PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

Re:How does it work?

[The+MAZZTer]

You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

Ports 445 exposed to the internet

[Okian+Warrior]

You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

...it's a good idea to patch the system, though. Get the patch here.

Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

TFA slightly overblown

SMB not allowed thru windows firewall by default
Most users behind NAT/SPI
All rational ISPs block SMB

SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

Pretty much DOA elsewhere where your just whacking clueless outliers.

Re:TFA slightly overblown

[Luckyo]

Pretty much this. The hysteria has been laughable. This hits the organisations with large intranets where some idiot gets infected, and functions as an initial infection source, while intranet that actually has SMB enabled to mount network disks and printers is an excellent vector. Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over.

Re:How does it work?

It's been a good practice to not expose SMB ports (445, 139 etc.) to the open Internet for two decades at least, IMHO. I remember than in 1996 (if I remember correctly) I accidentally exposed a NT3.51 machine and my ISP called to warn me.

Re:How does it work?

[benjymouse]

You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.

Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.