- Feb 13, 2017
Here are some basic steps about WCRY (WannaCry) behavior and some tips.
1) You get the malware via a social engineering attack, phishing mails, etc.
2) Once it runs, the malware drops mssecsvc.exe into the C:\Windows directory. On every other machine it reaches, it gets in through the well-known EternalBlue flaw instead (see step 5).
3) It installs itself as a service and from there runs two activities in parallel, using different executables.
4) The first task is to encrypt certain types of files; the list of extensions is in the Wannacrypt0r-FACTSHEET.md gist on GitHub.
5) The second one propagates the malware across any LAN by exploiting the vulnerability in the SMB protocol on TCP ports 445 and 139. This second component keeps scanning the network for new targets to infect via SMB port 445.
6) The kernel-mode backdoor it relies on (see step 7) runs in Ring 0, so it can potentially cause more damage than the encryption activity alone; the encryption itself is ordinary user-mode code.
When we refer to the level of privilege with which an application is executed, we use the term "Ring". "Ring 0" identifies processes running in kernel mode, and "Ring 3" the "user mode" applications (such as the browser).
When the CPU operates in kernel mode, it has access to all registers and the entire memory system.
In contrast, when the CPU operates in user mode, it is allowed to access only those memory areas that are usable in "user mode".
Code that runs in kernel mode may therefore have unrestricted access to every area of the system, including the kernel's own structures and other processes' memory.
7) On each host it exploits, it drops the DoublePulsar backdoor (or reuses one already installed there) and uses it to load the ransomware.
Trying to defend yourself:
- Performing reliable backups, so that you can easily restore your systems and your data in case of encryption, is the essential step!
- Check for the Windows security update released with security bulletin MS17-010 (March 14, 2017); Microsoft also published the same fix out-of-band for unsupported systems such as Windows XP and Server 2003:
Microsoft Security Bulletin MS17-010 - Critical
- If you cannot patch yet, disable SMBv1 and block inbound TCP 445 and 139 on machines that do not need to serve files.
- Needless to say, use good antivirus/security apps; there are many posts here on MT about them.
- The ransomware's initial vector spreads via phishing, therefore do not open links/attachments from suspicious emails, and scan them on VirusTotal.
- The ransomware also attacks network shares and cloud backups, so keep your backup copies up to date and keep sensitive data isolated and offline.
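As an added example (not part of the original post or of any Microsoft tooling), the following PowerShell script turns the tips above into something you can run on a Windows box: it reports whether an MS17-010 KB is present, whether SMBv1 is still enabled, and whether the dropped binary or service named in the post is on the host, then disables SMBv1 and blocks inbound TCP 445/139. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* and NetSecurity cmdlets. The KB identifiers are the ones published with bulletin MS17-010; the service name mssecsvc2.0 and the tasksche.exe file name come from public analyses of the sample, and the firewall rule name is chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example for the WannaCry/EternalBlue propagation path (SMBv1 over TCP 445/139).
# Assumes Windows 8.1 / Server 2012 R2 or later. The KB list is the one published with
# MS17-010 and is only a hint: later cumulative updates supersede these KBs without listing them.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Windows XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Hotfix {
    # Returns the installed MS17-010 KBs, if any. An empty result does not prove the host is
    # unpatched on Windows 10, where the fix ships inside later cumulative updates.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Get-Smb1State {
    # SMBv1 is the dialect EternalBlue targets; report whether the server side still speaks it.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server side and remove the optional feature where it exists.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbInbound {
    # Block the two ports the worm uses on Public/Private profiles. A file server that must
    # serve SMB should instead scope this rule to the subnets that really need access.
    $ruleName = 'Block inbound SMB (WannaCry)'   # name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Public,Private | Out-Null
    }
}

function Find-WannaCryIndicators {
    # Host-level indicators: the worm binary dropped in C:\Windows (named in the post), the
    # encryptor tasksche.exe and the service name mssecsvc2.0 (both from public analyses).
    $hits = @()
    foreach ($p in @("$env:SystemRoot\mssecsvc.exe", "$env:SystemRoot\tasksche.exe")) {
        if (Test-Path $p) { $hits += "file: $p" }
    }
    if (Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue) { $hits += 'service: mssecsvc2.0' }
    $hits
}

function Test-Smb445Exposure {
    # Optional LAN sweep: which of the given hosts still answer on TCP 445, i.e. what the worm probes.
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port445Open = $r.TcpTestSucceeded }
    }
}

# Usage: report first, then harden.
Write-Host "MS17-010 KBs installed: $((Test-Ms17010Hotfix | ForEach-Object HotFixID) -join ', ')"
Write-Host "SMBv1 server enabled:   $(Get-Smb1State)"
Write-Host "Indicators found:       $((Find-WannaCryIndicators) -join '; ')"
Disable-Smb1
Block-SmbInbound
```

Run the report part first on a known-good machine, since a missing KB on Windows 10 only means "not listed", not "unpatched"; the SMBv1 state is the check that actually matters for the exploit. Disabling SMBv1 will break access to old NAS boxes and printers that only speak that dialect, so test on one host before rolling it out.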
Stay Safe