WannaCrypt – What is it?

What is WannaCrypt?

  • A large Ransomware campaign that spread across the world.
  • The attack used a vulnerability that was patched in the March 2017 Security Update (MS17-010, SMBv1)
  • How can I mitigate WannaCrypt?

Timeline

August 2016
The Shadow Brokers attempt to auction NSA tools

September 2016
Microsoft encourages users to stop using SMB1

March 2017
Microsoft releases a Security Update (MS17-010) to address the SMB1 vulnerability

April 2017
The Shadow Brokers release the toolbox

  • Includes the SMB exploit (ETERNALBLUE) and the Trojan code (DOUBLEPULSAR)
  • Microsoft releases an advisory stating that no new vulnerabilities are found in the Shadow Brokers release

May 2017
WannaCrypt is released by an unknown attacker.
It utilizes [ETERNALBLUE] with [DOUBLEPULSAR] and a ransomware payload that demands 300-600 USD in Bitcoin from its infected hosts.

What does WannaCrypt do?

Infects

It attacks through [ETERNALBLUE] if MS17-010 is not installed.
If the attack is successful, it installs the Trojan [DOUBLEPULSAR].

Encrypts

Encrypts 179 file types.
Shows a message that demands payment of $300-$600 in Bitcoin to a listed wallet.


Spreads

It scans the local LAN and the wider internet for port 445.
If the port is open, it attempts to infect the host over SMBv1 [ETERNALBLUE].

Payments

We find references to three different wallets; these are:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 73 transactions, total of 17460 USD
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 98 transactions, total of 26570 USD
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 82 transactions, total of 23450 USD

This gives the attackers' wallets a total of 67480 USD (14:00 GMT 16.05.17).

Curious of how to mitigate it, or want to read how to disable the SMBv1 vulnerability or patch it? Check out my previous article on mitigation.

As always, if you have suggestions on topics you want to read more about, or feedback, leave a comment or tweet me at UlvBjornsson.

WannaCrypt – What can I do to mitigate?

Let’s try to reduce the attack vectors. I’ll walk you through the practical remedies and reductions of attack vectors you can do right now.

Turn off SMB 1

Why? Because WannaCry utilizes the SMB1 exploit, and unless you are on XP or 2003 you have no use for SMB1: you will be using SMB2/SMB3.
To disable SMBv1 on the SMB server, run the following cmdlet:

Windows 8 and Windows Server 2012

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Windows 7, Windows Server 2008 R2 and Windows Vista

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

You can also remove it with "Server Manager" or use this snippet:

Remove-WindowsFeature FS-SMB1

If you want to check whether or not SMB 1.0 is active on your server you can run:

Get-SmbServerConfiguration


As you can see, it states that EnableSMB1Protocol is currently True; we want to set this to False.

We can accomplish this by running the following snippet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

(-Force is added to prevent it from pausing for confirmation, so the command runs through.)

Let’s run this again to see if the configuration changed:

Get-SmbServerConfiguration

It is now set to False.

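The steps above (check the SMB1 state, disable it with the cmdlet or the registry value depending on the Windows generation, remove the feature where it exists, and re-check) can be put into one script. The following is an added example, not the article's own script: it assumes an elevated PowerShell session, and the function names Get-Smb1ServerState and Disable-Smb1Server are hypothetical; the cmdlets and the registry path are the ones the article uses.

```powershell
# Added example (not from the article): audit and disable SMBv1 on the SMB server side.
# Assumes an elevated PowerShell session on the host being changed.

function Get-Smb1ServerState {
    # Returns an object describing how SMB1 is configured on this host and which method applies.
    $hasSmbCmdlets = [bool](Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)
    if ($hasSmbCmdlets) {
        # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $method  = 'SmbServerConfiguration'
    } else {
        # Windows 7 / Server 2008 R2 / Vista: the setting lives in the LanmanServer registry key.
        # A missing SMB1 value means the default, which is "enabled".
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($null -eq $value) -or ($value.SMB1 -ne 0)
        $method  = 'Registry'
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $enabled
        Method       = $method
    }
}

function Disable-Smb1Server {
    # Disables SMB1 using the method appropriate for the host, then re-reads the state to verify.
    $before = Get-Smb1ServerState
    if (-not $before.Smb1Enabled) {
        Write-Host "SMB1 already disabled on $($before.ComputerName)"
        return $before
    }
    switch ($before.Method) {
        'SmbServerConfiguration' {
            # -Force suppresses the confirmation prompt so the script runs through unattended.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        'Registry' {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
            Write-Warning 'The registry change takes effect after the LanmanServer service or the host is restarted.'
        }
    }

    # On server SKUs that ship SMB1 as a removable feature, remove the feature as well
    # (Get-WindowsFeature is only present on Windows Server; FS-SMB1 only where the feature exists).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature FS-SMB1 -ErrorAction SilentlyContinue
        if ($feature -and $feature.Installed) {
            Remove-WindowsFeature FS-SMB1
        }
    }

    $after = Get-Smb1ServerState
    if ($after.Smb1Enabled -and $after.Method -eq 'SmbServerConfiguration') {
        throw "SMB1 is still enabled on $($after.ComputerName) after Set-SmbServerConfiguration"
    }
    $after
}

# Show the state before and after; the second call prints the verified result.
Get-Smb1ServerState
Disable-Smb1Server
```

On the registry path the script can only confirm that the value was written, since the server re-reads it at service start; the SmbServerConfiguration path is verified immediately. Run Get-Smb1ServerState alone on a set of hosts first if you only want an inventory of where SMB1 is still on.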

Patch your clients and servers.

WannaCrypt takes advantage of the MS17-010 vulnerability, also known as the SMBv1 vulnerability; thankfully it has been patched with MS17-010. Whatever your patch regime, you should expedite this patch and ensure that it goes through.
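To check whether the MS17-010 update is listed as installed on a host before you chase the patch, the installed hotfixes can be compared against the update's KB numbers. The following is an added example, not the article's own script: the KB identifiers are the March 2017 (and, for the older platforms, the May 2017 out-of-band) update numbers from Microsoft's MS17-010 bulletin, and the function name Test-Ms17010Installed is hypothetical.

```powershell
# Added example (not from the article): report whether an MS17-010 update is listed as installed.
# KB numbers are taken from Microsoft's MS17-010 bulletin; check the bulletin for your exact OS build.
$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP, Vista, Server 2003, Windows 8, Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2: security-only and monthly rollup
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507, 1511, 1607
)

function Test-Ms17010Installed {
    # Queries installed hotfixes on one or more hosts and flags those with an MS17-010 KB listed.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $Ms17010Kbs -contains $_.HotFixID }
            if ($installed) {
                $note = 'MS17-010 listed as installed'
            } else {
                # A later cumulative rollup that contains the fix may not list the March KB separately,
                # so a miss means "verify", not "confirmed vulnerable".
                $note = 'not listed: verify manually, a later rollup may supersede it'
            }
            [pscustomobject]@{
                ComputerName = $computer
                Ms17010Found = [bool]$installed
                MatchingKBs  = (@($installed.HotFixID) -join ',')
                Note         = $note
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer
                Ms17010Found = $false
                MatchingKBs  = ''
                Note         = "query failed: $($_.Exception.Message)"
            }
        }
    }
}

# Local host by default; pass -ComputerName with a list to sweep several machines.
Test-Ms17010Installed | Format-Table -AutoSize
```

Treat the Ms17010Found column as a prioritisation aid, not a vulnerability verdict: hosts that report a query failure or "not listed" are the ones to check first, and the SMB1 state from the previous section should be reviewed on every host regardless of patch status.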

If your systems have been affected, DOUBLEPULSAR will also have been installed, so it needs to be removed as well. A script is available (by COUNTERCEPT) that can remotely detect and remove the DOUBLEPULSAR backdoor.