WanaCrypt0r – Ransom Attack



With the global spread of this particular malware on Friday and the media coverage it has received, it is understandable that many customers want to know more about this threat and what they can do to protect against it.

WanaCrypt0r was an interesting step up from previous ransomware for a couple of reasons: firstly, it spread via a worm as opposed to individual infections; secondly, it was built on an NSA exploit only a couple of months after disclosure.

The spread of the worm has currently been halted by the registration of the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, which is now widely thought to be a form of poor man's sandbox evasion as opposed to a kill switch.

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

While widely thought to have first spread through a phishing campaign, the worm spread through a known exploit in SMB (MS17-010), which was patched by Microsoft on supported systems in mid-March. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Analysis of the code for the worm shows it was attempting to spread over both internal SMB connections and externally discovered SMB connections.

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
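For defenders, the two behaviours described above (lookups of the registered domain and SMB spreading) can be correlated in existing logs. The following is an added example, not AppCheck's code or part of the original post: it flags hosts that resolved the domain and separates out those also contacting many distinct addresses on TCP 445. The log formats, IP addresses and fan-out threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
FANOUT_THRESHOLD = 5  # assumed: distinct SMB destinations that count as scanning

# Constructed DNS log, format assumed: "<timestamp> <client_ip> <query_name>"
DNS_LOG = """\
2017-05-12T09:14:02 10.0.0.21 www.example.com
2017-05-12T09:14:07 10.0.0.37 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T09:15:11 10.0.0.52 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
"""

# Constructed firewall log, format assumed: "<timestamp> <src_ip> <dst_ip> <dst_port>"
FW_LOG = "\n".join(
    [f"2017-05-12T09:14:{10 + i:02d} 10.0.0.37 10.0.0.{100 + i} 445" for i in range(8)]
    + ["2017-05-12T09:16:00 10.0.0.52 10.0.0.5 445",
       "2017-05-12T09:16:05 10.0.0.21 10.0.0.5 445",
       "2017-05-12T09:16:09 10.0.0.21 203.0.113.9 443"]
)

def kill_switch_clients(dns_log):
    """Return client IPs that queried the domain (case and trailing dot ignored)."""
    hits = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].rstrip(".").lower() == KILL_SWITCH:
            hits.add(parts[1])
    return hits

def smb_fanout(fw_log):
    """Map source IP -> set of distinct destinations contacted on TCP 445."""
    fanout = defaultdict(set)
    for line in fw_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "445":
            fanout[parts[1]].add(parts[2])
    return fanout

def triage(dns_log, fw_log):
    """Label each host that queried the domain by its SMB fan-out."""
    fanout = smb_fanout(fw_log)
    result = {}
    for ip in sorted(kill_switch_clients(dns_log)):
        spreading = len(fanout.get(ip, ())) >= FANOUT_THRESHOLD
        result[ip] = "scanning" if spreading else "lookup-only"
    return result

if __name__ == "__main__":
    for host, verdict in triage(DNS_LOG, FW_LOG).items():
        print(host, verdict)
```

Both verdicts warrant investigation of the host; the fan-out label only helps prioritise which machines to isolate first.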

Finally, once a machine was infected, the DOUBLEPULSAR backdoor was installed. It is important to note that applying the patch does not remove the DOUBLEPULSAR infection.

AppCheck can detect both external SMB and SMB that is vulnerable to MS17-010, and also DOUBLEPULSAR infections that are listening.