WannaCry Ransomware, Fake 'invoice' SPAM
FYI...
Indicators Associated With WannaCry Ransomware
- https://www.us-cert.gov/ncas/alerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* (link is external) vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (link is external) operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post.)
WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu/diary.html?storyid=22420
2017-05-15
___
> http://blog.talosintelligence.com/2017/05/wannacry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns.com/setupguide/#/?new=home-free
Test -after- setups: https://welcome.opendns.com/
___
Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecurity.co.uk/more-fake-invoice-malspam-with-pdf-attachments-deliver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...
Screenshot: https://myonlinesecurity.co.uk/wp-c.../fake-invoice_with-pdf-atatchment-malspam.png
... An alternative docm file that was extracted confirms it to be jaff ransomware downloads
ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[/5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5da78d868f57c84197689287/analysis/1494846406/
** https://www.hybrid-analysis.com/sam...90d5da78d868f57c84197689287?environmentId=100
Contacted Hosts
47.91.107.213
3] https://www.hybrid-analysis.com/sam...760a22b8df9967b99b0aa050387?environmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213
4] https://www.virustotal.com/en/file/...9ae319c75fe6909c60e10496/analysis/1494844454/
5] https://jbxcloud.joesecurity.org/analysis/271421/1/html
ecuamiaflowers .com: 107.180.14.32: https://www.virustotal.com/en/ip-address/107.180.14.32/information/
> https://www.virustotal.com/en/url/b...b512dfbef4e5247fd11f2cc9eee13685814/analysis/
h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-address/47.91.107.213/information/
> https://www.virustotal.com/en/url/5...006e0932e61f0be7c39857f883ed3b42c85/analysis/
:fear::fear:
FYI...
Indicators Associated With WannaCry Ransomware
- https://www.us-cert.gov/ncas/alerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* (link is external) vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (link is external) operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post.)
WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu/diary.html?storyid=22420
2017-05-15
___
> http://blog.talosintelligence.com/2017/05/wannacry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns.com/setupguide/#/?new=home-free
Test -after- setups: https://welcome.opendns.com/
___
Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecurity.co.uk/more-fake-invoice-malspam-with-pdf-attachments-deliver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...
Screenshot: https://myonlinesecurity.co.uk/wp-c.../fake-invoice_with-pdf-atatchment-malspam.png
... An alternative docm file that was extracted confirms it to be jaff ransomware downloads
ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[/5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5da78d868f57c84197689287/analysis/1494846406/
** https://www.hybrid-analysis.com/sam...90d5da78d868f57c84197689287?environmentId=100
Contacted Hosts
47.91.107.213
3] https://www.hybrid-analysis.com/sam...760a22b8df9967b99b0aa050387?environmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213
4] https://www.virustotal.com/en/file/...9ae319c75fe6909c60e10496/analysis/1494844454/
5] https://jbxcloud.joesecurity.org/analysis/271421/1/html
ecuamiaflowers .com: 107.180.14.32: https://www.virustotal.com/en/ip-address/107.180.14.32/information/
> https://www.virustotal.com/en/url/b...b512dfbef4e5247fd11f2cc9eee13685814/analysis/
h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-address/47.91.107.213/information/
> https://www.virustotal.com/en/url/5...006e0932e61f0be7c39857f883ed3b42c85/analysis/
:fear::fear:
Last edited: