May 15, 2017

Homeland Security Issues Threat Alert for WannaCry Ransomware

The first global ransomware campaign, which disrupted several organizations including hospitals across the world, prompted the Department of Homeland Security’s cybersecurity arm to issue a threat alert over the weekend.

The sweeping ransomware menace known as WannaCry has impacted tens of thousands of computers in as many as 100 countries around the world, including the likes of the United States, Spain, Russia, France and Japan. Discovered on the morning of May 12, 2017 by an independent security researcher, the ransomware spread rapidly, demanding a ransom of $300 in bitcoin.

“Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability,” read an alert issued by the DHS US-CERT, the United States Computer Emergency Readiness Team.

Microsoft had previously released a security update for the vulnerability on March 14, 2017. The software giant also released patches for now-unsupported operating systems including Windows XP, Windows 8 and Windows Server 2003 on May 13, 2017.

Phishing emails remain a possible infection vector, according to the official advisory.

Official Initial Analysis

Initial analysis of the ransomware conducted by US-CERT points to an AES-encrypted DLL. At runtime, the loader writes a file titled “t.wry” to disk, and the malware then uses an embedded 128-bit key to decrypt this file. Once loaded into the parent process, the DLL turns out to be the ransomware component that encrypts the user’s files. Notably, the WannaCry DLL is never noticed by antivirus software scans, nor does it appear exposed on the disk, due to its cryptographic loading technique.

When loaded, the DLL begins encrypting files on the victim’s system with 128-bit AES encryption. A random key is generated for each file.

The malware then accesses the resources that the victim’s machine can reach, allowing it to spread across a compromised network.

“This malware is designed to spread laterally on a network by gaining unauthorized access IPC$ share on network resources on the network on which it is operating,” the notice stated.
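As an added example (not code from the US-CERT advisory or from this article), the lateral movement described above can be hunted for as fan-out: one source touching the IPC$ share on many distinct hosts within a short window. The record layout, host names, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): (time, source address, target host, share).
# The tuple layout is an assumption, modeled on share-access auditing such as
# Windows Security event 5140.
IPC = r"\\*\IPC$"
SAMPLE_EVENTS = [
    ("2017-05-12T09:00:01", "10.0.0.5", "FS01", IPC),
    ("2017-05-12T09:00:20", "10.0.0.5", "FS02", IPC),
    ("2017-05-12T09:00:41", "10.0.0.5", "WS11", IPC),
    ("2017-05-12T09:01:05", "10.0.0.5", "WS12", IPC),
    ("2017-05-12T09:01:30", "10.0.0.5", "WS13", IPC),
    ("2017-05-12T09:02:00", "10.0.0.9", "FS01", IPC),
    ("2017-05-12T09:02:10", "10.0.0.9", "FS02", IPC),
    ("2017-05-12T09:02:15", "10.0.0.9", "FS01", r"\\*\Finance"),
    ("2017-05-12T09:00:00", "10.0.0.7", "FS01", IPC),
    ("2017-05-12T09:20:00", "10.0.0.7", "FS02", IPC),
    ("2017-05-12T09:40:00", "10.0.0.7", "WS11", IPC),
    ("2017-05-12T10:00:00", "10.0.0.7", "WS12", IPC),
]

def ipc_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Map each source to the most distinct hosts whose IPC$ share it touched
    inside any single window, keeping only sources that reach the threshold."""
    by_source = defaultdict(list)
    for ts, src, target, share in events:
        if share.upper().endswith("IPC$"):        # ignore ordinary file shares
            by_source[src].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in hits[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(ipc_fanout(SAMPLE_EVENTS))
```

The slow source (10.0.0.7) stays under a five-minute window, so the window and threshold need tuning against normal administrative traffic on the network being monitored.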

The ransomware does not discriminate: it targets both home users and businesses.

Notably, the advisory recommended that victims not pay the ransom.

It stated:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

The advisory, which can be read in full here, also details steps toward applying Microsoft’s patch.

Remediation steps include contacting law enforcement, specifically a local FBI field office, to request assistance.

Other tips for safeguarding against future ransomware attacks include up-to-date antivirus software, close scrutiny of email links and automated data backups.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
