WannaCry — The largest ransomware infection in history

More than 70 countries are reported to be infected.


UPDATE: Latest development (15 May): Links to Lazarus Group

UPDATE 2: Decrypting files

IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW!

NOTE 2: On Sunday 14 May, we stopped the second wave of the attack by registering a second kill switch, but this is only temporary. Read more.

On Friday 12th May 2017, a ransomware called WannaCry started infecting machines and spreading across 70+ countries — using nation-state grade offensive capabilities released last month by the ShadowBrokers — hitting telco companies like Telefonica in Spain and healthcare authorities like the NHS in England — and the number of infected machines keeps growing.

This ransomware supports 28 different languages, encrypts 179 different types of files and requires victims to pay $300-$600 in bitcoin in order to regain control of their machines.

Main dropper/encrypter: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Infection

It is believed the ransomware used an SMB vulnerability patched by Microsoft (MS17-010) in March. A public exploit for this vulnerability had been released in April by a group dubbed ShadowBrokers (which emerged for the first time in August 2016) while leaking files containing offensive tools belonging to the NSA, including a remote SMB exploit called ETERNALBLUE which targets the above vulnerability.

This vulnerability is believed to have been used by the NSA to take over its targets, including the backbone of financial institutions in the Middle East.

Last month, I covered the latest Shadow Brokers leak — which I strongly recommend reading to learn more about what ETERNALBLUE and DOUBLEPULSAR are.

Thanks to Darien Huss for highlighting the binary that infects the system. Zammis Clark wrote a good write-up on the infection part and on the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com that was registered as a kill switch for the malware.
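Because the malware looks up the kill-switch domain before doing anything else, resolver logs are a cheap way to find hosts that ran the dropper. The script below is an added example, not code from the post or from any of the researchers named above; the log format is a constructed assumption, and hosts whose lookups never reach your resolver will not appear.

```python
import re
from collections import defaultdict

# Kill-switch domain named in the write-up above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines in an assumed "timestamp client query qname rcode"
# format (not real logs); adapt LINE_RE to your own resolver's output.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.0.14 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:01:05Z 10.0.0.14 query update.microsoft.com NOERROR
2017-05-12T15:42:11Z 10.0.0.27 query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-12T15:43:00Z 10.0.0.31 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T15:44:09Z 10.0.0.27 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def normalize(name):
    """Lower-case and strip the trailing dot so FQDN variants still match."""
    return name.lower().rstrip(".")

def find_kill_switch_lookups(log_text):
    """Return {client_ip: {"nxdomain": n, "resolved": n}} for clients that queried the domain.

    NXDOMAIN means the check could not stop the malware on that host (the situation
    before the domain was registered); a resolved answer means the kill switch fired.
    """
    hits = defaultdict(lambda: {"nxdomain": 0, "resolved": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        _ts, client, qname, rcode = m.groups()
        if normalize(qname) != KILL_SWITCH_DOMAIN:
            continue
        key = "nxdomain" if rcode.upper() == "NXDOMAIN" else "resolved"
        hits[client][key] += 1
    return dict(hits)

def hosts_to_triage_first(hits):
    """Hosts whose kill-switch lookup ever failed are the likeliest to have been encrypted."""
    return sorted(ip for ip, c in hits.items() if c["nxdomain"] > 0)

if __name__ == "__main__":
    results = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for ip, counts in sorted(results.items()):
        print(f"{ip}: {counts}")
    print("triage first:", hosts_to_triage_first(results))
```

Any host in the output ran the dropper regardless of the answer it got, so all of them need triage; the NXDOMAIN set is just where to start.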

Below is the most interesting discovery from Darien Huss, which enabled @MalwareTechBlog to register the domain name to prevent further infection — for now. It is important to note, however, that: