WannaCry

If you go back about a decade , there were some fairly high-profile incidents -- cases like NotPetya and WannaCry -- where various companies from different parts of the world were impacted by these propagating events.

MOVEit customers found themselves the victim of an actively exploited zero-day vulnerability, since tracked as CVE-2023-34362.

One NHS worker, who asked to remain anonymous, said the attack began at about 12.30pm and appeared to have been the result of phishing. “The computers were affected after someone opened an email attachment.

The response to cyberattacks such as the “WannaCry” worm could have been held up in export control paperwork for days, if not weeks, as would any other vulnerability disclosure or incident response in which command and control software or technical analysis of that software, were to cross a country’s virtual or physical border.

The malware’s current working directory is saved to the “wd” registry value under the \SOFTWARE\WanaCrypt0r key... If WCry is running with elevated privileges, the key is created in the HKLM registry hive; otherwise, it is created in the HKCU hive.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

WCry creates a registry Run key value (see Figure 5) to ensure the ransomware GUI is displayed when victims log in or restart the computer.

Hackers exploited vulnerabilities in outdated systems to encrypt critical data.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

WCry creates a registry Run key value (see Figure 5) to ensure the ransomware GUI is displayed when victims log in or restart the computer.

Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.

Upon starting, the worm attempts an HTTP connection to www . iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea . com. If the connection is successful, then the worm stops running and exits. The threat actors may have added this HTTP connection test to prevent automated sandboxes from running and analyzing the malware.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

The malware’s current working directory is saved to the “wd” registry value under the \SOFTWARE\WanaCrypt0r key... If WCry is running with elevated privileges, the key is created in the HKLM registry hive; otherwise, it is created in the HKCU hive.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

Scanning for Targets: Once executed, WannaCry scans local networks for vulnerable devices, attempting to exploit them without user interaction.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Upon starting, the worm attempts an HTTP connection to www . iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea . com. If the connection is successful, then the worm stops running and exits. The threat actors may have added this HTTP connection test to prevent automated sandboxes from running and analyzing the malware.

Connections made on port 445 (SMB).

WannaCry, for example, took advantage of the EternalBlue vulnerability in outdated versions of Windows' Server Message Block protocol.

WannaCry stays well separated on the strength of its SMB-based spread.

One method is communicating directly with IP addresses instead of domains, making it harder for security tools to collect information about a connection.

WCry installs the Tor network anonymity software on the infected system... Tor establishes a SOCKS5 proxy server on the loopback interface (127.0.0.1) that listens on TCP port 9050. WCry connects to this proxy and attempts to contact the configured C2 hidden services.

The SMB worm delivers itself to the compromised system as a DLL file payload. After the DLL is executed with a single exported function named PlayGame, it writes a copy of the original SMB worm to C:\Windows\mssecsvc.exe and then executes this file. The SMB worm then drops a secondary payload from its resources section to C:\Windows\tasksche.exe and executes this file.

Unrecognized IP addresses, outbound data transfers, and sudden bandwidth spikes can be early signs of cyber infiltration.

The WannaCry ransomware attacks have received extensive coverage since a widespread attack on May 12 caused the systems of many large organizations around the world... to come to a juddering halt.

WCry terminates several services so that their data stores can be encrypted: taskkill.exe /f /im mysqld.exe ... sqlwriter.exe ... sqlserver.exe ... MSExchange* ... Microsoft.Exchange.*

WCry executes the following single command... to complicate system and data recovery... vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

you had a situation where these companies were on the hook for hundreds of millions of dollars, where they couldn't function for a certain amount of time.