You may have already heard: the WannaCry ransomware (also known as WannaCrypt) took the world by storm on Friday, May 12, 2017.  Over 75 countries and hundreds of thousands of systems fell victim to ransomware that initially demanded $300 in bitcoin to release the system.  The longer the victim waited, the higher the ransom rose, and the ransom note threatened that the files would be deleted once the final deadline passed.  Entire organizations, such as the National Health Service (NHS) in the UK, and large parts of China's educational network were paralyzed by the attack.  The attack is so pervasive that Microsoft released an emergency patch for Windows XP, an operating system that is no longer supported but still in use by many organizations.


Although registering the kill-switch domain found in the original sample has slowed its spread, variants with a different kill-switch domain, or none at all, have since been reported, so things may still get worse.  Much has been published on how the ransomware works: it spreads using the EternalBlue SMBv1 exploit from the NSA toolset leaked by the Shadow Brokers group, the vulnerability Microsoft fixed in March 2017 with MS17-010.  What you really need to know:

  • If your Windows systems have been patched regularly since March of this year, so that MS17-010 (or a later cumulative update that includes it) is installed, the SMBv1 exploit the worm uses cannot infect them.
  • If your systems have not been patched, isolate them from the network as quickly as possible until the patch is applied. Disconnecting from the internet alone is not enough: the worm also spreads over TCP port 445 between hosts on the internal network.
  • Below is the list of hard-coded addresses the ransomware's bundled Tor client contacts to reach its command & control service.  Use the list to create blocking and alerting policies in your firewalls and IPSs: a hit identifies an infected host.  Note that blocking these addresses disrupts the malware's communication with its operators but does not by itself prevent infection or encryption; only patching and blocking port 445 do that.
  • There is a proposed procedure to unlock infected systems.  It has been tried on several systems infected with known versions of WannaCry, but it is not guaranteed to work on all systems or on new variants, and it does not recover files that have already been encrypted; an offline backup remains the only reliable way to get those back.

To attempt to unlock a system infected by WannaCry

  1. Do not attempt any other remediation (rebooting, running other tools, paying the ransom) before completing these steps. If you may need the system for forensic recovery later, take a full disk image first.
  2. Immediately disconnect the system from the network: unplug the network cable or turn off Wi-Fi.
  3. Open Windows Firewall in Control Panel (or run "netstat -an" from an administrative command prompt) and confirm that there are no active connections.
  4. Make sure that time synchronization, if enabled, fails. With the network disconnected the Windows Time service cannot correct the clock; stop and disable the service as well if you need to be certain.
  5. Set the system clock to one year in the future.

To detect and contain infected systems, create blocking and alerting policies on your perimeter firewalls and IPS devices for the following hard-coded addresses (the Tor relays and directory authorities, on Tor's usual ports 443 and 9001, through which the malware reaches its command & control service; entries without a port should be blocked on all ports):

    • 188.166.23.127:443
    • 193.23.244.244:443
    • 2.3.69.209:9001
    • 146.0.32.144:9001
    • 50.7.161.218:9001
    • 217.79.179.77
    • 128.31.0.39
    • 213.61.66.116
    • 212.47.232.237
    • 81.30.158.223
    • 79.172.193.32
    • 89.45.235.21
    • 38.229.72.16
    • 188.138.33.220

Please understand that newer variants of the WannaCry malware may ship with updated address lists.  NSFOCUS will update this security blog with new addresses as they become available.
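Turning the list above into enforceable rules, as an added example that is not code from the NSFOCUS post: a POSIX shell script for a Linux perimeter host running iptables. It prints a LOG rule followed by a DROP rule for each indicator (an "ip:port" entry blocks only that TCP port, a bare "ip" is blocked on all ports), validates every address so a typo in the list cannot abort the rule load halfway, and adds an inbound block for TCP 445, the SMB port the worm spreads on. The indicator values are copied from the list above; the chain name (FORWARD), the log prefixes and the port 445 rule are assumptions of this example, not part of the post. Because the addresses are plain data in one variable, updating the list for a new variant means editing only that variable.

```shell
#!/bin/sh
# Added example (not from the NSFOCUS post): generate iptables rules for the
# WannaCry Tor indicators. Rules are printed for review, not applied; run as
# root and pipe the output to sh to install them.

# One indicator per line, as "ip" or "ip:port" (values copied from the post).
WANNACRY_INDICATORS="
188.166.23.127:443
193.23.244.244:443
2.3.69.209:9001
146.0.32.144:9001
50.7.161.218:9001
217.79.179.77
128.31.0.39
213.61.66.116
212.47.232.237
81.30.158.223
79.172.193.32
89.45.235.21
38.229.72.16
188.138.33.220
"

CHAIN=${CHAIN:-FORWARD}                 # assumed; use OUTPUT to protect the host itself
LOG_PREFIX=${LOG_PREFIX:-WANNACRY-TOR } # assumed; shows up in the kernel log on a hit

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Octet range check in a subshell so the IFS change does not leak out.
    ( IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# wannacry_block_rule ENTRY: print a LOG rule and a DROP rule for one indicator.
# Malformed entries are reported on stderr and skipped (non-zero return).
wannacry_block_rule() {
    entry=$1
    case "$entry" in
        *:*) ip=${entry%%:*}; port=${entry##*:}; match="-d $ip -p tcp --dport $port" ;;
        *)   ip=$entry;       port="";           match="-d $ip" ;;
    esac
    if ! valid_ipv4 "$ip"; then
        printf 'skipping malformed indicator: %s\n' "$entry" >&2
        return 1
    fi
    if [ -n "$port" ]; then
        { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null || {
            printf 'skipping malformed indicator: %s\n' "$entry" >&2
            return 1
        }
    fi
    printf 'iptables -A %s %s -j LOG --log-prefix "%s"\n' "$CHAIN" "$match" "$LOG_PREFIX"
    printf 'iptables -A %s %s -j DROP\n' "$CHAIN" "$match"
}

# wannacry_block_rules: emit rules for every indicator in the list, skipping
# (and reporting) malformed entries rather than aborting the whole rule set.
wannacry_block_rules() {
    for entry in $WANNACRY_INDICATORS; do
        wannacry_block_rule "$entry" || true
    done
}

# wannacry_smb_rule: the worm propagates over SMB (TCP 445); blocking it inbound
# at the perimeter removes the internet-facing exposure. Added here, not in the post.
wannacry_smb_rule() {
    printf 'iptables -A %s -p tcp --dport 445 -j LOG --log-prefix "WANNACRY-SMB "\n' "$CHAIN"
    printf 'iptables -A %s -p tcp --dport 445 -j DROP\n' "$CHAIN"
}

# Running the script directly prints the complete rule set.
wannacry_smb_rule
wannacry_block_rules
```

The LOG rules matter at least as much as the DROP rules: a kernel-log line with the WANNACRY-TOR prefix names an internal host that is already infected and trying to reach its operators, which is the signal to pull that host off the network, whereas the block itself does nothing to stop encryption already under way.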

