A massive attack with a cryptor Wana decrypt0r 2.0

At the moment, we can observe a large-scale attack with a Trojan-decryptor "Wana decrypt0r 2.0". The
attack is observed in different networks that are completely unrelated between themselves.

A ransomware spreading in the lab at the university ( from here )

Some companies advise their users to turn off their computers and wait for further instructions.

Contacting former colleagues, I was surprised by similar stories.

As for me, today I prepared several new Windows images for our cloud system, among them was Windows Server 2008 R2.

What is most interesting is that when I just installed Windows and set up a static IP address on it, it was immediately infected for several minutes.

All Windows images were obtained from MSDN, the hashes are the same, so the possibility of image infection is excluded.

And this is despite the fact that the firewall configuration for a single network interface looking outward has been configured as a “Public Network”.

Nmap does not find open ports. The nmap output shows that even in this case, some ports are open outside by default:

Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
49154/tcp openunknown

The only thing that was installed in the system is Virtio drivers that were loaded when you installed Windows from an external CD.
The ISO image was also obtained from an official source - the Fedora repository, the hash of the amount is also the same.

At the moment, it is not fully known how exactly the infection occurred and which specific Windows versions are vulnerable..

If you have similar cases, share information about them.

Several links on the topic:

• Virustotal Link
• Information on Mmalwr
• Details of WannaCry on GitHub
• Wenta Decrypt0r 2.0 cipher analysis from Pentestit

other links, see the comments to this news.

We are waiting for further news, all with Friday, and here's a nice wallpaper for your desktop:

UPD: Apparently, for attack the vulnerability of the SMBv1 protocol is used.

Patches to fix this vulnerability can be downloaded on the official website:

• Microsoft Security Bulletin MS17-010
• Patch, for older systems (Windows XP, Winows Server 2003R2)

Vulnerability can also be closed by completely disabling SMBv1 support. To do this, simply run the following command in the command line running as Administrator (works in Windows 8.1 and higher versions):

dism /online /norestart /disable-feature /featurename:SMB1Protocol

It is still recommended to install patches.

UPD2: According to numerous requests, information is added on how to check whether you are afraid or not. The following steps will help you understand if a patch is installed that covers this vulnerability in your system:

• Follow the link above and check the update code for your system, for example for Windows 7 or Windows Server 2008 R2, the code will be 4012212either4012215
• Open cmd.exe(command line)
• Write:
  

  wmic qfe list | findstr4012212

• Press enter
• If you see something like this in the answer, it means that you already have the patch installed and you can sleep in peace:
  

  http://support.microsoft.com/?kbid=4012212 P2 SecurityUpdate KB4012212 NT AUTHORITY\система 3/18/2017

• If the answer returns an empty string to you, try checking the next patch from the list.
• If no patch is found, it is recommended to immediately install the update from the link above or from the direct link from UPD9

As it turned out, this method is not 100% working and everyone can have their own nuances.
If you are still sure that the security update is installed, and you still receive a blank line in response, try checking the update through the Windows update log or reading comments on this article.

UPD3: There are interesting details on this incident on the Internet :

Yes, that is right. A set of FuzzBunch exploits appeared, which the Shadow Brokers group of hackers stole from the Equation Group, hackers from the Nat Agency. US security.
Microsoft has quietly covered the holes with an MS 17-010 update, perhaps the most important update in the last ten years.
While the exploit kit has been in the public domain for a week now https://github.com/fuzzbunch/fuzzbunch with instructional videos.
In this set there is a dangerous tool DoublePulsar.
In short, if port 445 is open and the MS 17-010 update is not installed, then DoublePulsar taps
this port, intercepts system calls and injects malicious code into memory.

UPD4: Interactive infection map:

UPD5: Video showing the visual use of the exploit:

UPD6: Found an interesting flaw in the code:

The spread of the ransomware virus WannaCrypt was suspended by registering the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
A security specialist who tweets @MalwareTechBlog found that the virus for some reason was accessing this domain and decided to register it in order to monitor the activity of the program.

As it turned out later, the virus code stated that if the access to this domain is successful, then the infection should be stopped; if not, continue. Immediately after registering a domain, tens of thousands of queries came to him.

The ransomware virus began to spread on May 12th. It blocks the computer and requires $ 300 for unlocking. Tens of thousands of infections were registered in 99 countries, including Russia, where Megafon, the Interior Ministry and the UK became victims. In other countries, telecommunications companies, banks, and consulting firms suffered. In the UK, the health care system computers have failed.
Registering the aforementioned domain did not help those who were already infected, but allowed others to install a Windows update, after which the virus does not work.

UPD7: Microsoft has released a patch for older systems (Windows XP and Windows Server 2003R2)

UPD8: Copypaste with 2ch.hk

Those who started this attack have

Shadow brokers
merged exploits Network Scanner which they themselves wrote on a C / Python
Linux server

How it works?

The scanner script runs on a Linux server. It
drives in a specific IP range or an entire country.
The script scans the range to an open 445 port.
In case of successful detection of the SMB service, it sends an exploit that causes a buffer overflow
.

UPD9: official direct links to this patch for various systems:

UPD10: Encryption versions appeared, ignoring the killswitch method described in UPD6 .

Thanks to xsash , Inflame , Pulse , nxrighthere , waisberg , forajump , Akr0n , LESHIY_ODESSA , Pentestit , alguryanow and others for the many additions to this article.