Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability

Starting early this morning we have seen reports of a wave of infections using a ransomware called “WannaCry” that is apparently being spread by a worm component.

There have been reports of large telecommunication companies, banks and hospitals being affected. Tens of thousands of networks worldwide have been hit and the attacks do not appear targeted. Victims are asked to pay approximately $300 by Bitcoin, and it appears the attackers have found people willing to pay.

We have created a Pulse in the Open Threat Exchange to share the indicators of compromise we have been able to obtain.

The WannaCry ransomware is using the file extension .wncry, and it also deletes the Shadow Copies:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet (PID: 2292)
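Each command in that chain removes one recovery path (shadow copies, the backup catalog, boot recovery), so an endpoint detection can key on any of them. The following is an added example, not code from the original post: a small Python detector that parses constructed process-creation log lines (the key=value format and host names are assumptions) and flags command lines containing the recovery-destroying actions quoted above.

```python
import re

# Constructed process-creation log lines for this example (not from the post).
# Line 1 reproduces the WannaCry command chain; the others are benign look-alikes.
SAMPLE_LOGS = [
    'host=ws01 pid=2292 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    'host=ws01 pid=3100 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'host=ws02 pid=410 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir C:\\Users"',
    'host=ws02 pid=512 image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"',
]

# One pattern per recovery-destroying action in the quoted command chain.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# key=value pairs; a quoted value may contain spaces and is captured in group 3.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one log line into a dict of fields, stripping quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def matched_actions(cmdline):
    """Return the sorted names of all recovery-destroying actions found in cmdline."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(cmdline))


def detect(lines, min_actions=1):
    """Return (host, pid, actions) for each line with at least min_actions hits.

    A single bcdedit or vssadmin call can be legitimate administration; raising
    min_actions to 2 keeps only command lines that chain several of them, which is
    the pattern of the ransomware command above.
    """
    hits = []
    for line in lines:
        f = parse_line(line)
        actions = matched_actions(f.get("cmdline", ""))
        if len(actions) >= min_actions:
            hits.append((f.get("host"), int(f.get("pid", 0)), actions))
    return hits
```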

The following file is also created in the affected systems: @[email protected]

One of the infection vectors is apparently a module that exploits a vulnerability (MS17-010) in Windows SMB to spread within a network. An exploit for this vulnerability was released as part of the Shadow Brokers leaks. Microsoft released a patch for MS17-010 on March 14th. Administrators are advised to patch any systems that do not yet have this update immediately.

Alienvault USM is able to detect attempts to exploit this vulnerability via the following IDS signature released on April 18th:

ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response

We noted a sharp increase in external scans against our customers for this exploit yesterday, and are investigating whether it is related to today's attacks:

We will update this blog post as we discover more information about the ongoing situation.


Article Link: http://feeds.feedblitz.com/~/318318826/0/alienvault-blogs~Ongoing-WannaCry-Ransomware-Spreading-Through-SMB-Vulnerability