PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

Ports 445 exposed to the internet

[Okian+Warrior]

You can get it either by a) exposing port 445 to the internet, or b) exposing port 445 to a computer on your local subnet that's infected.

If you have no other computers running windows on your local net, and if your network connection doesn't allow port 445 through, you should be safe.

...it's a good idea to patch the system, though. Get the patch here.

Port 445 is SMB ("samba" over in linux world), which is used to mount remote disks and printers (and some other things). There's really no need for a user to expose this port to the internet unless you want to mount a disk remotely over the internet, which is not something a user would ordinarily need.

TFA slightly overblown

SMB not allowed thru windows firewall by default
Most users behind NAT/SPI
All rational ISPs block SMB

SMB worms are quite useful for spreading laterally within local networks after some mental giant (e.g. C-level exec) in your organization clicks the wrong email.

Pretty much DOA elsewhere where your just whacking clueless outliers.

Re:TFA slightly overblown

[Tetch]

Home users overwhelmingly sitting behind their router NATs and firewalls have no exposed SMB port access for worm to propagate over

... although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publically routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

http://www.networkworld.com/article/2228449/microsoft-subnet/ipv6-addressing--subnets--private-addresses.html:

the whole concept of IPv6 is to be able to have IPv6 devices globally routable so that in the future, you want to have your IPv6 systems talk to other IPv6 systems directly without having to translate addresses

So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

Re:See?

[gnasher719]

Actually, if they have only three wallets and therefore cannot know who has paid and who hasn't paid, that means clearly that they are not going to unlock anything, no matter whether someone pays a ransom or not.

I suggest a million dollar reward to find the bastards, and then send the SAS around.