
Like other Ransomware, WannaCry Encrypts Key User and Operating System Files

Posted by Susan Sison on May 18, 2017 11:02:29 AM

Beginning on Friday, May 12, a cyberattack of unprecedented size and scope was attributed to the malware called “WannaCry,” also known as Wannacryptor, WCry2, and so on.

Like other ransomware, WannaCry encrypts key user and operating system files, then demands a “ransom” denominated in the crypto-currency Bitcoin. Although paying the ransom has, in the past, sometimes resulted in the release of files, users are strongly advised against this course of action.

At this time, none of the infections appear to have been introduced by email. However, the capacity for this does exist, and there have been unconfirmed reports of the executable being encountered as a .zip-compressed .js file – potentially using password protection.

WannaCry’s unique feature and apparent source of intra-organizational spread is its ability to leverage the LAN to spread itself to other PCs.

Take the Following Steps Immediately to Protect Against WannaCry Variants

We strongly encourage users to verify the following on their systems:

  • Ensure an .exe strip rule is enabled in your gateway to stop inbound raw executables;
  • Enable blocking of password-protected compressed files during the outbreak period;
  • Patch systems against the vulnerability described in Bulletin MS17-010.

In addition, deploy IDS signatures: specifically, TOR rules, SID 2024218 (ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response), and ET signature 2024291 (ET Trojan Possible WannaCry DNS Lookup).

This will enable identification and blocking of WannaCry network commands.
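The first two gateway rules listed above (strip raw executables, block password-protected compressed files) can be sketched as an attachment check. This is an added example, not code from the original advisory or from Proofpoint; the extension list and the names `inspect_attachment` and `make_zip` are illustrative assumptions, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Assumed policy list (not from the advisory): executables and script droppers.
BLOCKED_EXT = (".exe", ".js", ".scr", ".vbs")

def inspect_attachment(name, data):
    """Return policy violations for one attachment; an empty list means allow."""
    reasons = []
    if name.lower().endswith(BLOCKED_EXT):
        reasons.append(f"blocked extension: {name}")
    if data[:2] == b"MZ":  # DOS/PE header: a raw Windows executable
        reasons.append("raw executable (MZ header)")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks an encrypted member.
                if info.flag_bits & 0x1:
                    reasons.append(f"password-protected member: {info.filename}")
                # With standard ZIP encryption, member names remain readable.
                if info.filename.lower().endswith(BLOCKED_EXT):
                    reasons.append(f"blocked member: {info.filename}")
    return reasons

def make_zip(member, encrypted=False):
    """Build a constructed sample ZIP; optionally mark its member encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits 6 bytes into the local header, 8 into the central one.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] |= 0x1
    return bytes(raw)

if __name__ == "__main__":
    for name, data in [("notes.zip", make_zip("readme.txt")),
                       ("docs.zip", make_zip("invoice.js", encrypted=True)),
                       ("update.exe", b"MZ" + b"\x00" * 62)]:
        print(name, inspect_attachment(name, data) or "allow")
```

The encrypted-member check reads only the archive's directory, so it needs no password and never decompresses content.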

WannaCry Effect on Proofpoint Users is Minimal

More than 100 countries were impacted by the initial spread of WannaCry.

Since then:

1) Malware Propagation was Effectively Stopped

Proofpoint researcher Darien Huss, collaborating with a UK counterpart, uncovered a “kill switch” in the ransomware and used it to effectively stop WannaCry’s network propagation. By registering a domain referenced in the malware’s code, Huss terminated its network propagation sequence.

2) Scams Immediately Emerged

By Saturday, May 15, Proofpoint was blocking a high volume of malicious email campaigns advertising “pre-emptive” defense against WannaCry 2.0. These emails claimed that for a one-time payment of 10 Bitcoins ($18,000, substantially higher than the original ransom demand), recipients would obtain “a special download that will protect you from all ransomware.”

This is a common post-event tactic. At best, respondents to such offers lose the payment. At worst, the offered downloads are malicious. Only work with a trusted security vendor when developing your data security plan, including backups of key files.

3) Additional WannaCry Variants Became Active Over the Next 36 Hours

By Sunday, May 14, two additional variants of WannaCry 2.0 emerged. They appear to be “patched” versions of the original, not unique releases. The first, WannaCry 2.0(a), was effectively halted using the same technique described by Huss.

WannaCry 2.0(b) was updated to remove the “kill switch” and, thus, is able to propagate freely through affected networks. However, its ransomware payload failed to properly deploy, thus causing no direct impact to targeted systems.

Threat Situation Remains Serious for Organizational Users

Our partner Proofpoint has tracked new variants of ransomware emerging every 2-3 days over the last 14 months, and there is no indication that the trend is slowing. The immense global publicity surrounding WannaCry makes “copycat” attacks more likely in the coming days.

Customers are strongly encouraged to review the suggested system settings and patches posted above in the original advisory.

At this time, there are no reports of WannaCry 2.0 or its variants successfully leveraging Proofpoint-protected vectors for infection of Proofpoint customers.

As always, please report any confirmed “false negatives” – that is, threats that appear to have used a Proofpoint-protected vector to gain entry. NCA security engineers are always available to help customers with their security concerns.

Topics: Ransomware, WannaCry
