
What to do if WannaCry Ransomware Hits You

Security | May 15, 2017

Cyberattacks leveraging variants of the “WannaCry” ransomware have hit hundreds of thousands of computers in 150 countries since Friday.

If you logged on this morning to a popup like this on your computer, you should take some steps immediately. 


If you are an administrator or security team leader: the “WannaCry 2.0” ransomware variant exploits a remote code execution vulnerability in older Microsoft Windows operating systems, such as XP. Microsoft has released an update (MS17-010) to patch the vulnerability, which you should push immediately: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. YARA signatures and IOCs are linked below.

For users:

  1. Unless your IT department tells you otherwise, do not unplug or shut down systems. Your first step should be to contact your information security team (if you do not know who that is, reach out to your IT staff). Shutting down a system could result in the permanent loss of data.
  2. Information security and incident response teams, internal or external, can determine the extent of the infection and the proper remediation. In some cases, trained incident responders can use memory forensics to recover encryption keys and unlock data without paying a ransom.
  3. Regarding payment: in general, law enforcement agencies like the FBI discourage ransom payments because they encourage more attacks. There are also several indications that, even if you do pay, you are unlikely to regain access. Every organization must make its own decision about payment. However, if your system is already encrypted, you will very likely not be able to regain access to data that was not backed up.

For administrators and security teams, the United States Computer Emergency Readiness Team (US-CERT) has published YARA signatures with an accompanying .xlsx of IOCs here: https://www.us-cert.gov/ncas/alerts/TA17-132A. YARA signatures can be imported into endpoint detection and response tools like EnCase Endpoint Security to detect any infected systems and begin remediation.

YARA Signatures

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {410044004D0049004E0024}
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}
        $s8 = "unzip 0.15 Copyrigh"
        $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
        $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
        $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}
        $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}
        $s13 = "WNcry@2ol7"
        $s14 = "wcry@123"
        $s15 = "Global\\MsWinZonesCacheCounterMutexA"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}

/* The following YARA ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str2 = "LANMAN1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $ms17010_str4 = "__TREEID__PLACEHOLDER__"
        $ms17010_str5 = "__USERID__PLACEHOLDER__"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}
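Before importing a rule like Wanna_Cry_Ransomware_Generic into an EDR, it is worth knowing what its condition actually requires. The following is an added example, not code from US-CERT or from this post: a minimal Python evaluator for that one rule, with constructed sample buffers, showing what the hex strings decode to and that YARA's precedence (and binds tighter than or) makes three of the clauses single-string matches.

```python
# Added example, not code from US-CERT or the original post: a minimal evaluator
# for the Wanna_Cry_Ransomware_Generic rule above. It shows what the rule's hex
# strings decode to and that, because 'and' binds tighter than 'or' in YARA, the
# condition is seven independent clauses, three of them a single string match.
# Only the string kinds this rule uses (plain text, fixed hex bytes) are handled.

TEXT_STRINGS = {  # copied verbatim from the rule above
    "s1": "WannaDecryptor", "s2": "WANNACRY",
    "s3": "Microsoft Enhanced RSA and AES Cryptographic", "s4": "PKS",
    "s5": "StartTask", "s6": "wcry@123", "s8": "unzip 0.15 Copyrigh",
    "s9": "Global\\WINDOWS_TASKOSHT_MUTEX", "s10": "Global\\WINDOWS_TASKCST_MUTEX",
    "s13": "WNcry@2ol7", "s14": "wcry@123",
    "s15": "Global\\MsWinZonesCacheCounterMutexA",
}
HEX_STRINGS = {  # copied verbatim from the rule above (no wildcards are used)
    "s0": "410044004D0049004E0024",
    "s7": "2F6600002F72",
    "s11": "7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163",
    "s12": "6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68",
}

def pattern_bytes(name):
    """Raw bytes that $name matches (YARA text strings are ASCII, case-sensitive)."""
    if name in HEX_STRINGS:
        return bytes.fromhex(HEX_STRINGS[name])
    return TEXT_STRINGS[name].encode("ascii")

def matched_strings(data):
    """Identifiers whose pattern occurs anywhere in the byte buffer."""
    return {n for n in (*TEXT_STRINGS, *HEX_STRINGS) if pattern_bytes(n) in data}

def rule_fires(data):
    """The rule's condition, with the operator precedence YARA applies (and > or)."""
    m = matched_strings(data)
    has = lambda *names: all(n in m for n in names)
    return (has("s0", "s1", "s2", "s3") or has("s4", "s5", "s6", "s7")
            or has("s8", "s9", "s10") or has("s11", "s12")
            or has("s13") or has("s14") or has("s15"))

# Constructed sample buffers (not real files), one per outcome worth knowing:
SAMPLE_SINGLE = b"...cfg..." + b"WNcry@2ol7" + b"..."    # $s13 alone is enough
SAMPLE_MUTEX = (b"unzip 0.15 Copyrigh\x00Global\\WINDOWS_TASKOSHT_MUTEX\x00"
                b"Global\\WINDOWS_TASKCST_MUTEX")           # third clause complete
SAMPLE_PARTIAL = b"A\x00D\x00M\x00I\x00N\x00$\x00WannaDecryptor WANNACRY"  # $s3 missing
SAMPLE_BENIGN = b"Microsoft Enhanced RSA and AES Cryptographic Provider"  # CSP name alone

if __name__ == "__main__":
    for label, buf in [("single", SAMPLE_SINGLE), ("mutex", SAMPLE_MUTEX),
                       ("partial", SAMPLE_PARTIAL), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:8} fires={rule_fires(buf)!s:5} matched={sorted(matched_strings(buf))}")
```

Because $s6 and $s14 are the same literal, any buffer containing "wcry@123" fires through $s14 regardless of the rest of that clause; treat hits on the single-string clauses as lower-confidence and confirm with the full US-CERT IOC list.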

The good news: the attack appears to be slowing down.

The bad news: as noted above, if your system is encrypted, you will most likely not be able to regain access to data that was not backed up.

This attack should serve as a wake-up call for users, corporate IT/security, and executives: cybersecurity and information governance must be a top priority. WannaCry would not be a global issue but for a lack of critical patching. CIOs/CISOs at any infected organizations need to review their procedures and work out why critical patches are not being applied in a timely manner. In 2016, ransomware netted cybercriminals $1 billion. This figure will be substantially larger in 2017.

Impacted by this attack or not, there are steps organizations can take to help prevent similar attacks in the future. For more information on how forensic security solutions from Guidance Software can help, visit www.guidancesoftware.com or request a demo.

Anthony Di Bello is senior director of product marketing at Guidance Software and is responsible for the voice of the customer and go-to-market strategy across Guidance Software forensic security, data risk management and digital investigations products. An 11-year veteran of Guidance, Anthony previously served as director of strategic partnerships.
