WannaCry: frequently asked questions

Unless you haven't accessed the internet for a week, you must have heard about WannaCry or one of the aliases it uses, such as WannaCryptor, WanaCry or WanaDecrypt0r.

In this blog post, I'll try to answer, in clear & concise language, some of the most asked questions. While there have been several excellent (technical) blog posts about WannaCry, this one will be purely non-technical and focuses on practical steps.


What is WannaCry?

The most obvious question, but not necessarily an obvious answer. In essence, it is ransomware, software that holds your machine and your files ransom, until a fee is paid.

In its latest version, it also introduced a wormable component; in other words, it could spread to other machines running Windows in your network.

A worm is a type of malware that can replicate itself and thus spread to other machines in a network.

The name 'WannaCry' stems from the ransomware authors themselves, as that is how they named it.


How does WannaCry work?

An excellent infographic explaining how WannaCry works already exists - see below:

Figure 1 - How does the WannaCry ransomware work? (Source)

Which operating systems does WannaCry infect?

Windows only. More specifically: Windows XP up to Windows 10, Windows Server 2003 up to Windows server 2016. This is the ransomware in its pure form only, however. (see questions below)


Which operating systems were affected the most?

Most of the operating systems or machines were running Windows 7.

Figure 2 - affected Windows versions by % (Source)

Can I spread WannaCry unwillingly to others, or in my network?

It is definitely possible, but only if the worm component is active and you have not updated Windows in a while. More specifically, you will need to install MS17-010 to 'close the hole' or patch the vulnerability.


When did the outbreak of WannaCry start? 

The outbreak reportedly started last week Friday, 12/05/2017, in the morning hours (UTC). However; it is possible the outbreak started the evening before that. A sudden spike in internet traffic seems to suggest the worm started spreading that night:

Figure 3 - possible related spike in traffic (Source)

Can something like this happen again?

Defnitely. In fact, some malware families also exploit(ed) the same vulnerability in Windows as mentioned above.

What is or was the WannaCry 'kill switch'?:

The Wikipedia definition of a kill switch is as follows:

A kill switch is a security measure used to shut off a device in an emergency. (Source) 

This is no different in WannaCry: a specific domain was embedded in the ransomware to act as a kill switch: if said domain exists & communicates this to the ransomware; exit immediately.

Thanks to MalwareTech, who registered the domain, a lot of the WannaCry infections were unable to spread further, since the domain now existed.

Note that some variants appeared later with other 'kill switch domains', which were also rather quickly registered by other security researchers.

Can I decrypt or recover files encrypted by WannaCry?

It is possible. A tool, WannaKiwi, has been developed by several security researchers which may be able to restore your files.

Please find below:

• Download the tool - https://github.com/gentilkiwi/wanakiwi/releases
• Information about the tool - https://github.com/gentilkiwi/wanakiwi
• More info and background - https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

The tool will work granted you have not killed the ransomware process (or your antivirus didn't), and/or you didn't reboot your machine.


What if the tool doesn't work? Can I restore my files in any other way?

If the tool doesn't work, you may have rebooted your machine, the ransomware may have been removed or its process killed.

If you are still desperate to get your files back, there's always a possibility using...:

• ... Backups! If you have backups, please do try restoring from a backup first.
• ... Shadow Copies (Restore Previous Versions). If this doesn't work, you can use ShadowExplorer for example.
• ... Using data recovery software like Recuva, or for a bigger chance in restoring your files, PhotoRec.

Will I get my files back if I pay the ransomware?

There is no sure way of telling. The general advise is, as always, to NOT pay. A few reasons why not:

• The decrypter they send may not work at all, or does nothing.
• They don't send any decrypter at all.
• They cannot contact you or you cannot contact them for whichever reason.
• You are contributing to the 'ransomware eco-system', thus ensuring and increasing the amount of (new) ransomware that will emerge.

And:

• You are dealing with criminals in the end. Cybercriminals, but criminals. This means there is no way of telling if they will hold up their end of the bargain.

If you can avoid it, DO NOT PAY!

How do I remove the ransomware itself?

Any antivirus and/or antimalware by now detects all versions of WannaCry.

How can I defend myself or the other machines in my network against this attack?

Specifically against the worm component, you will need to install patch MS17-010 as mentioned above. If you are using an older version of Windows, for example Windows XP, please see below:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

The link here above is worth a read regardless if you have Windows XP, or a newer operating system version of Windows. If you are still using Windows XP, please do consider to upgrade to a newer version of Windows. Some computer stores may be able to offer you a discount.

Note that by default, Windows updates will be performed automatically.

You may want to check if automatic updates are enabled, by reading the following article:
How to configure and use Automatic Updates in Windows

Additionally, you will need an antivirus and a firewall. If you use Windows 7 or above, the Windows firewall is fairly decent. A free antivirus will, in most cases, suffice as well.

However, it may be worthwhile considering a full antivirus package, which usually includes better antivirus protection and a better firewall. (and additional features, such as anti-spam for example)


How can I protect my files from being encrypted or targeted by ransomware such as WannaCry?

The best recommendation of all times, is to create backups.

Many free backup solutions exist to create copies of your files (pictures, documents, ...). An overview of no less 34 backup solutions can be found here:
34 Free Backup Software Tools

You may also want to give the following article a read:
7 Backup Strategies for Your Data, Multimedia, and System Files

It may seem a lot of work initially, but it is definitely worth it.

A few points to consider when making backups:

• Don't leave your external drive plugged in after the backup. This to prevent your backup files will be encrypted as well. So, take your backup and disconnect your external hard drive afterwards.
• Be careful with backups in the cloud as well. If you use Dropbox for example, and it syncs to your Dropbox folder after your data has been encrypted... You will have another copy of your encrypted data.
• Test your backup, if possible. You wouldn't want to encounter an infection then to only find out your backups are corrupted somehow.
• You can also write your backups to write-once media, like for example DVDs or Blue-Ray. Easier is of course using an external hard drive, but don't forget to disconnect it after you have made the backup.

Can I report someone, somewhere, somehow about this ransomware if it affected me?

Surely. You can fill out an online form via the following portals:

• Report Cybercrime Online (European Union, United Kingdom)
• Internet Crime Complaint Center (United States)

Alternatively, you may want to use my online form to fill in, (print out,) and hand over a copy to your local police department, or Computer Emergency Response Team.

Find the form here; Cybercrime Report Template

It is very important you report the incident. The more information that is available to law enforcement, the bigger the chance they can catch and arrest the people behind WannaCry, or others.

Unfortunately, should you have paid, but your files are still encrypted, there is no sure way of telling if you'll be able to recover any monetary losses. Therefore, the advise is to NOT pay the ransom.



That's it, I hope you have been better informed! Unless of course...

I would like to read more. Where can I find more information?

I have setup a whole page on ransomware prevention, which you can flick through.


Any other questions, please do not hesitate to post in the comments, or send me a message on Twitter.

Nemucod ransomware information

This is a quick post on the recent Nemucod ransomware. Nemucod is (normally) a downloader which uses JavaScript  JScript (thanks Katja) to enter an unsuspecting user's machine and download additional malware (depends on campaign usually).

There's a blog post by Fortinet which explains Nemucod ransomware, so I'm not going to repeat much here: Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs.

This particular campaign is using the lure of a court appeal to spread:

The mail reads:

Notice to Appear,
You have to appear in the Court on the April 22.Please, prepare all the documents relating to the case and bring them to Court on the specified date.Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully,Brian Snider,District Clerk.

It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.

Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it's now 0.49731 bitcoins ($220.11 or €194.80).

New message reads:

Nemucod ransomware message

Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension

Disinfection

If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):

a0.exe (actually 7-zip disguised)
a1.exe
a2.exe
cmd.exe
wscript.exe


The faster you do this, the less files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.

Note: It's always useful to keep a copy of the ransomware note handy, as it's easier to identify the ransomware and if it can be decrypted.


Decryption

I'm only briefly reporting on this for those in need, but currently, the known decryptors are suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!

If you have an older version of Nemucod, you can try one of either decryptors:
Emsisoft Decrypter for Nemucod 
nemucod_decrypter (you will need to install Python for this)

You can also try restoring files with Shadow Explorer. (alternate link)

For more information, please visit the following Bleeping Computer topic
.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic



Prevention

In particular for Nemucod, don't open any JScript/JavaScript files from unknown senders.

For more tips on ransomware prevention, be sure to check out this page I've set up:
Ransomware Prevention


Conclusion

Same as with all malware: don't open attachments from unknown senders!

Please find below IOCs and additional resources.



Resources

.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic
ID ransomware
JavaScript-toting spam emails: What should you know and how to avoid them?
JScript
Nemucod ransomware IOCs
Ransomware overview
Ransomware Prevention
TrojanDownloader: JS/Nemucod

Vipasana ransomware new ransom on the block

Yet another ransomware is going around (since at least the 20th of December), which I've dubbed Vipasana ransomware due to where you need to send your encrypted files to:

Message in Russian, you need to mail vipasana4@aol.com to get your files back

The name may be derived from Vipassanā or 'insight meditation'.

The message in Russian reads:

твои файлы зашифрованы, если хочешь
все вернуть, отправь 1 зашифрованный файл на эту почту:

vipasana4@aol.com

ВНИМАНИЕ!!! у вас есть 1 неделя что-бы написать мне на почту, по прошествии
этого срока расшифровка станет не возможна!!!!

Translated:

Your files are encrypted, if you want them all returned,
send 1 encrypted file to this email:

vipasana4@aol.com

ATTENTION!!! you have 1 week to send the email, after
this deadline decryption will not be possible !!!!

It seems these ransomware authors first want you to send an email before requiring any other action, rather than immediately (or in a certain timeframe) paying Bitcoins to get your files back. In this sense, their technique is novel. Instead of the usual 24/48/72h to pay up, they give you a week.

Do not be fooled: this does not make them 'good guys' in any way, they encrypted your files and as such are criminals.

Search results for vipasana4@aol.com are non-existent, with the exception of one victim hit by this ransomware:

Email addresses used in this specific ransomware campaign:
johnmen.24@aol.com
vipasana4@aol.com


Files will be encrypted and renamed following below naming convention:
email-vipasana4@aol.com.ver-CL 1.2.0.0.id-[ID]-[DATE-TIME].randomname-[RANDOM].[XYZ].CBF

Where [XYZ] is also a random 'extension', the real extension is .cbf

ver-CL 1.2.0.0 may refer to the version number of the ransomware, indicating there are older versions as well.

Targeted file extensions:

.r3d, .rwl, .rx2, .p12, .sbs, .sldasm, .wps, .sldprt, .odc, .odb, .old, .nbd, .nx1, .nrw, .orf, .ppt, .mov, .mpeg, .csv, .mdb, .cer, .arj, .ods, .mkv, .avi, .odt, .pdf, .docx, .gzip, .m2v, .cpt, .raw, .cdr, .cdx, .1cd, .3gp, .7z, .rar, .db3, .zip, .xlsx, .xls, .rtf, .doc, .jpeg, .jpg, .psd, .zip, .ert, .bak, .xml, .cf, .mdf, .fil, .spr, .accdb, .abf, .a3d, .asm, .fbx, .fbw, .fbk, .fdb, .fbf, .max, .m3d, .dbf, .ldf, .keystore, .iv2i, .gbk, .gho, .sn1, .sna, .spf, .sr2, .srf, .srw, .tis, .tbl, .x3f, .ods, .pef, .pptm, .txt, .pst, .ptx, .pz3, .mp3, .odp, .qic, .wps

I have sent over all necessary files to the good people over at Bleeping Computer, as there may be a way to recover files. If so, I will update this post.

Update - 12/02: thanks to a tweet from Catalin this appears to be another version of so called "offline" ransomware, discovered by Check Point:
“Offline” Ransomware Encrypts Your Data without C&C Communication

Unfortunately, there doesn't appear to be a way to recover your files once encrypted. Your best best in trying to recover files is using a tool like Shadow Explorer, which will check if you can restore files using 'shadow copies' or 'shadow volume copies'.

If that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva




Conclusion


Ransomware is, unfortunately, long from gone. Almost each week or month, new variants or totally new strains of ransomware are popping up. In this way, the first and foremost rule is:

Create (regular) backups!

For more prevention advise, see here. 

You may also find a list of Indicators of Compromise (IOCs; hashes, domains, ...) over at AlienVault:
Vipasana ransomware

More ransomware shenanigans

Recently, an update of the infamous CryptoWall ransomware (or cryptoware) was released - you can read more about that particular ransomwere here: CryptoWall 4.0 released with new Features such as Encrypted File Names

Additionally, another ransomware variant has made a return, read more about that one here:
“Offline” Ransomware Encrypts Your Data without C&C Communication

And let's not forget about this one either: Chimera Ransomware focuses on business computers

Did I mention yet there's ransomware for Linux as well? Have a look at Linux.Encoder.1 while you're at it.

... But wait, there's more! You've guessed it, yet another ransomware variant has returned. I wonder what's going on these days, the (cyber)criminals seem to get even more competitive.

Lawrence Abrams over at Bleeping Computer recently wrote an article about the variant we have here as well, as we have caught an updated variant of Poshcoder or Poshkoder or Power Worm:
Shoddy Programming causes new Ransomware to destroy your Data


Moving on to the infection vector and process:

Kan du kontrollera den bifogade filen och låt mig veta vad du tycker? Tack

I just got this document, could you please check it and get back to me? Thanks

Email headers indicate:
Received: from techdallas.xyz (45.63.12.192.vultr.com [45.63.12.192])

45.63.12.192 - IPvoid - Whois

IP location: United States (VirusTotal)

Attached is a file called Bilaga.doc or Document.doc. Other variations are possible, depending on the language (in this case either Swedish or English).

Let's see what's inside Bilaga.doc:

Ole10Native is in fact a VBS file

As you can see, there's an ObjectPool present, containing an Ole native file. The former contains storages for embedded OLE objects. In this case, it's containing a VBS file: 

The VBscript uses Powershell with certain flags or parameters to download a file to the %TEMP% folder and execute it:

(Note that by default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems)

• -WindowStyle hidden: don't display anything to the user (set WindowStyle as hidden)
• -ExecutionPolicy Bypass: no scrips are blocked, neither are there any warnings or prompts
• -nologo: starts the PowerShell console without displaying the copyright banner
• -noprofile: tells PowerShell to not load profile (user) scripts

You can find a tad more information on these commands here.

But what is the user seeing? Opening the Word document, there's another, clickable 'document': 

Clicking the icon, warning message from Word

Decoy message

Then nothing happens, except in the background:

PowerShell download & running the malware

Another PowerShell script (.ps1 file) is being executed, which will start encrypting files with the following extensions:

"*.pdf","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"

As you can see, it has covered quite a lot of extensions. Nathan Scott from Bleeping Computer provided an image with a great explanation on what the script does:

(Source)

In the version I saw, the PowerShell scripts were slightly different, in fact an 'improved version'.

After encrypting all your files, it will drop an HTML file (named DECRYPT_INSTRUCTION.html) on the root of all your folders which contains the following message:

Ransom message - you may need to pay up to $ 1000

It generates your #UUID by the following simple PowerShell command:

Get-wmiobject Win32_ComputerSystemProduct UUID

When visiting said Onion (Tor) link:

Unlock message

Difference here from the version of October is that they also offer to decrypt 1 file, as proof they can actually decrypt all your files again. Unfortunately, the encryption fails horribly (for example, no extension is appended) and your files will be unrecoverable. For more information, see here.

Prevention

• Don't open attachments from unknown senders - ever.
• Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files. 
• Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
• Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
• Consider disabling PowerShell if you don't need or use it. There are two possible options:
  
  
  
  Note that if you have a company laptop, you should inform with your network administrator first.
• Improve security for your Microsoft Office package. (Word, Excel, ...)
  This means disabling ActiveX, disabling macros and blocking external content. Useful links:
  Enable or disable ActiveX controls in Office documents
  Enable or disable macros in Office documents
  Block or unblock external content in Office documents
• As with all ransomware cases: take backups!

Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.




Disinfection

• Identify and kill malicious processes (use Task Manager for example). In this specific case:
  winword.exe, wscript.exe, powershell.exe
• Run a full scan with your installed antivirus product.
• Run a full scan with another antivirus and/or antimalware product.
• In a company: unplug your network cable & warn your network administrator immediately!

Conclusion

Ransomware is far from dead (that is, encrypting ransomware or cryptoware, the "old" ransomware isn't very much around anymore), thus it's important to take preventive measures as outlined above.

You may find IOCs (Indicators Of Compromise) as usual on AlienVault's OTX.

Resources

Bleeping Computer - Shoddy Programming causes new Ransomware to destroy your Data

Microsoft - More Powerful Ways to Launch Windows PowerShell

Microsoft - Object Linking and Embedding (OLE)

Microsoft - ObjectPool Storage

Sophos - Russian ransomware takes advantage of Windows PowerShell

SS64 - An A-Z Index of Windows PowerShell commands 

Trend Micro - Ransomware Now Uses Windows PowerShell 

Acknowledgments

Thanks to my colleague Ville from Panda Security Sweden for alerting me about this incident and Lawrence & Nathan over at Bleeping Computer for their already available information.