

Windows Vulnerability - WannaCry Ransomware


Ransomware is malicious software that encrypts the files on a device such as a computer, tablet or smartphone (or locks the device outright) and then demands a ransom from the victim to restore access.

In May 2017 a ransomware worm named WannaCry infected hundreds of thousands of Windows machines in more than 150 countries within a few days, one of the largest ransomware outbreaks ever seen.

Once it runs, WannaCry encrypts the user's files in place (the encrypted copies get the extension .WNCRY) so that they can no longer be opened, and then displays a ransom note. Most ransomware arrives through phishing emails that lure the victim into opening an attachment or clicking a link to a site that delivers the malware, and that route should still be guarded against. What set WannaCry apart, however, is that it did not need anyone to click anything: it spread from machine to machine on its own over the Windows file-sharing protocol (SMB), as explained below.

What is WannaCry Ransomware?

WannaCry attacks Windows machines. It also goes by the names WannaCrypt, WanaCrypt0r, WCrypt and WCRY. To spread, it exploits a flaw in the Windows SMBv1 server (CVE-2017-0144) using the EternalBlue exploit, which the Shadow Brokers group published in April 2017 from a leaked toolkit widely attributed to the NSA. Microsoft had already fixed the flaw in security bulletin MS17-010 in March 2017; every Windows version from XP and Server 2003 up to Windows 10 and Server 2016 is affected if that update is missing. In practice the overwhelming majority of infected machines ran Windows 7 and Server 2008 R2, and the unsupported XP and Server 2003 only received a fix after the outbreak had begun.

After infecting a system, WannaCry encrypts the files and shows a window with a countdown and instructions to pay USD 300 in Bitcoin to decrypt them. If the ransom is not paid within 3 days the demand rises to USD 600, and after 7 days the note threatens that the files can never be recovered. The EternalBlue exploit also plants the DOUBLEPULSAR kernel backdoor on the machine; WannaCry uses it to load itself, and the backdoor stays open to anyone else who finds it until the machine is rebooted. A machine that has been exploited should therefore be treated as fully compromised, not merely as having some encrypted files.


How does it spread?

WannaCry is two programs in one: the ransomware and a worm that carries it. The worm scans TCP port 445 (SMB) on every address in the local network and on randomly generated internet addresses. For each host that answers it first checks whether the DOUBLEPULSAR backdoor is already present; if not, it fires the EternalBlue exploit (MS17-010) against the SMBv1 service. On success it uses the backdoor to copy the malware onto the new machine and start it, and that machine begins scanning in turn. One unpatched machine with port 445 open to the internet, or one infected laptop brought into the office, is therefore enough to compromise an entire network without anyone clicking a link. How the very first machine in a given organization was infected was never firmly established; email lures and malicious downloads remain the usual assumption, so the advice about links and attachments still applies. Before it encrypts anything, the malware also attempts an HTTP connection to a hard-coded domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) and exits if the connection succeeds, a "kill switch" that halted the original variant worldwide once a researcher registered the domain on 12 May 2017.


What can you do to prevent infection?

  • Microsoft fixed the flaw in security bulletin MS17-010 (March 2017) for all supported Windows versions, and on 12 May 2017 published an out-of-band update (KB4012598) for the unsupported Windows XP, Windows 8 and Windows Server 2003. Install these immediately; patching is the only measure that actually removes the vulnerability.
  • Retire Windows NT4, Windows 2000, Windows XP and Windows Server 2003 from production environments. The first two received no fix at all, and the others are no longer maintained.
  • Block inbound TCP 139 and 445 (SMB) and 3389 (RDP) from the internet at your firewall; SMB should never be reachable from the internet. Inside the network, restrict port 445 between workstations to what is actually needed, since that is the path the worm takes from one desk to the next.
  • Avoid clicking on links or opening attachments in emails from people you do not know or from companies you do not do business with.
  • SMBv1, the protocol version EternalBlue targets, is enabled by default on Windows versions before Windows 10 Fall Creators Update. Disable SMBv1 rather than all of SMB: on Windows 8.1 and 10 open Control Panel > Programs > Turn Windows features on or off, untick "SMB 1.0/CIFS File Sharing Support" and click OK; on Windows 7 and Server 2008 R2 there is no such checkbox and SMBv1 has to be switched off through the registry as described in Microsoft's KB2696547. Reboot afterwards. SMBv2 and SMBv3 are not affected by the flaw.
  • Make sure your Windows OS is fully up to date and turn on automatic updates.
  • Have a pop-up blocker running on your web browser.
  • Back up your files regularly to storage the machine cannot overwrite afterwards (offline media or versioned backups). Ransomware encrypts everything it can reach, including mapped network drives and attached USB disks.
  • Install a reputable antivirus and anti-ransomware product; the major vendors added WannaCry detection promptly after the outbreak.
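The checks and settings from the list above collected into one script for a single Windows host. This is an added example and is not part of the original article or of any Microsoft tooling. It assumes an elevated PowerShell session; the SMB and firewall cmdlets need Windows 8 / Server 2012 or later, while the registry branch covers Windows 7 / Server 2008 R2. The firewall rule names are chosen for this example, and the KB numbers are the original MS17-010 security-only and monthly-rollup updates: later cumulative updates supersede them, so a missing KB means "verify", not "unpatched".

```powershell
# Added example, not from the original article or from Microsoft: check for
# MS17-010, disable SMBv1 and block SMB/RDP from the internet on one host.
# Run in an elevated PowerShell. SMB and firewall cmdlets need Windows 8 /
# Server 2012 or later; the registry branch covers Windows 7 / Server 2008 R2.

# Original MS17-010 updates (security-only and monthly rollup). Later cumulative
# updates supersede them, so "not found" means "verify", not "unpatched".
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Windows Server 2012
    'KB4012598'                 # Windows XP / Server 2003 / Windows 8 (out-of-band, May 2017)
)

function Test-Ms17010Installed {
    $found = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID })
    if ($found.Count -gt 0) {
        Write-Host "MS17-010 update present: $($found.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No original MS17-010 KB found; confirm that a cumulative update from April 2017 or later is installed (Get-HotFix | Sort-Object InstalledOn).'
    return $false
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: turn off the SMBv1 server protocol.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: Microsoft's documented registry switch (KB2696547).
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        New-ItemProperty -Path $params -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Remove the SMBv1 components entirely where the OS offers them as a feature.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f -and $f.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
    }
}

function Block-SmbAndRdpFromInternet {
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        Write-Warning 'NetSecurity module not available; add the block rules with netsh advfirewall or the firewall console.'
        return
    }
    # Block SMB (139/445) and RDP (3389) from non-local addresses only, so LAN
    # file sharing keeps working. Rule names are chosen for this example.
    $rules = @(
        @{ Name = 'Block SMB from Internet'; Ports = @(139, 445) },
        @{ Name = 'Block RDP from Internet'; Ports = @(3389) }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Ports -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
}

Test-Ms17010Installed | Out-Null
Disable-Smb1
Block-SmbAndRdpFromInternet
Write-Host 'Reboot the server so the SMBv1 change takes effect.'
```

The hotfix check is deliberately only a warning: on a host that has taken any later cumulative update the original KB ids are no longer listed, so the authoritative test is the update history, not this list. The firewall rules use the built-in Internet address keyword rather than blocking 445 outright, which would break legitimate file sharing on the LAN.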

What are we doing on our Windows shared servers?

If you are our customer at BusinessAhead.net or at WebServicesWorldwide.com and are using one of our Shared Windows Hosting plans, you do not need to do anything yourself: we are already in the process of applying the Windows updates on all our shared hosting Windows servers.


What you need to do if you have one of our Windows Dedicated Servers

Patch your Windows dedicated server immediately, following the steps described at https://goo.gl/PYIEis

In addition, review the indicators below. The IP addresses and Tor addresses can be blocked at your firewall, with one important exception: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is the kill-switch domain and must remain reachable. The file names cannot be blocked by a firewall; they are meant for your antivirus or endpoint protection and for a manual search for signs of infection.

IP Addresses & Ports
 16.0.5.10:135, 16.0.5.10:49, 10.132.0.38:80, 1.127.169.36:445, 1.34.170.174:445
 74.192.131.209:445, 72.251.38.86:445, 154.52.114.185:445, 52.119.18.119:445
 203.232.172.210:445, 95.133.114.179:445, 111.21.235.164:445, 199.168.188.178:445
 102.51.52.149:445, 183.221.171.193:445, 92.131.160.60:445, 139.200.111.109:445
 158.7.250.29:445, 81.189.128.43:445, 143.71.213.16:445, 71.191.195.91:445
 34.132.112.54:445, 189.191.100.197:445, 117.85.163.204:445, 165.137.211.151:445
 3.193.1.89:445, 173.41.236.121:445, 217.62.147.116:445, 16.124.247.16:445
 187.248.193.14:445, 42.51.104.34:445, 76.222.191.53:445, 197.231.221.221:9001
 128.31.0.39:9191, 149.202.160.69:9001, 46.101.166.19:9001, 91.121.65.179:9001
 2.3.69.209:9001, 146.0.32.144:9001, 50.7.161.218:9001, 217.79.179.177:9001
 213.61.66.116:9003, 212.47.232.237:9001, 81.30.158.223:9001, 79.172.193.32:443
 38.229.72.16:443

Note on this list: it appears to come from a sandbox run of the sample. The :445 entries are hosts the worm tried to attack; because it picks its scanning targets at random, they are not attacker infrastructure and blocking them has little value (10.132.0.38 is even a private RFC 1918 address that can only refer to the sandbox's own network). The entries on ports 9001, 9003, 9090, 9191 and 443 are Tor relays that the malware's bundled Tor client connected to; relays change constantly, so blocking or alerting on outbound Tor traffic as a whole is far more effective than blocking these particular addresses.

Domains
 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (kill switch: do NOT block, see below)
 rphjmrpwmfv6v2e.onion
 gx7ekbenv2riucmf.onion
 57g7spgrzlojinas.onion
 xxlvbrloxvriy2c5.onion
 76jdd2ir2embyv47.onion
 cwwnhwhlz52maqm7.onion

The first domain is the kill switch. Before it encrypts anything, WannaCry makes a plain HTTP request to it and quits if the request succeeds; the original variant was stopped worldwide when a researcher registered the domain on 12 May 2017 and pointed it at a sinkhole server that answers every request. Blocking the domain at your firewall or proxy therefore does the opposite of what you want: infected machines that would have quit will encrypt instead. Make sure the domain resolves and is reachable over HTTP from every machine. Where machines have no direct internet access or sit behind an authenticating proxy (the malware is not proxy-aware), create an internal DNS entry for the domain that points at an internal web server so the request succeeds. Do not rely on the kill switch in place of patching: later variants use other domains or none at all.

The .onion names are Tor hidden services used by the payment and decryption component to contact the attackers. They cannot be blocked by ordinary DNS filtering because they are only resolved inside the Tor network; block or alert on outbound Tor traffic instead, and treat these strings as indicators to search for on disk and in memory.

File names to look for
 @Please_Read_Me@.txt (ransom note, dropped into every folder that contains encrypted files)
 @WanaDecryptor@.exe (the decryptor window)
 @WanaDecryptor@.exe.lnk
 Please Read Me!.txt (older variant)
 C:\WINDOWS\tasksche.exe (the copy of the malware installed by the worm)
 C:\WINDOWS\qeriuwjhrf (the previous tasksche.exe, renamed by the malware)
 131181494299235.bat
 176641494574290.bat
 217201494590800.bat
 [0-9]{15}\.bat (regex: the generated helper script that creates the .lnk; the digits differ per machine)
 !WannaDecryptor!.exe.lnk
 00000000.pky (the attacker's RSA public key)
 00000000.eky (the victim's RSA private key, encrypted with the attacker's public key)
 00000000.res (state file the malware updates while it runs)
 C:\WINDOWS\system32\taskdl.exe (helper that deletes the temporary files created during encryption)

Encrypted files themselves carry the extension .WNCRY. These names cannot be "blocked" by a firewall; add them to your antivirus or endpoint protection as indicators and search for them on any server you suspect, especially in C:\WINDOWS, %ProgramData% and every user's profile.
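A host sweep for the indicators above, as an added example that is not part of the original article. It searches the system drive for the listed file names, the fifteen-digit .bat pattern and the .WNCRY extension, looks for the malware's processes, and tests whether the kill-switch domain is reachable over HTTP from this host (the malware quits when that connection succeeds, so the domain must stay reachable). It assumes an elevated PowerShell 3.0 or later session so that every profile is readable; the process names and the report path are assumptions for this example.

```powershell
# Added example, not from the original article: sweep this host for WannaCry
# indicators. Read-only apart from the report file. Run elevated, PowerShell 3.0+.

$exactNames = @(
    '@Please_Read_Me@.txt', '@WanaDecryptor@.exe', '@WanaDecryptor@.exe.lnk',
    'Please Read Me!.txt', '!WannaDecryptor!.exe.lnk',
    '00000000.pky', '00000000.eky', '00000000.res'
)
# Fixed locations the dropper uses (SystemRoot is normally C:\WINDOWS).
$systemPaths = @(
    "$env:SystemRoot\tasksche.exe",
    "$env:SystemRoot\qeriuwjhrf",
    "$env:SystemRoot\System32\taskdl.exe"
)
$batPattern   = '^\d{15}\.bat$'          # generated helper script, e.g. 131181494299235.bat
$killSwitch   = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$processNames = @('tasksche', 'taskdl', 'taskse', '@WanaDecryptor@')   # assumption: process names match the file names
$reportPath   = "$env:TEMP\wannacry-sweep.txt"                          # assumption: where the report is written

function Find-WannaCryFiles {
    param([string[]]$Roots = @("$env:SystemDrive\"))
    $hits = New-Object System.Collections.Generic.List[string]
    foreach ($p in $systemPaths) {
        if (Test-Path -LiteralPath $p) { $hits.Add($p) }
    }
    foreach ($root in $Roots) {
        # -Force includes hidden files; folders we cannot open are skipped silently.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $exactNames -contains $_.Name -or
                $_.Name -match $batPattern -or
                $_.Extension -eq '.WNCRY'
            } |
            ForEach-Object { $hits.Add($_.FullName) }
    }
    return $hits
}

function Test-KillSwitch {
    # WannaCry exits without encrypting when a plain HTTP request to this domain
    # succeeds. Invoke-WebRequest honours the user's proxy settings while the
    # malware does not, so on a proxied network a success here is not proof that
    # the malware itself would have reached the domain.
    try {
        Invoke-WebRequest -Uri "http://$killSwitch/" -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

$files = @(Find-WannaCryFiles)
$procs = @(Get-Process -Name $processNames -ErrorAction SilentlyContinue)
$killSwitchReachable = Test-KillSwitch

$report = @(
    "WannaCry sweep on $env:COMPUTERNAME at $(Get-Date -Format s)"
    "Indicator files found: $($files.Count)"
    $files | ForEach-Object { "  $_" }
    "Suspicious processes: $($procs.Count)"
    $procs | ForEach-Object { "  $($_.Name) (PID $($_.Id)) $($_.Path)" }
    "Kill-switch domain reachable over HTTP: $killSwitchReachable"
)
$report | Tee-Object -FilePath $reportPath

if ($files.Count -gt 0 -or $procs.Count -gt 0) {
    Write-Warning 'Indicators present: isolate this host from the network now and treat it as compromised.'
    exit 2
}
```

The sweep is a triage aid, not a cleaner: if it reports hits, disconnect the machine first (the worm component keeps scanning while it runs), then preserve the disk for investigation before rebuilding. A "false" for the kill switch on a host that is otherwise clean is itself a finding, because it means any infection on that network would proceed to encrypt.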

You can also refer to the following links to apply the necessary fix:

  • https://technet.microsoft.com/library/security/MS17-010
  • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • https://support.microsoft.com/en-in/help/4013389/title

For dedicated servers, once you have applied necessary changes, you need to reboot the server.


Hope the above will help you protect yourself from WannaCry Ransomware.


About the Author
Rajeev Kumar
CEO, Computer Solutions
Jamshedpur, India

Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and Software development. He has taught a wide spectrum of people including fresh young talents, students of premier engineering colleges & management institutes, and IT professionals.

Rajeev has founded Computer Solutions & Web Services Worldwide. He has hands-on experience of building variety of websites and business applications, that include - SaaS based erp & e-commerce systems, and cloud deployed operations management software for health-care, manufacturing and other industries.


Copyright © How2Lab.com. All rights reserved.