Monday 15 May 2017

WannaCry Ransomware FAQ


  1. How does the Wannacry propagation work?


The propagation of Wannacry is based on network exploitation of an SMB vulnerability (MS17-010 [1]). The main Wannacry component, which has scanning capability, gets the local IP address from a network interface and scans the subnet of that interface.


Based on the scan result (looking for the SMB service on port 445 vulnerable to MS17-010), it tries to exploit the vulnerability using an exploit similar to EternalBlue [2]. It also checks for an existing DoublePulsar [3] backdoor. Once the host is exploited, it drops the main payload, which is the Wannacry ransomware. The next step is the activation of the ransomware: any file whose extension is on Wannacry's extension list is encrypted. The ransom message is then displayed, as shown in Figure 1.0.




Figure 1.0: The ransom message from the Wannacry ransomware


  2. How can I patch the vulnerability?


The best way to patch the vulnerability is by enabling the automatic update feature on your Windows OS. Please refer to this guide on how to enable automatic updates [4].


If you need to do it manually, please download the patch file from this URL [5]. Double-click the downloaded file; it will self-extract the update. Please follow the on-screen guide to complete the installation.


  3. Which version of the OS should I patch?


The most critical ones (with working exploits) are Windows XP, Windows 2003, Windows 2008, Windows 7 and Windows 2012. Please apply the MS17-010 patch regardless of your Windows OS version.


  4. How can I patch the vulnerability if I’m on an End of Life (EOL) OS [e.g. Windows XP, 2003]?


Microsoft has released a special patch for these EOL OS versions. Please download and install the patch from this URL [6].


  5. How do I patch, anyway?


Download the patch from the listed URLs [4,5]. Install the patch by double-clicking the downloaded file.


Please follow the best practice guideline from Microsoft at this URL [7].


  6. I can’t patch the OS due to (put whatever reason here), so how can I protect myself?


Please turn off the SMB1 feature, either through the registry (below) or from the Windows Features panel (Figure 2.0).


To enable or disable SMBv1 on the SMB server, configure the following registry key (type regedit at the command line to open the Registry Editor):


Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled


Alternatively, untick the SMB1 feature as shown in Figure 2.0.




Figure 2.0: The feature that needs to be unticked in the “Turn Windows features on or off” panel


Please refer to this complete guide [8] from Microsoft on how to disable SMB1.
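An added PowerShell example (not from the original post) that audits a host for the two fixes described above: whether an MS17-010 update is installed and whether SMBv1 is disabled through the registry value just listed, and that disables SMBv1 when run with -Disable. It checks only KB4012598 from reference [6]; the KB for your own OS version comes from the bulletin [1] and is passed with -Kb. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later; Set-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later, so it is used only where present.

```powershell
# Added example: audit (and optionally disable) SMBv1 and check for an MS17-010 hotfix.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.
param(
    [switch]$Disable,                  # apply the fix instead of only reporting
    [string[]]$Kb = @('KB4012598')     # KB4012598 is the EOL patch from [6]; add the
)                                      # KB for your OS from the MS17-010 bulletin [1]

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$os  = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) $($os.Version)"

# 1. Is any of the listed MS17-010 updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Kb -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($Kb -join ', ') found; host may still be vulnerable to MS17-010"
}

# 2. Read the SMB1 value; a missing value means the default (1 = Enabled).
$smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1) { $smb1 = 1 }
$state = if ($smb1 -eq 0) { 'Disabled' } else { 'Enabled' }
Write-Host "SMB1 registry value: $smb1 ($state)"

# 3. Disable SMBv1 if requested: the registry value (all versions) and, where the
#    cmdlet exists (Windows 8 / Server 2012 and later), the SMB server setting too.
if ($Disable -and $smb1 -ne 0) {
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Write-Host 'SMBv1 disabled; reboot for the change to take effect.'
}
```

Run it once without -Disable to get a report, then with -Disable on hosts where SMBv1 is not needed.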


  7. Should I block our public SMB service on port 445?


Yes, you should, since MS17-010 is a pre-authentication vulnerability and many exploits are available. Please make sure to patch the SMB service (MS17-010) before opening port 445 publicly, if that is your business requirement. Only brave people will do this! Good luck.


  8. Should I block our internal SMB service on port 445?


Yes, you should, since MS17-010 is a pre-authentication vulnerability and many exploits are available. Please make sure to patch the SMB service (MS17-010) before opening port 445 again. This is important to prevent internal infection if any of your Windows PCs is already infected.
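An added PowerShell example (not from the original post) that blocks inbound SMB on a single host with the Windows firewall and verifies that the rule is enabled and really covers TCP/445. It assumes an elevated session on Windows 8 / Server 2012 or later (the NetSecurity cmdlets); the rule name is constructed for the example.

```powershell
# Added example: block inbound SMB (TCP 445) on this host and verify the rule took effect.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
$ruleName = 'Block inbound SMB (MS17-010 mitigation)'   # constructed rule name

# Create the rule once; re-running the script must not create duplicates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: the rule exists, is enabled, and actually filters TCP/445.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and
    $port.Protocol -eq 'TCP' -and $port.LocalPort -eq '445') {
    Write-Host "Rule '$ruleName' active: inbound TCP/445 is blocked"
} else {
    Write-Warning "Rule '$ruleName' is not in the expected state"
}

# From another machine on the subnet, confirm the port no longer answers:
#   Test-NetConnection -ComputerName <this host> -Port 445   # expect TcpTestSucceeded : False
```

Remove the rule with Remove-NetFirewallRule -DisplayName once the host is patched and SMB access is required again.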


  9. Does the Wannacry malware spread via email attachment?


Based on the current situation and the evidence collected so far, we have not found any Wannacry sample spreading via email attachment yet.


  10. WTH/F is a kill switch? I heard this is the new jargon. Should I worry about it?


In the context of this Wannacry incident, the kill switch is a feature that turns off the execution of the Wannacry main component. The kill switch for the Wannacry ransomware is an HTTP request to these two domains (as of the time of writing):


  • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com


If the HTTP request is established successfully, the Wannacry main component stops and exits without infecting the victim.


You do not need to worry about the kill switch since it is already being handled by good security researchers (malwaretech and crew).


  11. Can I block the kill switch IP and domain name?


Please do not block the kill switch domains and IP addresses. Wannacry needs to reach them in order NOT to run the ransomware component.


It is better to leave it alone. If it fails to reach the kill switch domains, your files will be encrypted.


  12. Should I worry about my enterprise web/HTTP proxy? I heard the Wannacry main component is not a proxy-aware application.


Yes: the Wannacry main component is not aware of the HTTP proxy configuration. Running the web/HTTP proxy in transparent mode will allow Wannacry to reach the kill switch domains. If it fails to reach the kill switch domains, your files will be encrypted.
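An added PowerShell example (not from the original post) that checks, from a client on the proxied network, whether the two kill switch domains listed above resolve and answer an HTTP request with no proxy configured on the request, which is how the non-proxy-aware malware connects. If HttpOk is False for a domain on your network, infected hosts there will not be stopped by the kill switch. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the function name is constructed for the example.

```powershell
# Added example: verify the kill switch domains are reachable *without* a proxy,
# the way the WannaCry main component connects. Assumes Windows 8 / 2012 or later.
$domains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

function Test-KillSwitchDomain {   # constructed helper name
    param([string]$Domain)
    $r = [ordered]@{ Domain = $Domain; Resolves = $false; HttpOk = $false; Detail = '' }

    # Step 1: does the name resolve at all? (a sinkholed or blocked name fails here)
    try {
        $ips = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
        $r.Resolves = $true
        $r.Detail = (($ips | Where-Object IPAddress).IPAddress -join ',')
    } catch {
        $r.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # Step 2: plain HTTP GET with the proxy explicitly cleared on the request,
    # so a proxy that is not transparent will make this fail just as it does for the malware.
    try {
        $req = [System.Net.WebRequest]::Create("http://$Domain/")
        $req.Proxy   = $null
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $r.HttpOk  = $true
        $r.Detail += " HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    } catch {
        $r.Detail += " HTTP: $($_.Exception.Message)"
    }
    return [pscustomobject]$r
}

$domains | ForEach-Object { Test-KillSwitchDomain -Domain $_ } | Format-Table -AutoSize
```

Run it from a representative workstation, not from the proxy server itself, so that the result reflects what an infected client would see.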


  13. If I got infected, should I pay the ransom money?


Based on the current amount collected according to bitcoin tracking reports, a few victims have paid the ransom. There are NO reports of anyone successfully recovering their encrypted files after the payment was completed.


It is advised to wait and see how this incident develops.


  14. Where should I follow the latest developments of the Wannacry infection?


We advise you to follow a few security researchers who are actively involved in tracking Wannacry:
  • https://twitter.com/msuiche
  • https://twitter.com/MalwareTechBlog
  • https://www.malwaretech.com/
  • https://isc.sans.org/
  • https://blog.comae.io/


SANS has also released presentation slides aimed at management, to help them understand the incident. Please download them from this link [9].


URL REFERENCE

  • [1] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • [2] https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
  • [3] https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
  • [4] https://support.microsoft.com/en-us/help/306525/how-to-configure-and-use-automatic-updates-in-windows
  • [5] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • [6] http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  • [7] https://msdn.microsoft.com/en-us/library/cc750077.aspx
  • [8] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  • [9] https://isc.sans.edu/presentations/WannaCry.ppt
