The malware sends SMB packets containing the exploit shell code and an encrypted payload.ĭuring these communications the malware utilises two hardcoded IP addresses (192.168.56.20, 172.16.99.5) to communicate. If a host is found with open NetBIOS ports, three NetBIOS session setup packets are sent. The malware randomly generates internal and external IP addresses and attempts to initiate communications. At this stage of infection infected machines will need to be quarantined and rebuilt to remove the malware.The payload is executed and the encryption and self-propagation process begins.If the malware cannot connect to the kill switch domain:
At this stage of infection, Anti-Virus software with the latest malware signatures installed should be able to detect and remove the virus before further damage can be caused.the machine will not cryptolock and the malware will not spread. We believe the malware looks for the killswitch domain to be active once per day, and if it is present then the malware ceases to deploy the malicious elements, i.e.If the malware can connect to a kill switch domain the malware stops running: The malware is not proxy aware: when the malware connects to a kill switch domain via a proxy server, and a successful connection response is identifiable as the proxy server instead of the kill switch domain the malware will execute its payload.Once a system is infected, the malware first checks whether a specific internet domain, Connectivity to these kills switch domains needs to be maintained to limit the spread of the malware: The spread of the malware is dependent on NetBIOS and SMB communication ports being left open on hosts and at perimeter firewalls. This attack methodology leverages unpatched hosts with vulnerable SMB file sharing services to propagate malware through local and remote networks (such as the internet, N3/Transition Network, HSCN & PSN) spreading similar to a worm. SMB is a legacy protocol used to share files and printers across local networks WannaCry ransomware is propagated using the SMB EternalBlue and DoublePulsar attack methodology (CC-1353) which exploits the SMB vulnerabilities patched in Microsoft Security Bulletin MS17-010. At the time of publication there is no known decryption method.
It uses strong encryption and targets specific often-used files such as documents, videos and pictures. The malware encrypts files and provides the user with a prompt which includes a ransom demand, a countdown timer and Bitcoin wallet to pay the ransom into. The ransomware is called WannaCry, Wanna Decryptor, Wanna Cryptor, WanaCrypt0r or WCry version 2.0 and spread quickly around the world after it was first detected on 12th May. This attack was not specifically targeted at the NHS and is affecting many organisations around the world from a range of sectors. The patching of all affected versions should be prioritised. These vulnerabilities are highly likely to be used by future malware variants to achieve local and remote network self-propagation.