Ransomware Week

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

Wow what an end to the week we have seen!  As you might be aware, on Friday 12th May we all saw the start of what has to be the worlds largest Ransomware attack to date.  Unlike a lot of other attacks, this has been prolific enough to capture the attention of media outlets everywhere, not just covered by the likes of TrendMicro but by more mainstream outlets such as The Guardian.

When we first heard about the growing problem early on Saturday morning - it seemed a little too coincidental that something of this magnitude was released only a short time after the latest CIA leaks.  Those of you who are aware of these recent leaks will certainly know how serious the vulnerabilities were they kept covered up.  So it is no surprise we are now seeing attacks on this scale; while many of the vulnerabilities have been addressed and closed, there remains a large number of people yet to actually apply these updates.

We are clearly not the only people to make this connection as on Sunday 14th, A top lawyer at Microsoft laid a portion of blame on the US government for their part in irresponsibly hoarding the vulnerabilities that are now being exploited -


What is actually happening?

A number of European countries were some of the first to report problems that affected their computer systems - the NHS being one of the more prominent ones in the UK.  This was very quickly revealed to be a large scale Ransomware attack; at the same time, it began to spread incredibly quickly.

This particular version / variant is called 'WannaCry' although it appears a number of related infections are taking place so the full scale is yet to be seen.  That being said, it does not appear to be targeting any organisation or sector in particular.

WannaCry is targeting older Windows based machines due to the extra vulnerabilities they contain - in this instance, it is targeting Windows XP based systems.  This only goes to show just how much Windows XP is still being used despite official support being long dead!  It follows a common theme with Ransomware - it looks for files with one of 176 file types including office documents and database stores and encrypts them.  We've not been able to independently verify the demand (although we will), it appears to seek between 0.1 and 0.3 BTC (BitCoin) - somewhere between £140 to £400; although a number of sources indicate the request is "$300 worth of BTC" (approximately 0.168 BTC).  Once you have been infected, you are required to pay within three days of the amount doubles with the usual threat of deletion if you don't pay within seven days.


Technical Bits

WannaCry exploits vulnerability CVE-2017-0144 (Microsoft Security Bulletin MS17-010 - update 4013389) - this is an SMBv1 server attack in which allows code to be executed via specifically crafted packets.  An exploit was developed for this by the Shadow Brokers called EternalBlue (I have another post coming on how to integrate this into metasploit although this will most likely have been done already before I get around to completing it).  As SMB is a network infrastructure, it allows WannaCry an easy way to spread from system to system, all it needs is an internet connection.

You may be aware that a security researcher by the name of MalwareTech had managed to briefly halt the spread of the infection.  This is because he accidentally discovered the built in kill-switch - a refference to a non-existing domain "" if which responded would prevent the spread.  As it currently stands, updated variants seems to be spreading meaning this kill switch was quickly removed.

At current, we are not yet sure of the mechanism or method in which the encryption takes place although we have seen the following BitCoin addresses in connection with WannaCry:




About TSSec

We are Digger and Odskee, a small information security research team based in the UK.  We love breaking and fixing things and enjoy getting our hands dirty in the field of infoSec.

Odskee tends to focus on the theoretical, software based aspects while Digger finds himself at home with the raw electronics.  We both have a number of years of experience within a number of similar roles and think these work best as a team.

Latest News

©2019 TSSec