Initial Infection Vector
At the time of writing (14 May 2017, 20:00 GMT) it is unknown how the initial infection of an organization occurs with this strain of ransomware. It is, however, assumed to spread in the same way as traditional malware: malicious websites, phishing emails, or already-infected hosts being brought onto an organization's internal network.
One confirmed means of infection is via SMB services exposed to the internet, which is the same mechanism that the worm component of the ransomware uses to spread on internal networks.
Internal Spread Vector
The ransomware contains a worm component which spreads it via the SMB service (445/tcp) on Windows hosts.
The worm uses an SMBv1 exploit known as ETERNALBLUE, for which Microsoft released a patch, MS17-010, on 14 March 2017. The exploit works against all unpatched versions of Windows except Windows 10 and Server 2016. Microsoft has also released out-of-band MS17-010 fixes for otherwise unsupported versions (Windows XP, Server 2003 and Windows 8).
Once the ransomware has entered a network it spreads quickly between hosts, because SMB is used heavily on internal networks for remote host management and for file and printer sharing, and is therefore very rarely filtered between internal hosts. Blocking 445/tcp between workstations (for example with host firewall rules) and disabling SMBv1 where it is not required limits the worm's reach until MS17-010 has been applied everywhere.
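The two behaviours described above, an SMB service accepting sessions from the internet and an internal host sweeping its neighbours on 445/tcp, both show up in ordinary firewall or NetFlow logs. The following is an added example (not code from the original advisory) that applies those two checks to a constructed log format of the form "<unix_ts> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"; the internal address ranges, the 60-second window, the 20-peer threshold and the allowlisted management server are assumptions to be tuned for your own environment.

```python
"""Heuristic detection of SMB worm activity in connection logs.

Added example, not code from the original advisory. It flags 445/tcp sessions
accepted from outside the internal ranges (an exposed SMB service) and internal
hosts fanning out to many distinct peers on 445/tcp within a short window,
which is how a worm using ETERNALBLUE looks in firewall or NetFlow data.
The log format is a constructed one:
    <unix_ts> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
The internal ranges, thresholds and allowlist are assumptions to tune locally.
"""
import ipaddress
from collections import Counter, defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60        # assumed window for counting distinct peers
FANOUT_THRESHOLD = 20      # assumed number of distinct peers that is suspicious
# Hosts legitimately expected to touch many peers on 445 (assumed example).
ALLOWLIST = {"10.0.0.5"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def find_inbound_exposure(lines):
    """(src, dst) pairs for SMB sessions accepted from outside the internal ranges."""
    hits = []
    for line in lines:
        ts, src, dst, port, action = parse_line(line)
        if port == SMB_PORT and action == "ALLOW" \
                and not is_internal(src) and is_internal(dst):
            hits.append((src, dst))
    return hits


def find_scanners(lines):
    """{src: peak distinct peers} for internal hosts exceeding FANOUT_THRESHOLD.

    Denied attempts are counted too: a worm sweeping a subnet hits closed ports
    and absent hosts as often as live ones, and those attempts are the signal.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, action = parse_line(line)
        if port == SMB_PORT and is_internal(src) and src not in ALLOWLIST:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()          # (ts, dst) events inside the sliding window
        peers = Counter()         # distinct dst counts inside the window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            peers[dst] += 1
            while window[0][0] < ts - WINDOW_SECONDS:
                old_ts, old_dst = window.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            peak = max(peak, len(peers))
        if peak >= FANOUT_THRESHOLD:
            flagged[src] = peak
    return flagged


def _sample_log():
    """Constructed log: one exposed service, one worm-like sweep, two benign hosts."""
    base = 1494792000  # 14 May 2017 20:00 GMT
    lines = [f"{base} 203.0.113.7 192.168.1.10 445 ALLOW"]
    # infected workstation sweeping its /24 on 445 within 25 seconds
    lines += [f"{base + i} 192.168.1.20 192.168.1.{100 + i} 445 {'ALLOW' if i % 3 else 'DENY'}"
              for i in range(25)]
    # allowlisted management server legitimately reaching many hosts
    lines += [f"{base + i} 10.0.0.5 192.168.2.{10 + i} 445 ALLOW" for i in range(30)]
    # workstation using a few file servers, one every 30 seconds
    lines += [f"{base + 30 * i} 192.168.1.30 192.168.3.{1 + i} 445 ALLOW" for i in range(25)]
    lines.append(f"{base + 5} 192.168.1.40 93.184.216.34 443 ALLOW")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for src, dst in find_inbound_exposure(SAMPLE_LOG):
        print(f"SMB exposed to the internet: {src} -> {dst}")
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm: {src} touched {n} peers on 445/tcp within {WINDOW_SECONDS}s")
```

Running it on the constructed log reports the internet-sourced session to 192.168.1.10 and flags 192.168.1.20, while the allowlisted server and the workstation that opens one file share every 30 seconds are not reported. The allowlist matters in practice: patch management, antivirus and vulnerability scanners all open many 445/tcp sessions and will otherwise dominate the output.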
Command and Control
Initial analysis by the information security community indicates that the ransomware communicates with its command and control servers over Tor, first downloading the Tor client from the internet.
Currently there are five known C&C domains:
An anonymous UK-based security researcher identified a killswitch domain within the ransomware. On initial execution the ransomware attempts to connect to this domain; if the connection succeeds, it exits without encrypting files or spreading. The researcher found that the domain was not registered, and registered it to halt the spread.
It would appear that the attackers neglected to register the domain name, an oversight on their part.
The killswitch domain is:
This domain SHOULD NOT be blocked on external firewall devices or web filters; its reachability is paramount for halting the spread and infection. Note that the ransomware's check is a direct HTTP request to the domain which does not use any configured proxy, so hosts that can only reach the internet through a proxy will not be stopped by the killswitch.
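To confirm the killswitch would actually fire from a given host, the check has to be made the way the ransomware makes it: a plain HTTP GET sent directly, ignoring any proxy configured on the host, where any completed request (including an HTTP error such as 404) counts as reachable and only DNS, connection or timeout failures count as unreachable. The following is an added example, not code from the original advisory; the domain is passed in as a parameter (substitute the killswitch domain given above), and the FakeOpener class is a constructed stand-in so the decision logic can be exercised without network access.

```python
"""Check whether the killswitch domain is reachable the way the ransomware
reaches it: a plain HTTP GET made directly, ignoring any configured proxy.

Added example, not code from the original advisory. The domain is a parameter;
substitute the killswitch domain given in the advisory. FakeOpener is a
constructed stand-in so the decision logic can be exercised offline.
"""
import socket
import sys
import urllib.error
import urllib.request
from contextlib import nullcontext


def build_direct_opener():
    # An empty ProxyHandler disables proxy use, including proxies taken from
    # environment variables or the system settings urllib would otherwise honour.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def killswitch_reachable(domain, opener=None, timeout=5):
    """True if an HTTP request to http://<domain>/ completes at all.

    Only the fact that the request completes matters, not the status code, so
    an HTTP error response (e.g. 404) still counts as reachable. DNS failure,
    connection refusal and timeouts count as unreachable, which is the case in
    which the ransomware carries on encrypting and spreading.
    """
    opener = opener or build_direct_opener()
    try:
        with opener.open(f"http://{domain}/", timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


class FakeOpener:
    """Constructed opener simulating one outcome: 'ok', 'http_error' or 'down'."""

    def __init__(self, outcome):
        self.outcome = outcome

    def open(self, url, timeout=None):
        if self.outcome == "ok":
            return nullcontext(b"sinkhole")
        if self.outcome == "http_error":
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        raise urllib.error.URLError(OSError("Name or service not known"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: killswitch_check.py <killswitch-domain>")
    if killswitch_reachable(sys.argv[1]):
        print("reachable: the killswitch will stop the ransomware on this host")
    else:
        print("NOT reachable: the killswitch will not stop the ransomware on this host")
```

Run it from a representative workstation on each network segment rather than from an administrator's machine; a segment whose only internet path is a proxy will report "NOT reachable" even though browsers on it work normally, and that is exactly the segment where patching and 445/tcp filtering cannot be deferred.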
Targeted Files
The file extensions targeted by the malware fall into several clusters, including:
- Commonly used office file extensions (.ppt, .doc, .xls)
- Less common and nation specific office formats (.sxw, .odt, .hwp)
- Archives and media files (.zip, .rar, .tar, .mp4)
- Emails and email databases (.eml, .msg, .ost, .pst)
- Database files (.sql, .ndb, .accdb, .odb)
- Developer source code (.php, .java, .cpp)
- Encryption keys and certs (.key, .pfx)
- Virtual machines (.vmx, .vmdk, .vdi)
The ransom note explaining the attack and the payment instructions is provided in multiple languages.