The Latest on WannaCry, UIWIX, EternalRocks and ShadowBrokers
Credit to Author: Jon Clay | Date: Wed, 24 May 2017 13:22:58 +0000
Ransomware has gained global attention over the course of the last two weeks due to the huge spread of WannaCry. Following the initial attacks, we’ve seen UIWIX, Adylkuzz and now EternalRocks come onto the scene leveraging the same core set of vulnerabilities.
The common thread between the three threats compared below is MS17-010, along with the other tools and vulnerabilities released by Shadow Brokers. These attacks not only exploit vulnerabilities in systems, but also take advantage of the fundamental struggles every organization faces with patch management and system upgrades. Let’s look at the impact and consider why these threats are occurring.
But first, here’s a quick look at the comparison between WannaCry, UIWIX and EternalRocks:
| | WannaCry | UIWIX | EternalRocks |
|---|---|---|---|
| Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), five vulnerabilities and two tools, TCP port 445 |
| File type | Executable (EXE) | Dynamic-link library (DLL) | Executable (EXE) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX | N/A |
| Autostart and persistence mechanisms | Registry | None | Scheduled Tasks |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks for the presence of VM- and sandbox-related files or folders | None |
| Network activity | On the internet, scans random IP addresses to check for an open port 445 (propagation); connects to a .onion site using the Tor browser (C&C communication) | Uses mini-tor.dll to connect to a .onion site (its C&C) to send encrypted and gathered information (C&C communication) | On the internet, scans random IP addresses to check for an open port 445 (propagation); connects to a .onion site using the Tor browser (C&C communication) |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, or Belarus | N/A |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name | N/A |
| Network scanning and propagation | Yes (worm-like propagation) | No | Yes (worm-like propagation) |
| Kill switch | Yes | No | N/A |
| Number of targeted file types | 176 | All files on the affected system except those in its exclusion list | N/A |
| Shadow copy deletion | Yes | No | N/A |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only | N/A |
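The propagation behaviour listed in the table (a single host probing many addresses on TCP port 445) is something a defender can pick out of firewall or flow logs. The following Python detector is an added example, not code from the original post or from Trend Micro; its log format, addresses and thresholds are constructed for illustration, and in practice the threshold would be tuned against a baseline of normal file-share traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical "time src dst dport action" format):
# 10.0.0.5 fans out to six distinct hosts on TCP/445 within seconds, the propagation
# pattern in the comparison table; 10.0.0.9 is an ordinary file-share client.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 203.0.113.10 445 ALLOW
2017-05-12T10:00:02 10.0.0.5 198.51.100.7 445 ALLOW
2017-05-12T10:00:03 10.0.0.5 192.0.2.44 445 DENY
2017-05-12T10:00:04 10.0.0.5 203.0.113.91 445 DENY
2017-05-12T10:00:05 10.0.0.5 198.51.100.23 445 DENY
2017-05-12T10:00:06 10.0.0.5 192.0.2.9 445 DENY
2017-05-12T10:00:30 10.0.0.9 10.0.0.20 445 ALLOW
2017-05-12T10:01:10 10.0.0.9 10.0.0.20 445 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def parse_lines(text):
    """Yield (timestamp, src, dst, dport) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, _ = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(text, window_seconds=60, min_distinct_dsts=5):
    """Return {src: peak number of distinct TCP/445 destinations inside any sliding
    window} for sources at or above the threshold: one host reaching many SMB peers
    in a short window is the worm-like propagation pattern, not file-share use."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_lines(text):
        if dport == 445:
            by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent, live, peak = deque(), Counter(), 0
        for ts, dst in events:
            recent.append((ts, dst))
            live[dst] += 1
            while ts - recent[0][0] > window:      # expire events older than the window
                live[recent.popleft()[1]] -= 1
            peak = max(peak, len(+live))           # +Counter keeps only positive counts
        if peak >= min_distinct_dsts:
            flagged[src] = peak
    return flagged
```

Running `find_smb_scanners(SAMPLE_LOG)` on the constructed log flags only 10.0.0.5 (six distinct SMB peers inside one window), while the repeated connections from 10.0.0.9 to a single server are left alone.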
The impact
At last count, WannaCry alone had infected 230,000 users in some 150 countries. Given the massive spread and variety of this malware, however, the payout so far has been only about $110,000. This demonstrates that the largest impact wasn’t financial, but physical. Organizations in some industries, including healthcare, were forced to shut down their systems to stop the malware from propagating. This brings a digital threat into the physical world and gives these attacks real-world impact.
However, EternalRocks doesn’t drop any malicious payload. Despite leveraging five vulnerabilities and two reconnaissance tools, it doesn’t leave any malicious content behind. It does leverage the DoublePulsar exploit, which opens a backdoor into the infected system, likely for later use by the threat actors.
Why are they doing it?
When threat actors get into a system and don’t drop a malicious payload, it raises the possibility that they are leaving something else behind instead. It’s possible that the attackers are preparing the network for future use. It could also be a distraction while other vulnerabilities are exploited while no one is watching.
The first line of defense against all of these threats is to patch your systems against all of the vulnerabilities disclosed by Shadow Brokers. Trend Micro offers a variety of solutions, support and tools to help organizations protect against and respond to these threats. Learn more about the latest threats and how to prepare on today’s webinar at 12 p.m. Central time.