Massive WannaCry/Wcry Ransomware Attack Hits Various Countries

The ransom note demanded a payment of US$ 300 be made in Bitcoin; note that this ransom demand is already lower than the amount asked for in the earlier attacks. Aside from the initial attacks in the United Kingdom, other countries were also affected in large numbers.

Trend Micro detects the variants used in this attack as RANSOM_WANA.A and RANSOM_WCRY.I. Customers are already protected against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security.

[RELATED: Identify the gaps in your existing endpoint protection solution using the free Trend Micro Machine Learning Assessment tool.]

Infection Vector

The vulnerability used in this attack (code-named EternalBlue) was among those leaked by the Shadow Brokers group, which were allegedly stolen from the National Security Agency (NSA). The vulnerability was exploited to drop a file on the vulnerable system, which would then be executed as a service. This would then drop the actual ransomware file onto the affected system, which encrypts files and appends the .WNCRY extension to them. (A separate component file for displaying the ransom note would also be dropped.) Files with a total of 166 extensions are targeted, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.

Figure 1. Infection diagram

Figure 2. Ransom note

Feedback from the Smart Protection Network indicates that aside from the United Kingdom, Taiwan, Chile and Japan were all significantly affected by this threat. India and the United States are also affected.

To spread to other systems, it uses the file that was dropped and run as a service. The service uses the name “Microsoft Security Center (2.0)”. This service scans for other SMB shares on the network, and uses the EternalBlue vulnerability to spread to other systems.

Figure 3. Added service
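The two host-level indicators this write-up names, the installed service name and the .WNCRY extension appended to encrypted files, are enough to build a simple hunt over endpoint telemetry. The script below is an added example and not Trend Micro's code; the "EventID|Key=Value" log layout, the field names and all file paths are constructed for illustration.

```python
# Indicators named in the write-up above: the service name the spreader
# installs itself under, and the extension appended to encrypted files.
SUSPICIOUS_SERVICE_NAMES = {"microsoft security center (2.0)"}
RANSOM_EXTENSION = ".wncry"

# Constructed sample log lines in a simplified "EventID|Key=Value|..." layout,
# not real exported logs. 7045 is the System-log event ID Windows writes when
# a new service is installed. Image paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "7045|ServiceName=Windows Update|ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "7036|ServiceName=Print Spooler|State=running",
    "7045|ServiceName=Microsoft Security Center (2.0)|ImagePath=C:\\PLACEHOLDER_DROPPED_FILE.exe",
    "7045|ServiceName=Security Center|ImagePath=C:\\PLACEHOLDER_LEGIT.exe",  # near-miss name
]

# Constructed file paths, as a host agent might report newly written files.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Pictures\holiday.jpg.wncry",
    r"C:\Users\alice\Desktop\notes.txt",
]


def parse_event(line: str) -> dict:
    """Split one 'EventID|Key=Value|...' line into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    parsed = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        parsed[key] = value
    return parsed


def find_suspicious_services(lines) -> list:
    """Names of newly installed services (event 7045) matching the report's indicator,
    compared case-insensitively so trivial casing changes do not evade the match."""
    hits = []
    for event in map(parse_event, lines):
        name = event.get("ServiceName", "")
        if event["EventID"] == "7045" and name.strip().lower() in SUSPICIOUS_SERVICE_NAMES:
            hits.append(name)
    return hits


def count_encrypted_files(paths) -> int:
    """Count paths carrying the ransomware's extension, regardless of case."""
    return sum(1 for p in paths if p.lower().endswith(RANSOM_EXTENSION))


def triage(lines, paths) -> list:
    """Combine both indicators into analyst-readable findings."""
    findings = [f"suspicious service installed: {n}" for n in find_suspicious_services(lines)]
    if (encrypted := count_encrypted_files(paths)):
        findings.append(f"{encrypted} file(s) written with {RANSOM_EXTENSION.upper()}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_PATHS):
        print(finding)
```

The service-name match is only one of several indicators and is easy for a future variant to change, so the extension count and any SMB traffic to many internal hosts should be weighed together rather than alerting on the name alone.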

As we noted earlier, the SMBv1 vulnerability used in this attack was already patched in March by Microsoft. Even before that, in September 2016 Microsoft had strongly urged users to migrate away from SMBv1, which dates back to the early 1990s. US-CERT had issued similarly strong recommendations as well. Organizations that had followed best practices—both in patching and in proper configuration of SMB services—would not be affected by this attack.