Ransomware Variant: “WannaCry / DoublePulsar”

A huge cyberattack in the form of ransomware, known under names such as WannaCry and DoublePulsar, is spreading quickly across the globe and has affected at least 99 countries.

The Hong Kong Computer Emergency Response Team Coordination Center (HKCERT) has received victim reports that data has been encrypted by WannaCry, and attack traces have been detected in some local institutes.


  1. WannaCry encrypts files on victims’ computers and adds a .WCRY file extension to them. Files on network drives are also affected.
  2. Data encrypted by the ransomware will be unrecoverable.

This ransomware exploits the Windows vulnerability MS17-010 via SMBv1. Please take immediate action to apply the Microsoft security patch released in March 2017: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

To protect your computer from harm, please:

Firewall

  1. Ensure the latest signatures have been applied to the IPS.
  2. Check whether any security threat is reported.
  3. Check whether any unexpected Tor connection is found.

Windows Server

  1. Same as Windows Client.
  2. Block incoming traffic to port 445 in Windows Firewall if no SMB service is needed.

Windows Client

  1. Ensure the PC has up-to-date Windows updates.
  2. Disable SMBv1 – https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  3. [Reminder] The ‘System Watcher’ function should be enabled in Kaspersky anti-virus software. ‘System Watcher’ can roll back unwanted changes such as file encryption.
  4. Ensure the anti-virus software is up to date.
  5. Back up your files regularly and keep the backups in a separate, safe place.

If you are unable to install the patch on a Windows machine, you can (1) turn off SMBv1 as a workaround and (2) apply the patch as soon as possible.
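The following script is an added example for administrators, not part of the original ITSC notice: it audits, without changing anything, the items the Windows Server and Windows Client checklists above ask for (MS17-010 patch present, SMBv1 disabled on the server and client side, inbound port 445 blocked, and no .WCRY files already present). The KB id is a placeholder you must replace with the MS17-010 update number for your Windows version; the COM object HNetCfg.FwPolicy2 is used for the firewall check so the script also runs on Windows 7 and Server 2008 R2, where Get-NetFirewallRule does not exist.

```powershell
# Added example, not part of the original ITSC notice: a read-only audit of the
# controls in the Windows Server / Windows Client checklist. Run it in an
# elevated PowerShell (3.0 or later) prompt; nothing on the machine is changed.
# $Ms17010KbIds is a placeholder: fill in the KB number(s) of the MS17-010
# update for your Windows version, taken from the Microsoft bulletin.
param(
    [string[]]$Ms17010KbIds = @('KBnnnnnnn')   # placeholder, replace with the real KB id(s)
)

$findings = [ordered]@{}

# 1. MS17-010 present? Get-HotFix lists installed updates by their KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
$findings['MS17-010 hotfix installed'] =
    [bool]($Ms17010KbIds | Where-Object { $installed -contains $_ })

# 2. SMBv1 server side: LanmanServer\Parameters\SMB1 = 0 (the registry fix in
#    section B). A missing value means the OS default, which is "enabled".
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$findings['SMBv1 server disabled (SMB1 registry value = 0)'] = ($smb1 -eq 0)

# 3. SMBv1 client side: the mrxsmb10 driver must be disabled (Start = 4) and the
#    workstation service must no longer list it as a dependency (section B, item 1).
$mrxStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
             -Name Start -ErrorAction SilentlyContinue).Start
$findings['SMBv1 client driver mrxsmb10 disabled or absent'] =
    ($null -eq $mrxStart) -or ($mrxStart -eq 4)
$deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
         -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$findings['LanmanWorkstation no longer depends on mrxsmb10'] = -not ($deps -contains 'mrxsmb10')

# 4. Inbound TCP 445 blocked? HNetCfg.FwPolicy2 is available on Windows 7 /
#    Server 2008 R2 too. Direction 1 = inbound, Action 0 = block, Protocol 6 = TCP.
#    Only an exact "445" token in LocalPorts is recognised; ranges are not parsed.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$block445 = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 0 -and $_.Protocol -eq 6 -and
    (("$($_.LocalPorts)" -split ',') -contains '445')
})
$findings['Inbound TCP 445 blocked by an enabled firewall rule'] = ($block445.Count -gt 0)

# 5. Any .WCRY file under the user profiles means the ransomware has already run.
#    Scoped to the Users folder to keep the scan short; widen it if needed.
$wcry = Get-ChildItem -Path "$env:SystemDrive\Users" -Filter '*.WCRY' -Recurse -Force `
        -ErrorAction SilentlyContinue | Select-Object -First 1
$findings['No .WCRY files under user profiles'] = ($null -eq $wcry)

# Print one line per control: OK, or CHECK for anything that needs attention.
foreach ($f in $findings.GetEnumerator()) {
    $state = if ($f.Value) { 'OK   ' } else { 'CHECK' }
    "$state $($f.Key)"
}
```

A CHECK on item 4 is expected on file servers that must keep serving SMB; the other four items should read OK on every machine once the notice has been acted on.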

A. 3 methods to deploy the hotfix:

You can choose any of the 3 methods below to deploy MS17-010.

  1. Use WSUS to deploy it.
  2. Use a GPO to deploy MS17-010 with a startup/shutdown script that runs the wusa.exe command:
    If you already have the .msu file downloaded, use the command below to install it. The package must be referenced by a network path.
    wusa.exe xxxx.msu /quiet
  3. Use a GPO to deploy MS17-010 with a startup/shutdown script that runs the dism.exe command, if you have the .cab file. Use the command below to install it. The package must be referenced by a network path.
    DISM.exe /Online /Add-Package /PackagePath:xxx.cab

  Note: you can convert an .msu file to .cab with the command below. Specify a new folder for the conversion result.
    Expand -F:* c:\kb976571\Windows6.1-KB976571-v2-x64.msu c:\temp\976571
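As an added example, not part of the original ITSC notice, the script below is a GPO startup script that carries out methods 2 and 3: it installs the update from a network share with wusa.exe (for an .msu) or DISM.exe (for a .cab), skips machines that already have the hotfix, and logs the outcome. The share path \\fileserver\patches and the KB id are placeholders to replace with your own; the computer account needs read access to the share because startup scripts run as SYSTEM before any user logs on.

```powershell
# Added example, not from the original ITSC notice: GPO startup script that
# installs the MS17-010 update from a network share (methods 2 and 3 above).
# $KbId and $PackagePath are placeholders; replace them with the KB number of
# the update for your Windows version and the real UNC path of the package.
param(
    [string]$KbId        = 'KBnnnnnnn',                          # placeholder
    [string]$PackagePath = '\\fileserver\patches\ms17-010.msu',  # placeholder
    [string]$LogPath     = "$env:SystemRoot\Temp\ms17-010-deploy.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogPath -Append -Encoding ascii
}

# Startup scripts run at every boot, so skip the install once the hotfix is listed.
if (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue) {
    Write-Log "$KbId already installed, nothing to do"
    exit 0
}

if (-not (Test-Path -LiteralPath $PackagePath)) {
    Write-Log "package not reachable: $PackagePath"
    exit 1
}

# Pick the installer from the file extension, as in methods 2 and 3.
# /norestart on both: the reboot is left to the normal maintenance window.
switch ([System.IO.Path]::GetExtension($PackagePath).ToLower()) {
    '.msu' {
        $exe = 'wusa.exe'
        $arguments = "`"$PackagePath`" /quiet /norestart"
    }
    '.cab' {
        $exe = 'DISM.exe'
        $arguments = "/Online /Add-Package /PackagePath:`"$PackagePath`" /Quiet /NoRestart"
    }
    default {
        Write-Log "unsupported package type: $PackagePath"
        exit 1
    }
}

Write-Log "running $exe $arguments"
$proc = Start-Process -FilePath $exe -ArgumentList $arguments -Wait -PassThru -WindowStyle Hidden
$code = $proc.ExitCode

# Exit codes that are normal outcomes rather than failures:
#   0        installed
#   3010     installed, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)
#   2359302  already installed (WU_S_ALREADY_INSTALLED, 0x240006), wusa.exe only
switch ($code) {
    0       { Write-Log "$KbId installed" }
    3010    { Write-Log "$KbId installed, reboot pending" }
    2359302 { Write-Log "$KbId was already installed" }
    default { Write-Log "install FAILED with exit code $code"; exit $code }
}
exit 0
```

Assign it under Computer Configuration > Policies > Windows Settings > Scripts (Startup) in the GPO; the log file on each machine tells you which computers still need a reboot before the patch is active.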

B. 3 quick workarounds to stop using SMBv1:

Since the virus spreads via the SMBv1 protocol, a quick workaround is to disable SMBv1. Here are 3 quick ways to stop using SMBv1. Details: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012.

  1. To disable SMBv1 on a client:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    (sc.exe requires the space after "depend=" and "start=".) A restart is needed.
  2. To disable SMBv1 on a server:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

    Or set the registry value directly:
    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    Registry type: DWORD
    Registry value: 0
    A restart is needed.
  3. To remove SMBv1 thoroughly:
    • For client operating systems:
      1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
      2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
      3. Restart the system.
    • For server operating systems:
      1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
      2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
      3. Restart the system.
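The script below is an added example, not part of the original ITSC notice, that applies the three workarounds of section B in one idempotent run (the sc.exe client commands, the LanmanServer SMB1 registry value, and, with -RemoveFeature, the PowerShell equivalent of the Control Panel / Server Manager steps in workaround 3) and, with -BlockPort445, adds the Windows Firewall rule from item 2 of the Windows Server checklist. The feature names FS-SMB1 (server) and SMB1Protocol (client) and the rule name are assumptions stated in the code; every step reads the current state first, so re-running the script is safe.

```powershell
# Added example, not from the original ITSC notice: applies the SMBv1
# workarounds of section B and optionally blocks inbound TCP 445. Run elevated.
# A restart is still required for the sc.exe and registry changes to take effect.
param(
    [switch]$BlockPort445,    # only on machines that do not need to serve SMB
    [switch]$RemoveFeature    # also remove the SMB1 feature (Windows 8 / Server 2012 and later)
)

# --- Client side: the two sc.exe commands from workaround 1 ---------------------
$wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$deps  = (Get-ItemProperty -Path $wsKey -Name DependOnService).DependOnService
if ($deps -contains 'mrxsmb10') {
    # sc.exe needs the space after "depend=" and "start="; without it the call fails.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    Write-Output 'LanmanWorkstation dependency on mrxsmb10 removed'
}
$mrxStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
             -Name Start -ErrorAction SilentlyContinue).Start
if ($null -ne $mrxStart -and $mrxStart -ne 4) {       # 4 = SERVICE_DISABLED
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Output 'mrxsmb10 (SMBv1 client driver) set to disabled'
}

# --- Server side: the registry value from workaround 2 --------------------------
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -ne 0) {
    Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0 -Force
    Write-Output 'LanmanServer SMB1 = 0 (SMBv1 server disabled after restart)'
}

# --- Optional: remove the feature entirely (workaround 3 without the GUI) -------
if ($RemoveFeature) {
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server 2012 and later expose SMB1 as the feature FS-SMB1 (assumed name).
        if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
            Write-Output 'FS-SMB1 feature removed'
        }
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8 and later clients expose it as optional feature SMB1Protocol (assumed name).
        if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            Write-Output 'SMB1Protocol optional feature disabled'
        }
    } else {
        Write-Output 'Feature cmdlets not available on this OS; use the GUI steps in workaround 3'
    }
}

# --- Optional: block inbound TCP 445 (Windows Server checklist, item 2) ---------
if ($BlockPort445) {
    $ruleName = 'Block inbound SMB (TCP 445) - WannaCry workaround'   # assumed rule name
    # Check for an existing rule through the firewall COM object (locale independent),
    # then add it with netsh, which also works on Windows 7 / Server 2008 R2.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $exists = @($fw.Rules | Where-Object { $_.Name -eq $ruleName }).Count -gt 0
    if (-not $exists) {
        & netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
        Write-Output "Firewall rule '$ruleName' added"
    }
}

Write-Output 'Done. Restart the machine for the SMBv1 changes to take effect.'
```

Run it once without switches on ordinary clients, and with -BlockPort445 only on servers and workstations that share nothing over SMB, since the rule also stops legitimate file and printer sharing.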

ITSC has applied IP filtering to a list of TOR (Threat of Release) sites. Please report to ITSC if you (or your users) cannot access any legitimate website.

As usual, ITSC is closely monitoring all our critical systems and infrastructure to ensure a healthy and clean environment.

Although no incident report has been received by ITSC, we would like you to be vigilant.

Since Petya starts data encryption after a system reboot, if users find that Windows hangs suddenly and reboots (like the screen below), they should:

  1. Turn off the computer IMMEDIATELY once the Windows logo appears. Otherwise, the encryption process will start.
  2. Then use a Live CD to boot the system, or unplug the hard disk and connect it to another computer for cleanup, creation of the kill switch and data backup.
  3. DO NOT respond to the extortionists by attempting payment; instead, report the incident to ITSC and the Police.

Note: Once the encryption process is completed, the data will be unrecoverable.

Please visit here for more information security tips.

Initially released on: 13 May 2017