CURRENT ACTIVITIES

Wannacry / WannaCrypt Ransomware - CRITICAL ALERT
(May 13, 2017) (Updated : May 14, 2017)
It has been reported that a new ransomware named "Wannacry" is spreading widely. Wannacry encrypts the files on infected Windows systems. This ransomware spreads by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems. The exploit is named ETERNALBLUE.

The ransomware called WannaCrypt or WannaCry encrypts the computer's hard disk drive and then spreads laterally between computers on the same LAN. The ransomware also spreads through malicious attachments to emails.

In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.

After infection, the Wannacry ransomware displays the following screen on the infected system:

It also drops a file named !Please Read Me!.txt, which contains text explaining what has happened and how to pay the ransom.

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name. The targeted extensions fall into several clusters of formats, including:
  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

Indicators of compromise:

The ransomware writes itself into a randomly named folder under the "ProgramData" folder with the file name "tasksche.exe", or into the "C:\Windows\" folder with the file names "mssecsvc.exe" and "tasksche.exe".

The ransomware grants full access to all files by running the command:
Icacls . /grant Everyone:F /T /C /Q

It uses a batch script for its operations:
176641494574290.bat

Hashes for the WannaCry ransomware:

  • Use endpoint protection/antivirus solutions to detect these files and remove them.


Network Connections

The malware uses Tor hidden services for command and control. The list of .onion domains embedded in it is as follows:
  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion


Note: For updates on the latest indicators of compromise, please see the security vendor references given in the references section.
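A small triage script, added here as an example and not part of the CERT-In alert, that matches host and DNS telemetry against the indicators listed above (the dropped binaries and their locations, the .WCRY suffix, the ransom note name, the icacls command and the .onion C2 names). The event format and the sample events are constructed for illustration.

```python
import re

# Indicators quoted from the alert above: .onion C2 list, dropped binaries and
# their locations, the ransom note name, the .WCRY suffix and the icacls command.
ONION_C2 = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion", "sqjolphimrr7jqw6.onion",
}
# tasksche.exe in a random-named ProgramData subfolder, or either binary directly in C:\Windows
DROP_PATH_RE = re.compile(
    r"^c:\\(programdata\\[^\\]+\\tasksche\.exe|windows\\(?:mssecsvc|tasksche)\.exe)$", re.I)
ICACLS_RE = re.compile(r"\bicacls\s+\.\s+/grant\s+everyone:f\s+/t\s+/c\s+/q\b", re.I)

def classify_file(path):
    """Return a reason if a file path matches a WannaCry file indicator, else None."""
    lower = path.lower()
    if DROP_PATH_RE.match(lower):
        return "dropped binary at known location"
    if lower.endswith(".wcry"):
        return "encrypted file with .WCRY suffix"
    if lower.rsplit("\\", 1)[-1] == "!please read me!.txt":
        return "ransom note dropped"
    return None

def classify_command(cmd):
    """Flag the icacls call that grants Everyone full control of the working tree."""
    return "icacls granting Everyone full control" if ICACLS_RE.search(cmd) else None

def classify_dns(name):
    """Flag a lookup of one of the Tor hidden services the alert lists as C2."""
    return "C2 .onion name" if name.lower().rstrip(".") in ONION_C2 else None

def triage(events):
    """Dispatch each event to the matcher for its type and return only the hits."""
    handlers = {"file": classify_file, "process": classify_command, "dns": classify_dns}
    hits = []
    for ev in events:
        reason = handlers[ev["type"]](ev["value"])
        if reason:
            hits.append({**ev, "reason": reason})
    return hits

# Constructed sample telemetry (not real logs): one benign event among four indicator hits.
SAMPLE_EVENTS = [
    {"type": "file", "value": r"C:\ProgramData\qwzrtpvk\tasksche.exe"},
    {"type": "file", "value": r"C:\Users\asha\Documents\budget.xlsx"},
    {"type": "file", "value": r"C:\Users\asha\Documents\budget.xlsx.WCRY"},
    {"type": "process", "value": "cmd.exe /c icacls . /grant Everyone:F /T /C /Q"},
    {"type": "dns", "value": "gx7ekbenv2riucmf.onion"},
]
```

Calling triage(SAMPLE_EVENTS) returns the four matching events with a reason attached; a .onion name showing up in DNS logs at all is itself unusual, since Tor clients resolve such names internally.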

Specific Countermeasures to prevent Wannacry/WannaCrypt Ransomware:

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infections/attacks:
  • In order to prevent infection users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
[More >>]
Beware of Pokemon Go fake Malicious Apps
(July 28, 2016)
It has been observed that the fake "Pokemon Go" malicious apps are available on third party websites for download.
[More >>]
Logjam attack in TLS Protocol
(May 25, 2015)
An attack method known as Logjam attack could allow a remote attacker to perform a Man-In-The-Middle (MiTM) attack to downgrade vulnerable TLS connections, bypass security restrictions, and gain access to sensitive information from targeted systems.
[More >>]
Man-in-The-Middle (MiTM) attack in SSL/TLS implementations
(March 07, 2015)
An attack method known as Factoring RSA Export Keys (FREAK) could allow a remote attacker to perform a man-in-the-middle (MiTM) attack, bypass security restrictions, and gain access to sensitive information.
[More >>]
D4re|Dev| targeting Mass transit systems and E-Kiosks
(December 08, 2014)
It has been reported that a new point of sale (POS) malware, dubbed "D4re|Dev" a.k.a. "DareDevil", targeting mass transit systems is spreading. The malware mainly infects the machines used as public transport ticket vending machines or interactive kiosks. The attacker may gain initial access due to inadequate internal security policies, such as weak passwords, along with the use of the POS systems for other activities including web surfing, email access, games and social networking sites. Once initial access is gained, the attacker can upload other backdoors using the malware's "Remote File Upload" functionality. These backdoors run under processes named "hkcmd.exe", "PGTerm.exe" and other legitimate Google Chrome process names in order to bypass security restrictions and remain undetected. Successful compromise gives the remote attacker full access to the infected system.
[More >>]
Havex Malware targeting ICS/SCADA control systems
(July 02, 2014)
It has been reported that an industrial information-stealing malware, dubbed Havex, is targeting ICS-based systems by leveraging OPC protocol implementations. OPC (OLE for Process Control / Open Platform Communications) is a standard for Windows applications to communicate with process control hardware and transfer process data between systems from different vendors.
[More >>]
Gameover aka Zeus-P2P malware surge
(March 11, 2014) (Updated : June 03, 2014)
It has been reported that the "GameOver" malware, aka Zeus-P2P, is surging with new tactics, techniques and procedures (TTP). GameOver is an incarnation of the information-stealing banking malware Zeus/Zbot, augmented with peer-to-peer capabilities to communicate with the C2 server, and is mainly distributed through the Cutwail spam bot.
[More >>]
Attacks through SSHD root kit targeting Linux Systems
(March 11, 2013)
It has been reported that a user-mode rootkit is in the wild targeting major Linux flavors (mainly RPM based). It logs user name and password pairs sent over the network, sends them to randomly generated attacker-controlled domains, and additionally opens a backdoor onto the system.
[More >>]
Bamital Botnet (Search Hijacking and Click Fraud Scams)
(February 11, 2013)
It has been observed that the Trojan Bamital is propagating widely. Bamital is a click-jacking trojan which modifies search results and redirects users to advertisement links. Microsoft and Symantec announced the takedown of the Bamital botnet early this month after identifying and shutting down its vital components.
[More >>]
Android Trojan infecting PCs connected through USB-connected smartphones
(February 08, 2013)
It has been observed that an Android malware capable of infecting the connected PCs is available in the Android Markets.
[More >>]
Skype bogus messages spreading Dorkbot
(October 19, 2012)
A malicious spam campaign is on the rise targeting Skype users by sending instant messages which appear to come from friends in the Skype contact list. The message generally resembles the one below, with the links typically including a shortened goO.gl link to a zip file hosted by Hotflie.com.
[More >>]
Active exploitation of Java Vulnerability (CVE-2012-1723)
(August 08, 2012)
It has been reported that a significant malware propagation is rampant through spam e-mail messages and drive-by-downloads leveraging a recently disclosed Java vulnerability (CVE-2012-1723).
[More >>]
DDoS attacks on Indian websites
(May 23, 2012)
It is observed that some hacker groups are launching Distributed Denial of Service attacks on websites of Government and private organizations in India. The attacks may be targeted to different websites of reputed organizations.
[More >>]
DNS Changer Malware
(February 22, 2012)
It has been observed that a malware called DNS Changer Trojan, which changes the DNS server entries in computer systems and ADSL/VoIP routers (home gateway devices), is widely propagating.
[More >>]
Malicious PDF in the pretext of Kim Jong Ill Death
(December 26, 2011)
It has been observed that a spam campaign on the pretext of the death of North Korean leader "Kim Jong Ill" is making the rounds for malware propagation. The malicious spam mails carry a spurious PDF attachment named "brief_introduction_of_kim_jong_Ill_pdf.pdf".
[More >>]
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Last Updated On July 27, 2017