Know How...

May 18th 2017

Know How... 312

Networking 102: WannaCry Ransomware

We play with the new ransomware exploit hitting the web called "WannaCry".
Although the show is no longer in production, you can enjoy episodes from the TWiT Archives.
Category: Help & How To

We take a look at how the ransomware WannaCry works and how, along with how not to get infected and what to do if you are. 


* Used the NSA-developed "Eternal Blue" that was released by the shadow brokers
* Initial infection was via emailed link or attachment
* Once Infected
1. Checks a domain to see if it responds (kill-switch)
2. Exploits an SMB vulnerability to move laterally
3. Installs the "DoublePulsar" Backdoor (which stays even if ransom is paid for decrypt)
4. Demands $300-$600 in bitcoin
* We have to wait for numbers, but anecdotally it seems that XP is taking the brunt of the attack

First Impact
* > 400,000 computers infected so far
* > 200 countries (Across Europe, Asia, some of the Americas)
* Shut down manufacturing at Renault in France and Romania
* Shut down Nissan in England
* Also affected health services in Brittian and required patients to be redirected

* Didn't hit the US as much b/c by the time the attack had turned, filters were attuned to the Phishing attack
* A British researcher, "@MalwareTechBlog" on Twitter,  noticed that the malware was trying ot connect to a domain. He registered it and it mitigated the attacks.
- We know he's a 22-year old from south-west England who works for LA-based threat-intelligence company, "Kryptos Logic"

Second Impact
* Researchers are confirming that there is a second revision of WannaCry in circulation that removed the kill-switch check
* There have been MILLIONS of office computers left attended over the weekend, many probably left on.
- There WAS a rise in infections, but not the MASSIVE infection some were worried about

Second Mitigation
* Non-tech media (and even CNET/CBS) are speaking of this attack as if it is over. VERY not the case
* The second version does NOT check for the kill-switch site
* Steps to take:
1. Backup
2. No clicking, no attachments
3. If you are in a high-risk network, disconnect, d/l the patches from a secured machine, run offline, reconnect
4. If you have the tools, look for probing SMB attacks

* MS released a patch for this in March 2017
** They ALSO released a patch for XP and Sever 2003, even though those are no longer in use.

What to watch for LLMNR
* Local-Link Multicast Name Resolution
* This is a Windows protocol that provides name resolution for hosts on the same local link

Connect with us!

Thanks to CacheFly for the bandwidth for this show.