Massive ransomware infection spreading across the globe. It spreads using the EternalBlue exploit from the Shadow Brokers dump released last month.

File Name : tasksche.exe
SHA-256 : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Please apply this patch immediately to all endpoints. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This malware is using social engineering to target companies. The emails trick users into clicking files and attachments; once on a machine, it spreads using a vulnerability that was addressed by MS17-010 in March 2017, so please check that all your machines have the latest updates installed.

The IT systems of around 40 NHS organizations across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack.

Non-health focused organizations around the world are also being affected, including the Spanish telecommunications firm Telefonica, which reported a serious issue affecting its internal network as a result of a cyberattack earlier today. The strain is called “Wanna Decrypt0r” and asks $300 from victims to decrypt their computers.

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, Wana Decrypt0r made over 57,000 victims in just a few hours.

The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware appears to use the NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the Shadow Brokers.

The initial infection vector appears to be a phishing email carrying a macro-enabled attachment.

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked that initiates the WannaCry infection.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” he told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

Given that the malware is scanning the entire internet for vulnerable machines, and that as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, the WannaCry outbreak is only expected to get worse over the weekend.

MITIGATION STRATEGIES AND RECOMMENDATIONS:
This section discusses how the threat can be prevented, contained, and removed.

Threat Specific Mitigating Guidelines

  • SMB should be disabled if not required for business use.
  • Exploitation of MS17-010 has been confirmed; that vulnerability should be patched immediately.
  • All SMB-related patches should be applied to servers as soon as practical.
  • Any Microsoft updates that haven’t been applied to servers should be applied as soon as possible.
  • A notice should be sent to all users about this attack, with a reminder not to click links or open files in emails from suspicious or unknown sources.
  • Review current backup policies and procedures and be prepared to perform a restore in case of infection – it is never a good idea to pay the ransom in a ransomware attack if at all avoidable.
  • Verify as well that no users with Administrative, and especially Domain, privileges have been infected; if any have, reset their passwords two times.
  • The priority is that your anti-virus can detect the malware. Verify that you have up-to-date signatures.
  • Make sure that users have the level of knowledge required to never click on suspicious attachments, even if they are displayed with a familiar icon (Office or PDF document). Where opening an attachment offers to execute an application, users must under no circumstances accept the execution, and if in doubt they should consult the competent IT department.

Recommended Best Practices

Below are recommended IT security best practices.  These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.

  • Disable default user accounts
  • Educate users to avoid following links to untrusted sites.
  • Always execute browsing software with the least privileges possible
  • Turn on Data Execution Prevention (DEP) for systems that support it
  • Maintain a regular patch and update cycle for OS and installed software
  • For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx

The media has released these stories:

https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack  
http://elpais.com/elpais/2017/05/12/inenglish/1494588595_636306.html
http://www.ibtimes.co.uk/telefonica-hack-ransomware-attack-internal-network-forces-computer-shut-down-1621350

The following IP addresses, domains and file hashes must be blocked by network admins:

62.138.10.60
82.94.251.227
213.239.216.222
51.255.41.65
86.59.21.38
198.199.64.217
83.169.6.12
192.42.115.102
104.131.84.119
178.254.44.135
163.172.25.118
108.165.22.125
27.254.44.204

5hdnnd74fffrottd[.]com
babil117[.]com
balprodukt[.]ru
bellevillenorfolkterriers[.]co.uk
biolume[.]nl
bitsslab[.]com
boaevents[.]com
byydei74fg43ff4f[.]net
byydei74fg43ff4f[.]net/af/
demelkwegtuk[.]nl
diejosch[.]de
domainway[.]de
easysupport[.]us
edluke[.]com
enboite[.]be
etadjewellery[.]com
geo-zamer[.]ru
jisrcenter[.]com
jomajaco[.]com
julian-g[.]ro
kbelgesi[.]net
kitchenandgifts[.]com
koreancars-club[.]ru
monowheels[.]ru
oklahomagunlawyers[.]com
outback-cycles[.]de
panaceya-n[.]ru
pgringette[.]ca
phinamco[.]com
prystel[.]com
taddboxers[.]com
takanashi[.]jp
takipediliyoruz[.]com
techno-kar[.]ru
tending[.]info
thegoldclubs[.]com
tiskr[.]com
trans-atm[.]com
trebleimp[.]com
trialinsider[.]com
villa31[.]com
volley-bal[.]be
vscard[.]net
wipersdirect[.]com
ws.osenilo[.]com

FileHash-SHA256    09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
FileHash-SHA256    24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
FileHash-SHA256    2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
FileHash-SHA256    2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
FileHash-SHA1      45356a9dd616ed7161a3b9192e2f318d0ab5ad10
FileHash-SHA256    4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
FileHash-MD5       4fef5e34143e646dbf9907c4374276f5
FileHash-MD5       509c41ec97bb81b0567b059aa2f50fe8
FileHash-SHA1      51e4307093f8ca8854359c0ac882ddca427a813c
domain             57g7spgrzlojinas.onion
FileHash-MD5       5bef35496fcbdbe841c82f4d1ab8b7c2
domain             76jdd2ir2embyv47.onion
FileHash-MD5       775a0631fb8229b2aa3d7621427085ad
FileHash-MD5       7bf2b57f2a205768755c07f238fb32cc
FileHash-MD5       7f7ccaa16fb15eb1c7399d422f8363e8
FileHash-MD5       8495400f199ac77853c53b5a3f278f3e
FileHash-MD5       84c82835a5d21bbcf75a61706d8ab549
FileHash-MD5       86721e64ffbd69aa6944b9672bcabb6d
FileHash-SHA1      87420a2791d18dad3f18be436045280a4cc16fc4
FileHash-MD5       8dd63adb68ef053e044a5a2f46e0d2cd
FileHash-MD5       b0ad5902366f860f85b892867e5b1e87
FileHash-SHA256    b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
FileHash-SHA1      bd44d0ab543bf814d93b719c24e90d8dd7111234
FilePath           C:\Windows\mssecsvc.exe
FilePath           C:\WINDOWS\tasksche.exe
domain             cwwnhwhlz52maqm7.onion
FileHash-MD5       d6114ba5f10ad67a4131ab72531f02da
FileHash-MD5       db349b97c37d22f5ea1d1841e3c89eb4
FileHash-MD5       e372d07207b4da75b3434584cd9f3450
FileHash-SHA1      e889544aff85ffaf8b0d0da705105dee7c97fe26
FileHash-SHA256    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
FileHash-MD5       f107a717f76f4f910ae9cb4dc5290594
FileHash-MD5       f529f4556a5126bba499c26d67892240
FileHash-SHA256    f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
domain             gx7ekbenv2riucmf.onion
domain             sqjolphimrr7jqw6.onion
hostname           www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
domain             xxlvbrloxvriy2c5.onion

FileHash-SHA256    5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211
FileHash-SHA1      f98a35ab5f9fa47a49db5535b654cebb5bc99bf5
FileHash-MD5       920e964050a1a5dd60dd00083fd541a2
FileHash-MD5       2c42611802d585e6eed68595876d1a15
FileHash-MD5       83506e37bd8b50cacabd480f8eb3849b
FileHash-MD5       f99ce7dc94308f0a149a19e022e4c316
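The block list above mixes defanging styles (the same host appears as "co.uk" and "co[.]uk", with and without a trailing slash), carries labelled and unlabelled hashes of three different lengths, and includes file paths. Before loading such a list into a proxy, DNS sinkhole or EDR, it has to be normalised and deduplicated, and the hash type should be derived from the digest length rather than trusted from the label. The following script is an added example written for this advisory; it is not code from the advisory's author or from any vendor. It parses a constructed excerpt of the list above, then runs the result over constructed DNS/proxy/firewall log lines and a constructed file-hash inventory, matching subdomains of listed domains as well as exact hosts. The log formats and inventory layout are assumptions for the example.

```python
import re

# Constructed excerpt of the advisory's indicator list, not the full list.
# Defanging styles are deliberately mixed, as they are in the advisory.
RAW_IOCS = r"""
62.138.10.60
bellevillenorfolkterriers[.]co.uk
bellevillenorfolkterriers[.]co[.]uk
bitsslab[.]com
bitsslab[.]com/
byydei74fg43ff4f[.]net/af/
ws.osenilo[.]com
hostname    www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
FileHash-SHA256    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
FileHash-MD5    84c82835a5d21bbcf75a61706d8ab549
bd44d0ab543bf814d93b719c24e90d8dd7111234
FilePath    C:\WINDOWS\tasksche.exe
"""

HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> type
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX = re.compile(r"^[0-9a-fA-F]+$")


def refang(value):
    """Undo '[.]' defanging and strip any scheme or URL path, so one host
    written several ways collapses to a single indicator."""
    v = value.strip().lower().replace("[.]", ".")
    v = re.sub(r"^[a-z]+://", "", v)
    return v.split("/", 1)[0]


def classify(line):
    """Map one line of the list to (type, normalised value); None for blank lines.
    A leading label such as 'FileHash-MD5' or 'domain' is ignored: the hash type
    comes from the digest length, not from the label."""
    parts = line.split()
    if not parts:
        return None
    token = parts[-1]
    if "\\" in token:                       # Windows file path, keep verbatim
        return ("path", token)
    if HEX.match(token) and len(token) in HASH_KIND:
        return (HASH_KIND[len(token)], token.lower())
    host = refang(token)
    return ("ip" if IPV4.match(host) else "domain", host)


def parse_iocs(text):
    """Build {type: set(values)} with duplicates removed."""
    iocs = {}
    for line in text.splitlines():
        item = classify(line)
        if item:
            iocs.setdefault(item[0], set()).add(item[1])
    return iocs


# Constructed sample log lines and a constructed file-hash inventory (assumed
# formats); none of this comes from a real environment.
SAMPLE_LOGS = [
    "2017-05-12T10:01:07Z dns client=10.0.0.14 query=bellevillenorfolkterriers.co.uk",
    "2017-05-12T10:01:09Z proxy client=10.0.0.14 url=http://bitsslab.com/index.php",
    "2017-05-12T10:02:31Z proxy client=10.0.0.21 url=http://byydei74fg43ff4f.net/af/",
    "2017-05-12T10:03:00Z fw src=10.0.0.21 dst=62.138.10.60 dport=445",
    "2017-05-12T10:03:40Z dns client=10.0.0.30 query=cdn.ws.osenilo.com",
    "2017-05-12T10:04:44Z dns client=10.0.0.30 query=example.org",
]
SAMPLE_FILES = [
    ("C:\\WINDOWS\\tasksche.exe", "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"),
    ("C:\\Users\\alice\\notes.txt", "0" * 64),   # constructed benign digest
]

# Hosts a client resolved or connected to, per the assumed log formats above.
HOST_IN_LOG = re.compile(r"(?:query=|url=https?://|dst=)([^\s/:]+)")


def _listed(host, bad_hosts):
    """Exact match, or a subdomain of a listed domain."""
    return host in bad_hosts or any(host.endswith("." + d) for d in bad_hosts)


def match_logs(lines, iocs):
    """Return (indicator host, log line) pairs for every listed host contacted."""
    bad_hosts = iocs.get("domain", set()) | iocs.get("ip", set())
    hits = []
    for line in lines:
        for host in HOST_IN_LOG.findall(line):
            if _listed(host.lower(), bad_hosts):
                hits.append((host.lower(), line))
    return hits


def match_hashes(files, iocs):
    """Return (path, digest) pairs whose digest is in the hash set of its type."""
    hits = []
    for path, digest in files:
        kind = HASH_KIND.get(len(digest))
        if kind and digest.lower() in iocs.get(kind, set()):
            hits.append((path, digest.lower()))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    for kind, values in sorted(iocs.items()):
        print(f"{kind}: {len(values)} unique indicator(s)")
    for host, line in match_logs(SAMPLE_LOGS, iocs):
        print("NETWORK HIT", host, "<-", line)
    for path, digest in match_hashes(SAMPLE_FILES, iocs):
        print("FILE HIT", path, digest)
```

Run as-is, the script reports five unique domains from the eight domain-like lines in the excerpt and flags every sample line except the example.org lookup. The subdomain rule in `_listed` is a deliberate choice: blocking only the exact strings in the list would miss a lookup for a host under a listed domain, which is a common way such lists are silently bypassed.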