WannaCrypt
WannaCry / WanaCrypt0r / Wcrypt — exploitation of MS17-010 (CVE-2017-0144 / EternalBlue)
What's WannaCrypt?
WannaCrypt Ransomware, also known by the names WannaCry, WanaCrypt0r or Wcrypt is a ransomware which targets Windows operating systems. Discovered on 12th May 2017, WannaCrypt was used in a large Cyber-attack and has since infected more than 230,000 Windows PCs in 150 countries. WannaCrypt initial hits include UK's National Health Service, the Spanish telecommunications firm Telefónica, and the logistics firm FedEx. Such was the scale of the ransomware campaign that it caused chaos across hospitals in the United Kingdom. Many of them had to be shut down triggering operations closure on short notice, while the staff were forced to use pen and paper for their work with systems being locked by Ransomware.
- CVSS Score: 8.5 (High) for CVE-2017-0144 (EternalBlue), though the ransomware's impact amplifies its severity.
- Affected Systems: All Windows versions with SMBv1 enabled, including unsupported systems like Windows XP and Server 2003, and supported systems like Windows 7, 8.1, 10, and Server editions prior to MS17-010.
- Wormable: Yes, self-propagates via EternalBlue across networks, exploiting port 445.
- Exploitation: Pre-authentication via crafted SMB packets, enabling remote code execution.
- Discovery: Identified by the Shadow Brokers' leak in August 2016, with Microsoft addressing it by March 2017.
- Notification: Microsoft's MS17-010 advisory on March 14, 2017, with public urgency after the May 12, 2017, attack.
- Vendor Patch Timeline: MS17-010 released March 14, 2017; emergency patches for unsupported systems on May 14, 2017.
Timeline of Related Events
- August 2016 Shadow Brokers Emerge. A hacking group known as the Shadow Brokers surfaced and started auctioning off NSA attack tools. The group claimed to have hacked the Equation Group, known for creating malware like Stuxnet and Flame. The auction included weaponizable code, zero-day exploits, and trojans.
- September 2016 Microsoft Encourages Users to Stop Using SMB1. Microsoft released a blog post urging users to disable the outdated and insecure SMB1 protocol, which is vulnerable to attacks. Microsoft Blog
- March 2017 MS17-010 Security Update Released. Microsoft issued the MS17-010 security update, which specifically addressed vulnerabilities in the SMB1 protocol that could be exploited by the ETERNALBLUE exploit.
- April 2017 Shadow Brokers Release NSA Exploits. The Shadow Brokers group released a trove of NSA hacking tools, including the exploit ETERNALBLUE, which targeted the SMB1 protocol. It also included Trojan code named DOUBLEPULSAR, used to facilitate malware installation on infected systems.
- May 2017 WannaCrypt Ransomware Attack Begins. The WannaCry ransomware attack began, using the ETERNALBLUE exploit to spread rapidly. Attackers, leveraging the leaked NSA tools, demanded ransom payments of $300–$600 USD in Bitcoin to decrypt infected systems.
How does WannaCrypt ransomware get into your computer?
As evident from its worldwide attacks, WannaCrypt first gains access to the computer system via an email attachment and thereafter can spread rapidly through the LAN. The ransomware encrypts the system's hard disk and attempts to exploit the SMB vulnerability to spread to random computers on the Internet over TCP port 445 and to other computers on the same network.
WannaChecker Vulnerability ID
If you are not sure whether your computer is vulnerable, I programmed the "WannaChecker Vulnerability ID" tool, which will help you identify whether you need a Microsoft patch or not.
What WannaCrypt Does
1) Infect
- Runs the attack if MS17-010 is not installed [ETERNALBLUE]
- Installs the Trojan if the attack is successful [DOUBLEPULSAR]
2) Encrypt
- Encrypts over 150 file types
- Shows the ransom message and demands payment in Bitcoin
3) Spread
- Scans the local LAN and the wider Internet for port 445
- Attempts infection if the port is open
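The spread step above has a network signature a defender can look for: one host opening connections to many distinct peers on TCP/445 within seconds, both inside the LAN and towards the wider Internet, whether or not the firewall lets them through. The following Python is an added example, not code from this page or from any tool its author describes. It runs a sliding-window fan-out check over constructed firewall log lines (the log format, field names, host addresses and the 60-second / 5-target thresholds are all assumptions) and flags the offending source, noting whether any target lies outside RFC 1918 space.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (not from the page). Host 10.0.0.5 fans out
# to six distinct hosts on TCP/445 within a few seconds, one of them outside the
# private ranges; 10.0.0.9 only talks to its usual file server and a web server.
SAMPLE_LOG = """\
2017-05-12T10:00:01Z src=10.0.0.5 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:00:01Z src=10.0.0.5 dst=10.0.0.8 dport=445 action=deny
2017-05-12T10:00:02Z src=10.0.0.5 dst=10.0.0.9 dport=445 action=deny
2017-05-12T10:00:02Z src=10.0.0.5 dst=10.0.0.10 dport=445 action=deny
2017-05-12T10:00:03Z src=10.0.0.5 dst=10.0.0.11 dport=445 action=deny
2017-05-12T10:00:05Z src=10.0.0.5 dst=203.0.113.10 dport=445 action=deny
2017-05-12T10:00:04Z src=10.0.0.9 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:01:30Z src=10.0.0.9 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:02:00Z src=10.0.0.9 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:02:10Z src=10.0.0.9 dst=10.0.0.20 dport=80 action=allow
"""

# Assumed log line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# RFC 1918 ranges; anything else is treated as "wider Internet" here.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "action": d["action"],
    }


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def find_smb_fanout(lines, window_seconds=60, threshold=5):
    """Flag sources that reach at least `threshold` distinct hosts on TCP/445
    inside any window of `window_seconds`. Denied attempts count as well: a
    blocked scanner still reveals itself by the number of targets it tries."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["dport"] == 445:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # dst -> hits currently inside the sliding window
        left, peak = 0, 0
        for ev in events:
            in_window[ev["dst"]] += 1
            # Advance the left edge until every event in the window is recent enough
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = {
                "peak_distinct_targets": peak,
                "external_targets": any(is_external(e["dst"]) for e in events),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {info}")
```

On the sample above only 10.0.0.5 is reported (six distinct targets, one external); the file-server client 10.0.0.9 never exceeds one distinct target. Tune the window and threshold to what a legitimate workstation does on your network: a backup server or vulnerability scanner will legitimately exceed these numbers and should be allow-listed rather than lowering the threshold for everyone.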
Recommended Actions — To Prevent
- If one of the updates listed below is installed on your system, the system is protected.
- The vulnerability was fixed in Microsoft's March 2017 security update. The March, April and May rollups also include all previous updates, including the March security update.
- Microsoft has released many updates, some of which supersede others.
- It is important to keep the Windows Firewall enabled and Windows Update turned on so that updates install automatically.
Recommended Actions — If Affected
- Contact Support, your IT Team or if you are alone, email wannacry-help@deretti.net
- Clean up your machine and Recover the system — Follow this Microsoft Article.
- Submit New Sample — If you believe you have detected a new threat or sample, please retrieve a sample of the malware and send it to the Microsoft Malware Protection Team.
Applicable Microsoft KB Patches
The most important Microsoft KB regarding WannaCry and SMBv1 is Microsoft Security Bulletin MS17-010, which can be found here. I am still validating the KBs below and their relevance.
Windows Vista & 2003: KB4012598
Windows 7: KB4012212 | KB4012215 | KB4015549 | KB4019264
Windows 8.1: KB4012216 | KB4015550 | KB4019215
Windows 10: KB4013198 | KB4015219 | KB4012606 | KB4019474 | KB4019473 | KB4013429 | KB4019472
Windows Server 2008: KB4012598 | KB4018466
Windows Server 2008 R2: KB4012212 | KB4012215 | KB4015549 | KB4019264
Windows Server 2012: KB4012214 | KB4012217 | KB4015551 | KB4019216
Windows Server 2012 R2: KB4012213 | KB4012216 | KB4015550 | KB4019215
Windows Server 2016: KB4013429 | KB4019472 | KB4015217 | KB4015438 | KB4016635
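The prevention rule above ("any one of the listed updates installed means protected") and the KB table combine into an offline triage check that can be run over exported hotfix listings without touching the hosts. The following Python is an added example, not code from this page or from the author's tools; the KB-to-product mapping is transcribed from the table above, while the hotfix listing, host name and OS captions are constructed inputs. Because the author is still validating the table and later cumulative updates supersede these KBs, a "missing" verdict means none of the listed IDs was seen and the host needs a manual look, not that it is proven unpatched.

```python
import re

# Applicable MS17-010 KBs per product, transcribed from the table on this page.
MS17_010_KBS = {
    "Windows Vista": {"KB4012598"},
    "Windows Server 2003": {"KB4012598"},
    "Windows 7": {"KB4012212", "KB4012215", "KB4015549", "KB4019264"},
    "Windows 8.1": {"KB4012216", "KB4015550", "KB4019215"},
    "Windows 10": {"KB4013198", "KB4015219", "KB4012606", "KB4019474",
                   "KB4019473", "KB4013429", "KB4019472"},
    "Windows Server 2008": {"KB4012598", "KB4018466"},
    "Windows Server 2008 R2": {"KB4012212", "KB4012215", "KB4015549", "KB4019264"},
    "Windows Server 2012": {"KB4012214", "KB4012217", "KB4015551", "KB4019216"},
    "Windows Server 2012 R2": {"KB4012213", "KB4012216", "KB4015550", "KB4019215"},
    "Windows Server 2016": {"KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635"},
}

# Constructed Get-HotFix style listing (host name and the second KB are made up).
SAMPLE_HOTFIX_OUTPUT = """\
Source        Description      HotFixID    InstalledBy          InstalledOn
------        -----------      --------    -----------          -----------
WS-FILE01     Security Update  KB4012212   NT AUTHORITY\\SYSTEM  3/15/2017 12:00:00 AM
WS-FILE01     Update           KB9999999   NT AUTHORITY\\SYSTEM  1/10/2017 12:00:00 AM
"""

KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def extract_kbs(text):
    """Pull KB identifiers out of any hotfix listing (Get-HotFix, wmic qfe, systeminfo),
    normalising case so 'kb4012212' and 'KB4012212' compare equal."""
    return {"KB" + n for n in KB_RE.findall(text)}


def match_product(os_caption):
    """Map an OS caption to a table row. The longest matching product name wins,
    so 'Windows Server 2008 R2' is not mistaken for 'Windows Server 2008'."""
    best = None
    caption = os_caption.lower()
    for product in MS17_010_KBS:
        if product.lower() in caption and (best is None or len(product) > len(best)):
            best = product
    return best


def ms17_010_status(os_caption, hotfix_text):
    """Return (status, product, matching_kbs) where status is
    'protected', 'missing' or 'unknown' (OS not in the table)."""
    product = match_product(os_caption)
    if product is None:
        return ("unknown", None, set())
    found = extract_kbs(hotfix_text) & MS17_010_KBS[product]
    return ("protected" if found else "missing", product, found)


if __name__ == "__main__":
    for caption in ("Microsoft Windows Server 2008 R2 Standard", "Microsoft Windows 8.1 Pro"):
        status, product, found = ms17_010_status(caption, SAMPLE_HOTFIX_OUTPUT)
        print(f"{caption}: {status} ({product}, {sorted(found)})")
```

Run against a per-host export of `Get-HotFix` output and the OS caption from `Win32_OperatingSystem`, the function sorts a fleet into protected, missing and unknown buckets; the "missing" bucket is the worklist for the PowerShell script further down or for a manual check against the Update Catalog.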
PowerShell Script — System Identification Tool
I developed the following PowerShell script to help you scan one computer or several computers in a network and check whether each system is vulnerable and needs a Windows hotfix, or whether it is safe.
# Applicable MS17-010 KBs per product, taken from the KB table above.
# Any ONE of a product's KBs being installed means the host is protected: the
# later monthly rollups supersede the March security-only update, and a host
# must not be flagged merely because it lacks KBs that belong to other products.
$ms17_010_patches = @{
    "Windows Vista"          = @("KB4012598")
    "Windows Server 2003"    = @("KB4012598")
    "Windows 7"              = @("KB4012212", "KB4012215", "KB4015549", "KB4019264")
    "Windows 8.1"            = @("KB4012216", "KB4015550", "KB4019215")
    "Windows 10"             = @("KB4013198", "KB4015219", "KB4012606", "KB4019474", "KB4019473", "KB4013429", "KB4019472")
    "Windows Server 2008"    = @("KB4012598", "KB4018466")
    "Windows Server 2008 R2" = @("KB4012212", "KB4012215", "KB4015549", "KB4019264")
    "Windows Server 2012"    = @("KB4012214", "KB4012217", "KB4015551", "KB4019216")
    "Windows Server 2012 R2" = @("KB4012213", "KB4012216", "KB4015550", "KB4019215")
    "Windows Server 2016"    = @("KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635")
}

# Check the MS17-010 patch state of a single computer
function Check-MS17-010 {
    param(
        [string]$computer
    )
    Write-Host "Checking if $computer has an MS17-010 patch installed..."
    try {
        # Identify the product so that only the KBs that apply to it are considered.
        # The longest matching name wins, so "Windows Server 2008 R2" is not
        # mistaken for "Windows Server 2008".
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer
        $product = $ms17_010_patches.Keys |
            Where-Object { $os.Caption -like "*$_*" } |
            Sort-Object Length -Descending |
            Select-Object -First 1
        if (-not $product) {
            Write-Host "${computer}: Unrecognised OS '$($os.Caption)'. Compare its hotfixes with the KB table manually."
            return
        }
        # Retrieve installed hotfixes (KB patches) from the remote computer
        $installed = (Get-HotFix -ComputerName $computer).HotFixID
        $found = $ms17_010_patches[$product] | Where-Object { $installed -contains $_ }
        if ($found) {
            Write-Host "$computer ($product): MS17-010 is installed ($($found -join ', ')). System is not vulnerable."
        } else {
            Write-Host "$computer ($product): Warning - none of $($ms17_010_patches[$product] -join ', ') is installed. Apply MS17-010."
        }
    }
    catch {
        # "${computer}:" is needed: "$computer:" would be parsed as a drive-qualified variable
        Write-Host "${computer}: Unable to check patches. Error: $_"
    }
}

# Check SMBv1 status for a single computer
function Check-SMBv1 {
    param(
        [string]$computer
    )
    Write-Host "Checking if SMBv1 is enabled on $computer..."
    try {
        $smb1_key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
        $smb1_value = Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-ItemProperty -Path $using:smb1_key -Name SMB1 -ErrorAction SilentlyContinue
        }
        # An absent SMB1 value means the default applies, and on the legacy
        # versions listed on this page the default is SMBv1 ENABLED. Only an
        # explicit 0 disables the server side. (Windows 10 1709 and later ship
        # without the SMB1 feature; query Get-WindowsOptionalFeature there.)
        if ($null -eq $smb1_value) {
            Write-Host "${computer}: Warning - SMB1 value not set, so the default (enabled) applies. Disable SMBv1 to protect against ETERNALBLUE."
        } elseif ($smb1_value.SMB1 -ne 0) {
            Write-Host "${computer}: Warning - SMBv1 is enabled (SMB1 = $($smb1_value.SMB1)). Disable it to protect against ETERNALBLUE."
        } else {
            Write-Host "${computer}: SMBv1 is disabled. The system is not vulnerable to ETERNALBLUE."
        }
    }
    catch {
        Write-Host "${computer}: Unable to check SMBv1 status. Error: $_"
    }
}

# Main script logic: read the computer list and run both checks per host
$computerListFile = "ComputerList.txt"
if (Test-Path $computerListFile) {
    $computers = Get-Content $computerListFile | Where-Object { $_.Trim() -ne "" }
    foreach ($computer in $computers) {
        Check-MS17-010 -computer $computer
        Check-SMBv1 -computer $computer
        Write-Host "--------------------------------------------------"
    }
} else {
    Write-Host "Error: $computerListFile not found."
}
Windows Update for Out-of-Support Products
Link to Windows Update (out-of-support products)
- Windows Server 2003 SP2 x64
- Windows Server 2003 SP2 x86 and Windows XP SP2 x64
- Windows XP SP3 x86
- Windows XP Embedded SP3 x86
- Windows 8 x86 and Windows 8 x64
End of Support Products
Microsoft products like Windows 7, Windows 8.1, and earlier versions of Windows Server (2008 R2 and 2012) are no longer supported, meaning they do not receive regular security updates or patches. These systems are vulnerable to exploits like WannaCry and ETERNALBLUE unless manually patched or upgraded.
Patch for WannaCry and ETERNALBLUE (MS17-010)
Even though some products are out of support, Microsoft made an exception and released the MS17-010 patch for WannaCry and ETERNALBLUE vulnerabilities on unsupported systems, including:
- Windows XP
- Windows Server 2003
- Windows 8
You can find these patches on the Microsoft Update Catalog.
Extended Security Updates (ESU)
Some versions of Windows, such as Windows 7 and Windows Server 2008 R2, are eligible for Extended Security Updates (ESU). This program allows organizations to receive critical and important security updates for a few additional years. ESU is available for:
- Windows 7 Professional and Enterprise (until January 2023)
- Windows Server 2008 and 2008 R2 (until January 2023)
For more details on ESU, visit the Microsoft Lifecycle FAQ.
Security Update Resources
If your system is unsupported and you do not have ESU, you can still manually download and install available updates for out-of-support systems from the Microsoft Update Catalog:
- Microsoft Update Catalog
- Search for the required KB patch (e.g., the KB for MS17-010 that applies to your Windows version, listed above).
- Manually install the update.
Upgrade Path
To maintain full security and support, Microsoft recommends upgrading to newer, supported versions of Windows:
- For Windows 7/8/8.1: Upgrade to Windows 10
- For Windows Server 2008/2012: Upgrade to Windows Server 2016
Specific Product End-of-Support Dates
- Windows 7: End of support on January 14, 2020.
- Windows Server 2008 / 2008 R2: End of support on January 14, 2020 (ESU available until January 2023).
- Windows 8 / 8.1: End of support on January 10, 2023.
For more details, refer to the Windows Lifecycle FAQ on the Microsoft Docs site.