WannaCrypt Resource Center

Created on: Friday, May 12th 2017 1145 EDT (GMT-04:00)
Last Update: Tuesday, May 16th 2017 1512 EDT (GMT-04:00)

This page is maintained by a computer network security research professional and its sole purpose is to inform and assist in preventing the proliferation of the WannaCrypt malware. All the information and software developed by https://tiago.deretti.net and provided on this resource center may be used under the MIT License (Massachusetts Institute of Technology License) and is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

What's WannaCrypt?

WannaCrypt Ransomware, also known as WannaCry, WanaCrypt0r or Wcrypt, is ransomware that targets Windows operating systems. Discovered on 12th May 2017, WannaCrypt was used in a large cyber-attack and has since infected more than 230,000 Windows PCs in 150 countries. WannaCrypt's initial hits included the UK's National Health Service, the Spanish telecommunications firm Telefónica and the logistics firm FedEx. Such was the scale of the ransomware campaign that it caused chaos across hospitals in the United Kingdom: many of them had to shut down, cancelling operations on short notice, while staff were forced to work with pen and paper because their systems were locked by the ransomware.

Timeline of Related Events

  • August 2016 - The Shadow Brokers emerged, auctioning NSA attack tools. They claimed to have hacked the Equation Group, author of Stuxnet & Flame; the auction included weaponizable code with 0-day exploits & trojans.
  • September 2016 - Microsoft published a blog post encouraging users to stop using SMB1 - https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
  • March 2016 - Microsoft released the Security Update for MS17-010 to fix the SMB1 vulnerability
  • April 2017 - The Shadow Brokers released a trove of NSA attack tools, including exploits against SMB (EternalBlue) and trojan code (DoublePulsar).
  • May 2017 - The WannaCrypt campaign began. An unknown attacker combined the NSA attack code with a ransomware payload and demands a USD 300-600 ransom.

    How does WannaCrypt ransomware get into your computer?

    As is evident from its worldwide attacks, WannaCrypt first gains access to a computer via an email attachment and can thereafter spread rapidly through the LAN. The ransomware encrypts the system's hard disk and attempts to exploit the SMB vulnerability to spread both to random computers on the Internet via the SMB TCP port and between computers on the same network.

    WannaChecker Vulnerability ID

    If you are not sure whether your computer is vulnerable, I programmed the "WannaChecker Vulnerability ID" tool, which will help you identify whether you need a Microsoft patch or not; you can download the free tool here.

    What WannaCrypt Does

    1) Infect

  • Runs the attack if MS17-010 is not installed [ETERNALBLUE]
  • Installs the trojan if the attack is successful [DOUBLEPULSAR]

    2) Encrypt

  • Encrypts over 150 file types
  • Shows the ransom message and demands payment in Bitcoin

    3) Spread

  • Scans the local LAN and the wider Internet for port 445
  • Attempts infection if the port is open
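    The spread step above has a recognisable network signature: one host opening SMB connections to many distinct addresses in a short time. As an added detection example (not part of the original page or of the WannaChecker tool), the script below flags that fan-out pattern in firewall-style log lines. The log format, the assumed threshold of 20 distinct TCP/445 destinations per 60-second window and the sample lines are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed: distinct TCP/445 targets per window
SMB_PORT = 445

def parse_line(line):
    """Parse one line of the constructed log: '<iso-ts> <proto> <src> <dst> <dport> <action>'."""
    ts, proto, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)

def find_scanners(lines):
    """Return {src: peak number of distinct TCP/445 destinations inside one WINDOW}
    for every source that reaches THRESHOLD; quieter sources are omitted."""
    events = defaultdict(list)                     # src -> [(ts, dst), ...]
    for line in lines:
        ts, proto, src, dst, dport = parse_line(line)
        if proto == "TCP" and dport == SMB_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        active = defaultdict(int)                  # dst -> hits inside the window
        for ts, dst in hits:
            active[dst] += 1
            while ts - hits[start][0] > WINDOW:    # slide the window forward
                old = hits[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak >= THRESHOLD:
            flagged[src] = peak
    return flagged

# Constructed sample: 10.0.0.7 sweeps 10.0.1.1-10.0.1.30 on 445 within 30 s (the
# worm's fan-out); 10.0.0.9 is an ordinary client talking to one file server.
SAMPLE = [f"2017-05-12T11:00:{i:02d} TCP 10.0.0.7 10.0.1.{i + 1} 445 ALLOW" for i in range(30)]
SAMPLE += [
    "2017-05-12T11:00:05 TCP 10.0.0.9 10.0.0.2 445 ALLOW",
    "2017-05-12T11:00:09 TCP 10.0.0.9 10.0.0.2 445 ALLOW",
    "2017-05-12T11:00:12 TCP 10.0.0.9 10.0.0.3 80 ALLOW",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE).items():
        print(f"ALERT {src}: {n} distinct TCP/445 targets within {WINDOW.seconds}s")
```

    A legitimate file-server client reuses a handful of destinations, so it never approaches the threshold; the same sliding window also ignores a host that reaches many destinations slowly over hours.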
    Recommended Actions - To Prevent

    1. If one of the updates listed below is installed on your system, the system is protected.
    2. The vulnerability was fixed in the March 2017 security update by Microsoft. The March, April and May rollups also include all previous updates, including the March security update.
    3. Microsoft has rolled out many updates and some of them supersede others.
    4. It is important to have the Windows Firewall enabled and Windows Update turned on so that updates install automatically.

    Recommended Actions - If Affected

    1. Contact support, your IT team or, if you are on your own, email wannacry-help@deretti.net
    2. Clean up your machine and recover the system - follow this Microsoft article.
    3. Submit a new sample - if you feel you have detected a new threat or sample, please retrieve a sample of the malware and send it to the Microsoft Malware Protection Team.

    Applicable Microsoft KB Patches

    The most important Microsoft KB regarding WannaCry and SMBv1 is Microsoft Security Bulletin MS17-010, which can be found here.

    I am still validating the KBs below and their relevance.

    Windows Vista & 2003 - KB4012598
    Windows 7 - KB4012212 | KB4012215 | KB4015549 | KB4019264
    Windows 8.1 - KB4012216 | KB4015550 | KB4019215
    Windows 10 - KB4013198 | KB4015219 | KB4012606 | KB4019474 | KB4019473 | KB4013429 | KB4019472
    Windows Server 2008 - KB4012598 | KB4018466
    Windows Server 2008 R2 - KB4012212 | KB4012215 | KB4015549 | KB4019264
    Windows Server 2012 - KB4012214 | KB4012217 | KB4015551 | KB4019216
    Windows Server 2012 R2 - KB4012213 | KB4012216 | KB4015550 | KB4019215
    Windows Server 2016 - KB4013429 | KB4019472 | KB4015217 | KB4015438 | KB4016635
    Other Systems - KB4014511 | KB4019112 | KB4014504

    PowerShell Script

    I developed the following PowerShell instructions, which will help you scan one computer or several computers on a network to check whether a system is vulnerable and needs a Windows hotfix, or whether it is safe.

    # Reads ComputerList.txt (one host name per line) from the current folder and
    # writes Report.htm next to it. Get-HotFix queries each remote machine over
    # WMI (Win32_QuickFixEngineering), so it needs administrative rights there.
    $CurrentLocation = Get-Location
    $ComputerList = Get-Content -Path (Join-Path $CurrentLocation "ComputerList.txt")
    $ReportFile = Join-Path $CurrentLocation "Report.htm"
    $ComputerCount = 0
    # KBs that carry the MS17-010 fix, directly or through a later rollup (see the table above)
    $MSKB = "KB4015221", "KB4013198", "KB4015219", "KB4019264", "KB4014511", "KB4019112", "KB4014504", "KB4012212", "KB4012214", "KB4012217", "KB4015551", "KB4019216", "KB4012216", "KB4015550", "KB4019215", "KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635", "KB4012213", "KB4012215", "KB4015549", "KB4012598", "KB4012606", "KB4019474", "KB4019473", "KB4018466"

    Write-Output "<h1>Windows KB Install Report</h1>" | Out-File $ReportFile
    Write-Output "This report was run on $(Get-Date) ET<br>" | Out-File $ReportFile -Append

    foreach ($Computer in $ComputerList) {
        $ComputerCount++
        if (Test-Connection $Computer -Count 2 -ErrorAction SilentlyContinue -Quiet) {
            # Compare the installed hotfix IDs against the MS17-010 list
            $GetFixes = Get-HotFix -ComputerName $Computer | Select-Object -Property HotFixID
            if ($GetFixes | Where-Object { $MSKB -contains $_.HotFixID }) {
                Write-Output "<br>$ComputerCount - <font color=green><b>$Computer</b> - HotFix Found - No Action Needed</font>" | Out-File $ReportFile -Append
            } else {
                Write-Output "<br>$ComputerCount - <font color=orange><b>$Computer - Need Attention</b></font>" | Out-File $ReportFile -Append
            }
        } else {
            Write-Output "<br>$ComputerCount - <font color=black><b>$Computer not reachable</b></font>" | Out-File $ReportFile -Append
        }
    }
    Write-Output "<br>This report ended on $(Get-Date) ET<br>" | Out-File $ReportFile -Append

    Link to Windows Update (out-of-support products)

  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 x86 and Windows XP SP2 x64
  • Windows XP SP3 x86
  • Windows XP Embedded SP3 x86
  • Windows 8 x86 and Windows 8 x64

    WannaChecker Vulnerability ID License Details

    Copyright (c) 2017 Tiago Deretti

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.