WannaCrypt

by Daniel Smith

Over the last few days, Radware’s Security Research Groups have been monitoring a global incident related to a ransomware variant named WannaCrypt, also known as WannaCry, WanaCrypt0r and wcry. On the morning of Friday May 12th, a ransomware campaign began targeting computers around the world. Once a computer was infected, a worm replicated itself across the network, targeting other computers as well. Worms use a computer network to propagate to other machines and infect them with the malicious payload.

The payload in this event contained what is known as ransomware. Ransomware is a type of malware that restricts access to user data by encrypting the files on an infected computer. Once the files are encrypted, the attacker demands that the victim pay a ransom for the decryption key.

This campaign has spread itself across networks leveraging recently disclosed vulnerabilities in Microsoft’s SMB service. MS17-010, a Microsoft security update issued on March 14th, addressed and patched these remote code execution vulnerabilities in Microsoft’s SMB service.

CVEs patched in Microsoft’s security bulletin MS17-010:

  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148

These exploits were disclosed in April when The Shadow Brokers leaked the Equation Group’s software, which included FuzzBunch. FuzzBunch is an exploitation framework similar to Metasploit. Inside the FuzzBunch framework there are many remote exploits for Windows, such as EternalBlue and DoublePulsar, which are being used in the current WannaCrypt campaign.

Read more: http://ow.ly/ley930bLJs9