Wannacry, SMB and the days to come

By now everyone in the world has heard about "Wannacry".

It is ransomware that exploits "ETERNALBLUE", a vulnerability found in the NSA exploits released by the ShadowBrokers.

Post infection, the ransom note asks for $300 in bitcoin to have your files decrypted, and after 3 days it goes up to $600. If a week passes by, the ransomware threatens to delete the files.

A wave of infections started on Friday, affecting companies like Telefonica, Vodafone and BBVA, but most importantly the NHS in the UK. This meant that hospitals were losing access to their records, appointment systems, analysis results, etc.

Wannacry, Doublepulsar, preview of what is coming?

As you might have read, a couple of weeks ago BinaryEdge found close to 500,000 machines worldwide affected by Doublepulsar, an implant that was also found in the NSA stash.

What is interesting about this is that Doublepulsar also used the same ports as SMB (ports 139 and 445).

So, in reality, those numbers were a preview of what was coming. Exposing SMB to the internet presents a real danger to organizations; combine that with a lack of patching processes and you end up in the situation we are currently in with Wannacry.

Even internally, organizations should have proper firewalling and segregation so that if one machine gets infected, it can't just spread to others on the network via those same ports.

During the weekend, using the BinaryEdge scanning platform, we have been monitoring the exposure of Microsoft products on port 445. Knowing that most companies lack a proper patching process, the numbers reveal that, even though by luck the first wave of Wannacry didn't impact the world to its full potential, the second and following waves that will start today can be much worse.

Looking at those numbers and knowing "ETERNALBLUE" affects

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2008 and 2008 R2
  • Windows 8.1
  • Windows Server 2012 and 2012 R2
  • Windows 10
  • Windows Server 2016

and also taking into account that these scans represent only what the BinaryEdge platform sees (perimeter/network edge), we have to wonder what the next couple of days are going to look like, as there are bound to be a lot of machines on internal networks that are not updated.

In an ideal scenario, we should have seen these numbers go down a lot more during the weekend and hopefully much faster over the next weeks.

We already have scans running today to monitor the changes to these numbers and will update this blog post later.

So what should we do as an organization/individual?

1 - Patch. Get your systems updated as soon as possible.
1.1 - In the meantime, check if BinaryEdge has seen your IP address infected with Doublepulsar in the last weeks by visiting https://www.binaryedge.io/doublepulsar.html

2 - In some organizations patching is hard, or takes time due to processes and bureaucracy. In that case, proper firewalling should be implemented. Segregate machines internally and don't expose ports 445, 139 and 3389 to the internet.

3 - If you're not sure whether you're exposing these ports across your perimeter, talk to BinaryEdge: our platform is used by our customers to run fast scans across their perimeter and check for these services.

4 - Backups: have a backup process in place and test it. Just doing the backups without testing restoring from them isn't worth a lot, as backups can get corrupted or not be working correctly.

5 - Do not open emails from strangers.
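Items 2 and 3 above come down to knowing which of your own external addresses still answer on 139, 445 or 3389. The script below is an added example (not the original post's code and not BinaryEdge's platform) that performs a plain TCP connect check against a list of addresses you own and reports any that accept connections on those ports; the address list passed on the command line is assumed to be your own perimeter.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports the post says should never be reachable from the internet:
# NetBIOS session (139), SMB (445) and RDP (3389).
EXPOSED_PORTS = {139: "netbios-ssn", 445: "smb", 3389: "rdp"}


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_exposure(hosts, ports=EXPOSED_PORTS, timeout=2.0, workers=16):
    """Map each host to the subset of `ports` that accepted a connection."""
    targets = [(host, port) for host in hosts for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: port_is_open(t[0], t[1], timeout), targets))
    exposure = {host: {} for host in hosts}
    for (host, port), is_open in zip(targets, results):
        if is_open:
            exposure[host][port] = ports[port]
    return exposure


def report(exposure):
    """Print one line per host; exposed hosts need perimeter blocking and patching."""
    for host, open_ports in exposure.items():
        if open_ports:
            names = ", ".join(f"{p}/{n}" for p, n in sorted(open_ports.items()))
            print(f"{host}: EXPOSED {names} - block at the perimeter and patch")
        else:
            print(f"{host}: none of 139/445/3389 reachable")


if __name__ == "__main__":
    # Usage: python check_exposure.py <your-external-ip> [<another-ip> ...]
    # Falls back to localhost so the script runs without arguments.
    report(check_exposure(sys.argv[1:] or ["127.0.0.1"]))
```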