Been watching this on Twitter this evening and have been intrigued with this so called sophistic attack, lets delve deeper.
The
attack is actually using the EternalBlue vulnerability (patched at
beginning of March) released over the Easter Weekend among many other
vulnerabilities called zero days (as Microsoft had not been made aware
of them up to this point) and looked like they had been created by
Equation Group for the NSA. Shadow Brokers managed to obtain these
vulnerabilities, possibly by hacking the NSA and then tried to sell them
to the highest bidder after originally trying to sell them off for
around $1M but paid for in bitcoins, this carried on dropping and
dropping till they eventually released the 300mb file on the Easter
Weekend.
On closer inspection the exploit ETERNALBLUE
works by remotely connecting via SMB & NBT (Windows XP to Windows
2012) and basically hits any windows machine older than Windows 10,
hense bring on the ransomware using this exploit plus some FUZZBUNCH
exploits and you have WannaCry or WCry 2.0 .
Its
been written in C++ and the code is easily viewable as no attempt has
been made to hide the code and encrypts the files and adds a .WNCRY
extension before asking for a $300-$600 bitcoin ransom.
So
does that mean Im vulnerable? providing you have applied all Microsoft
security patches including MS17-010 released in March then no you should
be safe. also stopping the SMB V1 service which this ransomware/malware
uses.
So far it looks like if you can crash Wcrypt it
will reset, however if it does infect your machine it will also add the
DOUBLEPULSAR backdoor. Also if
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits
instead of infecting the host.
This also only affect
Microsoft products so linux users you are safe, but again dont open
those attachments you were not expecting, use a good anti virus and back
up your files on a external device as well as saving very important
work to usb sticks.
So far over 70k machines have
been infected and thats not just NHS machines; FedEx, Telefonica,
Shaheen Airlines are to name a few.
Have these pesky kids
got away with it? well the bitcoins can be traced to an extent so they
will need to clean the coins by passing them through bitcoin launderers,
other people, a few anonymous throwaway bitcoin accounts before finally
transfering the money into their own account for each $300 I can see
them being left with $100 per ransom or less as this will have to go on
and on for months. Already the ransonware has been dissected and those
who know their stuff in bitcoins have already started to track the
bitcoins about.
nb: binary blob in pe crypted with password "WNcry@20l7"
