

Do not hesitate to forward this article to your clients.

[1] In its first communication, the ANSSI also spoke of Jam, another "simple" ransomware that has been distributed in the last few days by different exploit kits (Necurs in particular).
[3] Do NOT block: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com

Aucun commentaire:

Enregistrer un commentaire