WannaCry Ransomware Utilizing NSA Exploits
Below0Day
Update 5/12/17 19:30 CST: 'Accidental hero' (kudos @MalwareTechBlog) finds a kill switch that stops the spread of the ransomware. Even though the domain has been sinkholed, halting new infections, new variants of wormable ransomware campaigns should be expected in the near future.
Update 5/13/17 10:30 CST: Microsoft has released emergency patches for previously unsupported systems (Windows XP, Windows 8 and Server 2003).
[.] WannaCry????
Early morning, Friday May 12th, ransomware going by the names Wcry/WanaCrypt0r/WannaCry/WanaCypt0r/Wanacryptor started spreading viciously through Europe. According to the Chief Security Expert at Kaspersky Lab there is a "worldwide ransomware outbreak." WannaCry spreads using the EternalBlue exploit, released most recently by the ShadowBrokers. EternalBlue is a remote code execution exploit against the SMBv1 protocol (TCP port 445). The vulnerability was patched by MS17-010 on March 14th; every Windows version that has not received that patch is still vulnerable. WannaCry first checks whether the DOUBLEPULSAR backdoor is already present on a target and, if it is, uses it to load its payload; otherwise it exploits the host with EternalBlue. Last month's DOUBLEPULSAR scans should have been a warning sign for companies to patch their systems and check their firewalls. With such a critical vulnerability, a wormable payload was inevitable. Within less than two hours there were over 11 countries infected, and by the time of writing this post it has spread through over 74 countries, demanding $300-$600 in Bitcoin.


[.] WannaCry Bitcoin Addresses:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
[.] Confirmed Tor C&Cs (credit: rain-1):
gx7ekbenv2riucmf[.]onion
57g7spgrzlojinas[.]onion
xxlvbrloxvriy2c5[.]onion
76jdd2ir2embyv47[.]onion
cwwnhwhlz52maqm7[.]onion
[.] Targeted File Types:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
[.] What to do to avoid getting infected?
Apply the MS17-010 patch ASAP (and the 5/13 out-of-band patches on XP/8/2003)!
Ensure all critical systems are fully backed up, with backups kept offline
Block inbound TCP 445 and 137-139 (SMB/NetBIOS) and 3389 (RDP) at the firewall
Disable SMBv1 on every host that does not strictly need it
Segment the network so SMB is not reachable between user segments
Disable Microsoft Office macros
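To verify that the checklist above actually took effect (and to find hosts still exposing the SMBv1 service EternalBlue attacks, as described earlier), the probe below sends a minimal SMBv1 Negotiate Protocol request offering only the "NT LM 0.12" dialect to TCP 445 and reports whether the host accepts it. This is an added example, not Below0Day's code and not taken from the WannaCry sample; it assumes direct TCP reachability from where you run it and that a host with SMBv1 disabled either drops/refuses the connection or answers with no acceptable dialect (DialectIndex 0xFFFF). The response bytes used for the self-test are constructed here, not captured from a real host.

```python
#!/usr/bin/env python3
"""Probe hosts for an exposed SMBv1 server on TCP/445.

Added example, not Below0Day's code and not taken from the WannaCry sample.
It sends a minimal SMBv1 NEGOTIATE request offering only the "NT LM 0.12"
dialect that EternalBlue targets, and classifies the answer.
Assumption: a host with SMBv1 disabled drops/refuses the connection or replies
with DialectIndex 0xFFFF (no acceptable dialect).
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NTLM012 = b"NT LM 0.12"
NO_DIALECT = 0xFFFF
SMB_HEADER_FMT = "<4sBIBHHQHHHHH"   # 32-byte SMB1 header, little-endian


def smb1_header(command=SMB_COM_NEGOTIATE, flags=0x18, flags2=0xC853, mid=1):
    """Pack a 32-byte SMB1 header: protocol id, command, NT status, flags,
    flags2, PIDHigh, SecurityFeatures, reserved, TID, PIDLow, UID, MID."""
    return struct.pack(SMB_HEADER_FMT, SMB1_MAGIC, command, 0, flags, flags2,
                       0, 0, 0, 0, 0, 0, mid)


def build_negotiate_request(dialects=(DIALECT_NTLM012,)):
    """NetBIOS-framed SMBv1 NEGOTIATE request: header, WordCount=0, dialect list."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # BufferFormat + name
    body = smb1_header() + struct.pack("<BH", 0, len(data)) + data
    return struct.pack(">I", len(body)) + body   # 0x00 session type + 3-byte length


def parse_negotiate_response(raw):
    """Classify a reply: 'smb1-accepted', 'smb1-refused' or 'not-smb1'."""
    if len(raw) < 4 + 32 + 3:
        return "not-smb1"
    body = raw[4:]                              # strip NetBIOS session header
    if body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return "not-smb1"
    word_count = body[32]
    if word_count == 0:                         # error reply carries no parameters
        return "smb1-refused"
    dialect_index = struct.unpack_from("<H", body, 33)[0]
    return "smb1-refused" if dialect_index == NO_DIALECT else "smb1-accepted"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the NEGOTIATE, classify what comes back (or the lack of it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            raw = sock.recv(4096)
    except OSError:                             # refused, reset or timed out
        return "closed-or-filtered"
    return parse_negotiate_response(raw)


def constructed_response(dialect_index):
    """Synthetic NEGOTIATE response (constructed for the self-test, not captured).
    WordCount=17 -> 34 bytes of parameters, the first two being DialectIndex."""
    params = struct.pack("<H", dialect_index) + b"\x00" * 32
    body = smb1_header(flags=0x98) + bytes([17]) + params + struct.pack("<H", 0)
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("self-test:", parse_negotiate_response(constructed_response(0)),
              parse_negotiate_response(constructed_response(NO_DIALECT)))
    for host in targets:
        print(f"{host:20s} {probe_smb1(host)}")
```

Run it from an untrusted segment against your own hosts (`python3 probe.py 10.0.0.5 10.0.0.6`): `smb1-accepted` means the host still negotiates SMBv1 and the list above has not been applied there; `closed-or-filtered` is what you want to see from anywhere the firewall rules are supposed to cover. The frame layout is the standard NetBIOS session header followed by the [MS-CIFS] SMB header and NEGOTIATE parameter/data blocks.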
[.] Kill-Switch Domains – DO NOT Block!
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com
lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea[.]com
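The domains above are not C&C: the sample makes a direct HTTP request to the kill-switch domain before it does anything else and exits only if that request succeeds, which is why the sinkhole stops it and why blocking the domain has the opposite effect. The request is made directly, without using the system proxy, so networks whose only route out is a proxy never reached the sinkhole and were not protected by it. The added example below (my own code, not Below0Day's and not the sample's) models that decision so the caveat is concrete. The fetch functions for the three scenarios are stubs constructed for the demonstration; `direct_get` is a proxy-ignoring fetch standing in for the sample's direct WinINet call.

```python
#!/usr/bin/env python3
"""Model of WannaCry's kill-switch decision. Added example, not the sample's code.

The worm issues a direct HTTP GET (ignoring any proxy) to the kill-switch
domain and exits only if that request succeeds; any failure lets the payload run.
"""
import urllib.request

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def direct_get(url, timeout=5.0):
    """Fetch `url` ignoring configured proxies, like a direct (non-proxy) WinINet call."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.getcode()


def payload_would_run(domain, fetch=direct_get):
    """True when the worm would proceed, i.e. the kill-switch request failed."""
    try:
        fetch("http://" + domain + "/")
        return False          # domain answered: worm exits without infecting
    except Exception:
        return True           # NXDOMAIN, RST, timeout, proxy-only egress: worm runs


# Constructed scenarios: hypothetical fetch behaviour, not live network results.
def sinkhole_reachable(url):
    return 200                # the sinkholed domain answers


def dns_blocked(url):
    raise OSError("NXDOMAIN: kill-switch domain blocked by DNS filter")


def proxy_only_egress(url):
    raise OSError("direct connect refused: only the proxy can reach the internet")


SCENARIOS = {
    "sinkhole reachable": sinkhole_reachable,
    "domain blocked at DNS": dns_blocked,
    "proxy-only egress": proxy_only_egress,
}


def evaluate_scenarios(domain=KILL_SWITCH):
    """Map each scenario name to whether the payload would run under it."""
    return {name: payload_would_run(domain, fetch) for name, fetch in SCENARIOS.items()}


if __name__ == "__main__":
    for name, runs in evaluate_scenarios().items():
        print(f"{name:24s} -> {'payload RUNS' if runs else 'worm exits'}")
```

Only the first scenario stops the worm; the other two, including a well-meant DNS block of the domain, are indistinguishable from "domain unreachable" to the sample. If your egress is proxy-only, do not rely on the sinkhole at all and go straight to the patching and SMB blocking above.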