Cybersecurity Blog

What is it all about?

The global threat that the world's media have been reporting on since Friday, May 12, 2017, is a ransomware called WannaCry and its miscellaneous variations. Ransomware is a type of malware that encrypts data and demands money from its victims in exchange for the decryption key. This is, unfortunately, a well-known scenario...

WannaCry's delivery method is nothing new either, as it uses phishing, drive-by download, etc.

So what makes WannaCry so new and dangerous?

WannaCry and its variations are particularly dangerous because they spread like worms. They exploit a Windows vulnerability called MS17-010, which was disclosed when the offensive toolset allegedly used by the US intelligence services was published. This vulnerability can be exploited over a corporate internal network, which means that a single contaminated computer can infect every other company device that happens to be vulnerable to MS17-010.

Technically speaking, what is MS17-010?

This vulnerability lies in the Windows implementation of the network file sharing protocol (SMB) and makes it possible to execute arbitrary code on any unpatched device whose ports TCP/139 or TCP/445 are reachable. However, only version 1 of the SMB protocol is vulnerable.

How can organisations protect themselves?

  1. WannaCry and its variations are nothing new with respect to their initial contamination method. As a result, all the usual recommendations for securing corporate workstations remain valid: antivirus, web traffic filtering via proxy servers, user caution... Regular backups will also make it possible to restore any data that might nevertheless have been encrypted.

  2. WannaCry is, however, special in that it uses the MS17-010 vulnerability to infect other devices on the internal network. Applying the patch from Microsoft prevents this internal propagation. Microsoft has even provided special Windows XP and Windows 2003 patches for this vulnerability. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

  3. The malware also relies on the SMB service's network exposure to spread. As a result, urgently deploying on all potentially exposed workstations a local firewall security policy that blocks ports TCP/139 and TCP/445 can also help stem WannaCry's internal propagation.

  4. Moreover, as the malware relies on version 1 of the SMB protocol to spread, deactivating SMBv1 can also reduce its impact.

How can you check if a workstation is patched?

It is not always easy to make sure that a device is patched.

The following PowerShell script will help:

# Hotfixes that contain the MS17-010 fix (one per supported Windows version)
$hotfixes = "KB4012212", "KB4012217", "KB4015551", "KB4019216", "KB4012216", "KB4015550", "KB4019215", "KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635", "KB4016871"
$computer = $ENV:COMPUTERNAME
# Keep only the installed hotfixes whose ID is in the list above, as plain IDs
$hotfix = Get-HotFix -ComputerName $computer |
    Where-Object { $hotfixes -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID
if ($hotfix) {
    Write-Output "$computer has hotfix $hotfix installed"
} else {
    Write-Output "$computer is missing hotfix"
}

If the device is already running Windows 10 version 1703 (which can be checked using the command winver), the MS17-010 patch should already be applied.

How can you know if SMBv1 is activated on a workstation?

In PowerShell:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

How can you disable SMBv1?

Here are Microsoft's instructions:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

In PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

The registry change takes effect after the computer is restarted.
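The three checks above (MS17-010 hotfix or build level, SMBv1 enabled, ports TCP/139 and TCP/445 blocked locally) can be run together as one audit. The following script is an added example, not part of the original post; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the SmbShare and NetSecurity modules exist, and the function name Test-Ms17010Exposure is our own.

```powershell
# Added example (not from the original post): consolidated MS17-010 exposure
# audit for the local workstation. Assumes an elevated session and the
# SmbShare / NetSecurity modules (Windows 8 / Server 2012 and later).
# Hotfix list copied from the check script above.
$ms17010Hotfixes = "KB4012212", "KB4012217", "KB4015551", "KB4019216", "KB4012216",
    "KB4015550", "KB4019215", "KB4013429", "KB4019472", "KB4015217", "KB4015438",
    "KB4016635", "KB4016871"

function Test-Ms17010Exposure {
    # 1. Patch level: one of the listed hotfixes, or build 15063 or later
    #    (Windows 10 version 1703, which already contains the fix).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $installed = @(Get-HotFix |
        Where-Object { $ms17010Hotfixes -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)
    $patched = ($build -ge 15063) -or ($installed.Count -gt 0)

    # 2. Is the SMBv1 server protocol still enabled?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 3. Is there an enabled inbound block rule covering TCP/139 or TCP/445?
    #    (Port ranges such as 137-139 are not expanded; the check is deliberately simple.)
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -match '^(139|445)$') }

    [PSCustomObject]@{
        Computer        = $env:COMPUTERNAME
        Build           = $build
        Ms17010Hotfixes = ($installed -join ',')
        Patched         = $patched
        Smb1Enabled     = [bool]$smb1
        SmbPortsBlocked = [bool]$blocked
        # Worm-style propagation needs all three: unpatched, SMBv1 on, ports reachable
        AtRisk          = (-not $patched) -and $smb1 -and (-not $blocked)
    }
}

$result = Test-Ms17010Exposure
$result | Format-List
if ($result.AtRisk) {
    Write-Warning "$($result.Computer) is exposed to MS17-010: apply the patch, then disable SMBv1."
}
```

On Windows 8.1 / Server 2012 R2 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force disables the SMBv1 server without the registry edit shown above.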

What is the status of the most commonly used operating systems?

Microsoft published specific patches for Windows XP, Windows 2003, Windows 8.0. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

The media said that the threat had been stemmed by a young IT security researcher. What happened?

A young British IT security researcher found a mistake in the code of WannaCry's first version: when executed, the ransomware calls a Command&Control (C&C) server. If the C&C server does not answer, or does not provide specific information, the contamination spreads further. WannaCry's code was calling a C&C server hosted on a domain that was still unregistered. The researcher registered the domain. As a result, he started to receive connection attempts from all active copies of WannaCry worldwide and could instruct them to stop spreading. However, newer versions of WannaCry, in which this mistake has been corrected, are already in circulation. The threat remains.