WanaCrypt0r – Ransom Attack
With the global spread of this particular malware on Friday and the media coverage it has received, it is understandable that many customers want to know more about this threat and what they can do to protect against it.
WanaCrypt0r was an interesting step up from previous ransomware for a couple of reasons: firstly, it spread via a worm as opposed to individual infections; secondly, it was built off an NSA exploit only a couple of months after disclosure.
The spread of the worm has currently been halted by the registration of the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, which is now widely thought to be a form of poor man's sandbox evasion as opposed to a kill switch.
While widely thought to have first spread through a phishing campaign, the worm spread through a known exploit in SMB (MS17-010), which was patched by Microsoft on supported systems in mid March: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Analysis of the worm's code shows it was attempting to spread over both internal SMB connections and externally discovered SMB connections.
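The two spreading behaviours just described (many SMB connections fanned out across the internal network, plus SMB connections to and from the internet) are visible in ordinary connection logs. The following is an added example, not AppCheck's tooling or code from the original post; it assumes a simplified "src dst dport" log format, uses a constructed sample log, and treats the RFC 1918 ranges as "internal".

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection records (not from the original post), one per
# line as "<src_ip> <dst_ip> <dst_port>". 10.0.1.15 behaves like the worm:
# it probes many internal hosts on 445 and then reaches out to external ones.
SAMPLE_LOG = """\
10.0.1.15 10.0.1.20 445
10.0.1.15 10.0.1.21 445
10.0.1.15 10.0.1.22 445
10.0.1.15 10.0.1.23 445
10.0.1.15 10.0.1.24 445
10.0.1.15 198.51.100.7 445
10.0.1.15 203.0.113.9 445
10.0.1.40 10.0.1.50 445
192.0.2.77 10.0.1.40 445
10.0.1.40 10.0.1.60 443
this line is malformed
"""

SMB_PORT = 445

# RFC 1918 ranges stand in for "internal" here (an assumption); adjust to the
# organisation's own address allocation.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (src, dst, port) tuples, skipping lines that are malformed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, int(port)
        except ValueError:
            continue


def analyse(records, scan_threshold=5):
    """Flag three things on TCP/445 traffic:
    - scanners: internal hosts contacting >= scan_threshold distinct SMB targets
    - outbound_external: internal hosts talking SMB to internet addresses
    - inbound_external: internal hosts reachable on SMB from the internet
    """
    smb_targets = defaultdict(set)   # internal src -> distinct 445 destinations
    outbound_external = set()        # (internal src, external dst) pairs
    inbound_external = set()         # internal hosts hit on 445 from outside
    for src, dst, port in records:
        if port != SMB_PORT:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in:
            smb_targets[src].add(dst)
            if not dst_in:
                outbound_external.add((src, dst))
        elif dst_in:
            inbound_external.add(dst)
    scanners = {h for h, targets in smb_targets.items() if len(targets) >= scan_threshold}
    return {
        "scanners": scanners,
        "outbound_external": outbound_external,
        "inbound_external": inbound_external,
    }


def report(text=SAMPLE_LOG):
    """Run the analysis over a log and print each finding category."""
    findings = analyse(parse_log(text))
    for name, hits in findings.items():
        print(f"{name}: {sorted(hits) if hits else 'none'}")
    return findings


if __name__ == "__main__":
    report()
```

The fan-out threshold is the knob to tune: file servers legitimately receive many SMB connections, but a workstation initiating SMB to five or more distinct peers in a short window is unusual, and any SMB crossing the internet boundary in either direction is worth a ticket regardless of count.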
Finally, once a machine was infected the DOUBLEPULSAR backdoor was installed. It is important to note that applying the patch does not remove an existing DOUBLEPULSAR infection.
AppCheck can detect externally exposed SMB services, SMB services that are vulnerable to MS17-010, and listening DOUBLEPULSAR infections.