Echoes of cyberwar

Appearing to be a global epidemic: WannaCry has infected more than 200,000 PCs in more than 150 countries. Spreading across the networks of Universities, Renault, Nissan factories in France and Japan and impacting huge telecom and railway networks, including Telefonica in Spain and Deutsche Bahn in Germany. Hospitals in the UK were even forced to cancel operations as ransomware demanded payment to regain access to medical records. What was the motivation? Money? The WannaCry operators only managed to earn about $43,000 - nothing compared to the average targeted attack.

No it isn't, but it employed APT tools.

Technically this malware is quite simple. It attacks all the hosts available on the local network and scans internet for more vulnerable hosts.

This attack campaign and its global impact highlights the unexpected consequences of the development of cyber weaponry and the results when these advanced tools are employed by criminal groups: Wanna Cryptor uses EternalBlue, supposedly an NSA exploit released in the Shadow Brokers leak on 14th April.

Although the attack tactics are advance, there is nothing new in them. Mirai, IoT botnet behind historically large DDoS attack on cybersecurity blog site KrebsOnSecurity on September 2016, was built with the same approach to distribution and stealthy techniques.

Few other peculiarities of Wanna Cryptor are:

• Self-replication: Wanna Cryptor spreads itself onto other computers in a manner of a computer worm. It starts 2 threads: 1st scan LAN on port 445 for vulnerable hosts, 2nd tries to exploit vulnerability on a randomly generated IPs at a speed of 1000 IPs per minute.
  
  
• Targeted encryption: the malware chooses the most sensitive docs for encryption: email, encryption keys and certificates, sourcecode files, archives, office files, virtual machines, databases.
  
  
• Anti-forensics: it installs TOR to contact C&C server.

Wanna Cryptor incident is not the first time that cybercriminals actively use leaks of exploits and utilities from the arsenal of special services. With the help of another tool, NSA-backdoor DoublePulsar designed to infiltrate and launch malicious programs, the attackers managed to infect more than 47,000 Windows machines in the US, UK, and Taiwan. These hacked computers can be used to spread malicious programs, send spam, conduct cyber attacks and espionage etc.

Only if they launch it manually or if they access Internet via provider's local network. Home routers configured by default don't allow 445 port – used by the malware for self-propagation – to be seen from the outside.

Yes, but only if don't launch the malware file manually. In this case your computer will be
encrypted even if patched properly.

Microsoft has issued a special series of security updates for Win Server 2003 and Win XP. Install them ASAP. Otherwise you're at risk.

Neither Group-IB, nor anyone can confirm or deny Russian origin of the attackers without thorough investigation. We haven't found among targeted extensions files of "1C:Enterprise", the most popular accounting / inventory management software in Russia, which are typically targeted by ransomware developed by Russian threat actors. But no conclusion can be made without further investigation.

We don't have any info to state that gov bodies were aimed. The malware scans ANY host in a network irrespective of its nature.

We don't recommend to pay the ransom, since:

• You sponsor the criminals
• We have no evidence that the data of those who's paid has ever been restored.

The massive attack has been stopped. A UK researcher managed to suspend infection has registered a domain the malware pinged to start its activity. As soon as there was no domain registered the malware was launched. Now that the domain is registered the malware that is installed pings it and when gets a reply ceases any activity.

However organizations that use proxies will not benefit from the kill-switch, since Wanna Cryptor won't be able to reach that domain.

The only reliable way to be protected is to install the security updates and not to launch the malware manually.

We can only guess, but we believe it is as "circuit breaker" for the malware authors to use, if the situation goes out of control.

It won't take cybercriminals long to modify the malware and launch the attack again. So, it can be a temporary respite. Someone (supposedly not the developer of original Wanna Cryptor) has already uploaded to VirusTotal the new version of Wanna Cryptor with kill-switched removed.

The only reliable way to be protected is to install the security updates and not to launch the malware manually.

If you see that your computer is considerably slowing down and files with strange extensions appear, power down your computer immediately. Thus, you prevent files from encryption. Professionals will help you to restore your data. By the way Group-IB Threat Intelligence informed its customers about the vulnerability used by Wanna Cryptor in advance.