MENU

 

The following information was obtained from the different cyber security sources and provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided is classified as Restricted pursuant to the PNP Regulation 200-012 on document security with impact rating of significant and threat rating of high, based on PNP Information and Communications Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

WannaCry Ransomware or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor is a ransomware program targeting Microsoft Windows and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. It is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of critical Windows Server Messenge Block (SMB) vulnerability and one possible infection vector is via phishing emails.

The WannaCry ransomware is a loader that contains an Advanced Encryption Standard (AES)-encrypted Dynamic Link Library (DLL). During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL which is then loaded into the parent process, is the actual WannaCry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.The malware also attempts to access the InterProcess Communication (IPC$) shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, includingtemporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

To avoid this kind of ransomware, netizens should never click on unknown links or open any software downloads without first performing a virus scan. In addition, users should deny any User Account Control (UAC) request unless they are making modifications to their own system. Likewise, they should be cautious in visiting web pages with malicious code,for this will disallow the attacker to compromise through the infected system. It is best to install security software with warning signals for the detection of malicious software.

RECOMMENDATION

The community is advised to follow the best practices listed for securing and protectinginformation whether for personal use or for work:

• Back-up regularly and keep a recent backup copy off-site;
• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users;
• Ensure anti-virus and anti-malware solutions are updated and are set to automatically conduct regular scans;
• Enable automated patches for your operating system and Web browser; and
• Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.

For additional information, please refer to the following security websites:

• http://www.independent.co.uk/topic/wannacry
• http://edition.cnn.com/2017/05/14/opinions/wannacrypt-attack-should-make-us-wanna-cry-about-vulnerability-urbelis/
• http://www.telegraph.co.uk/technology/0/ransomware-does-work/

POINT OF CONTACT

Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN at This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. or call 7230401 local 5337.