Quick walk-through of the ransomware attack called WannaCry
Ransomware is malicious software that encrypts a victim's files and folders or locks the device (computers, laptops, smartphones) and then demands a ransom to restore access. The ransomware named 'WannaCry' infected numerous computers worldwide in May 2017 and caused the biggest ransomware outbreak the world had seen to date.
Note that Linux machines are not infected by WannaCry; the attack applies only to Windows-based machines. Files on a share served by a Linux or NAS host can still be encrypted, however, if an infected Windows client has write access to that share.
WannaCry is also known as WannaCrypt, WCrypt, WanaCrypt0r and WCRY.
The ransomware spreads by exploiting a flaw in version 1 of Windows' network file sharing protocol, SMB (Server Message Block), using the exploit known as "EternalBlue", which delivers the malware to the target over port 445 without any user interaction. The worm's exploit works against unpatched Windows versions before Windows 10 (XP through 8.1 and Server 2012 R2); the MS17-010 update fixes the underlying SMBv1 flaw and must be applied on every version, Windows 10 included, because any host missing it is exposed.
Impact:
Once a host is infected, the malware encrypts the files and displays a pop-up with a countdown and instructions on how to pay $300 in Bitcoin to decrypt and recover the original files. If the ransom is not paid within 3 days the amount doubles to $600, and the note threatens that all the data will be lost for good. The EternalBlue exploit used to deliver it also installs the DOUBLEPULSAR backdoor, an in-memory kernel implant that stays usable by anyone who can reach port 445 until the host is rebooted, so a host that was exploited but not encrypted is still compromised.
This is what Kerala Police Cyberdome, India, recommends to prevent infection:
- Microsoft has released the Windows security patch MS17-010. It needs to be applied immediately and urgently. Remove Windows NT4, Windows 2000 and Windows XP/2003 from production environments.
- Block ports 139 and 445 (SMB) and 3389 (RDP) on the firewall.
- Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
- SMBv1 is enabled by default on older Windows versions. Disable it on the machine (Control Panel > Programs > Turn Windows features on or off > uncheck SMB 1.0/CIFS File Sharing Support > OK).
- Make sure your software is up-to-date.
- Have a pop-up blocker running on your web browser.
- Regularly backup your files.
- Install a good antivirus and a good anti-ransomware product for better security.
Below is a consolidated list of indicators to block on your firewall/antivirus. Two caveats before loading it: the :445 entries are hosts the sample was observed trying to reach over SMB, and since the worm picks its targets at random, blocking them has little value beyond confirming an infection in your own logs; the :9001, :9003 and :443 entries are Tor relays the malware contacts to reach the .onion payment sites, so connections to them from a workstation are the more useful alert.
IPs (address:port)
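The first four recommendations above (apply MS17-010, block 139/445/3389, disable SMBv1) can be checked and enforced from one elevated PowerShell session. The script below is an added example written for this page; it is not Kerala Police Cyberdome's or Microsoft's code. It assumes Windows 8 / Server 2012 or later (Get-SmbServerConfiguration does not exist on Windows 7), and the KB numbers in $Ms17010Kbs are the MS17-010 updates as the editor recalls them and should be confirmed against the bulletin before the check is relied on.

```powershell
# Added example: verify and apply the WannaCry mitigations recommended above.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later.
# KB list is an assumption to be checked against the MS17-010 bulletin;
# later cumulative updates supersede these, so a miss is not proof of exposure.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Test-Ms17010Installed {
    # Get-HotFix enumerates installed updates by HotFixID (e.g. KB4012212).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    return [bool]$hits
}

function Test-Smb1Enabled {
    # The SMB server exposes SMBv1 as a single switch on Windows 8+/2012+.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off the SMBv1 server and remove the optional component, so the
    # EternalBlue vector is closed even on a host that has not been patched yet.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-WannaCryPorts {
    # Block inbound SMB (139/445) and RDP (3389) as the recommendations ask.
    # Apply only on hosts that do not legitimately serve these protocols.
    New-NetFirewallRule -DisplayName 'Block inbound SMB/RDP (WannaCry)' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445, 3389 `
        -Action Block -Profile Any | Out-Null
}

if (-not (Test-Ms17010Installed)) {
    Write-Warning 'No MS17-010 KB found; install the update (or a newer cumulative update) now.'
}
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
}
Block-WannaCryPorts
Write-Output 'Hardening applied; reboot to finish removing the SMB1 component.'
```

On Windows 7 / Server 2008 R2, where the Smb* cmdlets are absent, the equivalent of Disable-Smb1 is Microsoft's documented registry switch: set the DWORD value SMB1 to 0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and reboot.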
16.0.5.10:135
16.0.5.10:49
10.132.0.38:80
1.127.169.36:445
1.34.170.174:445
74.192.131.209:445
72.251.38.86:445
154.52.114.185:445
52.119.18.119:445
203.232.172.210:445
95.133.114.179:445
111.21.235.164:445
199.168.188.178:445
102.51.52.149:445
183.221.171.193:445
92.131.160.60:445
139.200.111.109:445
158.7.250.29:445
81.189.128.43:445
143.71.213.16:445
71.191.195.91:445
34.132.112.54:445
189.191.100.197:445
117.85.163.204:445
165.137.211.151:445
3.193.1.89:445
173.41.236.121:445
217.62.147.116:445
16.124.247.16:445
187.248.193.14:445
42.51.104.34:445
76.222.191.53:445
197.231.221.221:9001
128.31.0.39:9191
149.202.160.69:9001
46.101.166.19:9090
91.121.65.179:9001
2.3.69.209:9001
146.0.32.144:9001
50.7.161.218:9001
217.79.179.177:9001
213.61.66.116:9003
212.47.232.237:9001
81.30.158.223:9001
79.172.193.32:443
38.229.72.16:443
Domains:
• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (the kill switch: before encrypting, the malware tries to connect to this domain and exits if the connection succeeds. Alert on queries for it rather than blocking it; a block at the firewall or proxy makes the check fail and lets a copy that has already landed proceed to encrypt.)
• Rphjmrpwmfv6v2e[dot]onion
• Gx7ekbenv2riucmf[dot]onion
• 57g7spgrzlojinas[dot]onion
• xxlvbrloxvriy2c5[dot]onion
• 76jdd2ir2embyv47[dot]onion
• cwwnhwhlz52maqm7[dot]onion
File Names:
• @Please_Read_Me@.txt
• @WanaDecryptor@.exe
• @WanaDecryptor@.exe.lnk
• Please Read Me!.txt (Older variant)
• C:\WINDOWS\tasksche.exe
• C:\WINDOWS\qeriuwjhrf
• 131181494299235.bat
• 176641494574290.bat
• 217201494590800.bat
• [0-9]{15}\.bat #regex: a 15-digit name with the .bat extension, covering the three .bat files above
• !WannaDecryptor!.exe.lnk
• 00000000.pky
• 00000000.eky
• 00000000.res
• C:\WINDOWS\system32\taskdl.exe
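The indicator list above is written defanged ([.] and [dot]) so it cannot be clicked, which means it has to be normalised before it can be matched against logs. The script below is an added example for this page, not tooling from the original author; it takes a subset of the IPs, domains and file names listed above, matches them against a few constructed firewall/DNS log lines (not real traffic), checks the local DNS client cache, and walks the Windows directory for the file names. The log line format is an assumption for illustration.

```powershell
# Added example: hunt for the WannaCry indicators listed above on a Windows host.
# Indicator subsets below are copied from the page; log lines are constructed.
$IocIps = @('197.231.221.221', '128.31.0.39', '149.202.160.69', '79.172.193.32')
$IocDomainsDefanged = @('iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com',
                        'Rphjmrpwmfv6v2e[dot]onion', 'Gx7ekbenv2riucmf[dot]onion')
$IocFilePatterns = @('^@WanaDecryptor@\.exe(\.lnk)?$', '^@Please_Read_Me@\.txt$',
                     '^!WannaDecryptor!\.exe\.lnk$', '^tasksche\.exe$',
                     '^qeriuwjhrf$', '^taskdl\.exe$', '^[0-9]{15}\.bat$',
                     '^00000000\.(pky|eky|res)$')

function ConvertFrom-Defanged {
    param([string]$Indicator)
    # Undo the [.] / [dot] defanging and lower-case for comparison.
    return ($Indicator -replace '\[\.\]', '.' -replace '\[dot\]', '.').ToLower()
}

function Find-IocInLogLines {
    param([string[]]$Lines)
    # Emit every line that mentions an indicator IP (whole address only,
    # so 1.2.3.4 does not match 11.2.3.45) or an indicator domain.
    $domains = $IocDomainsDefanged | ForEach-Object { ConvertFrom-Defanged $_ }
    foreach ($line in $Lines) {
        $l = $line.ToLower()
        $ipHit  = $IocIps  | Where-Object { $l -match ('(^|[^0-9.])' + [regex]::Escape($_) + '([^0-9.]|$)') }
        $domHit = $domains | Where-Object { $l.Contains($_) }
        if ($ipHit -or $domHit) { $line }
    }
}

function Find-IocInDnsCache {
    # A cached answer for the kill-switch or .onion names means a process on
    # this host looked them up. Get-DnsClientCache exists on Windows 8+/2012+.
    $domains = $IocDomainsDefanged | ForEach-Object { ConvertFrom-Defanged $_ }
    Get-DnsClientCache | Where-Object { $domains -contains $_.Entry.ToLower() }
}

function Find-IocFiles {
    param([string]$Root = $env:SystemRoot)
    # Walk the tree for the listed file names; -match is case-insensitive.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.Name; $IocFilePatterns | Where-Object { $n -match $_ } } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample log lines (not real traffic): the first two should match.
$sample = @(
    '2017-05-13 09:14:02 ALLOW TCP 10.0.0.15 197.231.221.221 52344 9001',
    '2017-05-13 09:14:05 DNS query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.0.15',
    '2017-05-13 09:14:07 ALLOW TCP 10.0.0.15 93.184.216.34 52345 443'
)
Find-IocInLogLines -Lines $sample
Find-IocInDnsCache
Find-IocFiles
```

Find-IocFiles defaults to the Windows directory because that is where the page places tasksche.exe, qeriuwjhrf and taskdl.exe; pass -Root 'C:\' to cover the ransom notes and key files, which land wherever the malware was started from.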