How to remove Wannacry Ransomware fixes from Microsoft

As you are all aware of the new ransomware has been used in the massive hacking attack, affecting tens of thousands of computers worldwide.

If any of the staff/User receive any suspicious emails and if you are not sure, please do not open any attachment files. Just forward it to your Admin for further investigation.

How to identify suspicious email:

  1. Unsolicited or unexpected email
  2. High importance emails
  3. Unofficial “From” email address
  4. Link to fake web sites
  5. Message asks for personal information
  6. The email urge you to take immediate action
  7. Review the signature
  8. Be wary of other methods to identify a legitimate site

Wannacry Ransomware fixes from Microsoft. Do update ASAP and share with others.

Windows XP SP3: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

Windows Vista x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu

Windows Vista x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu

Windows 8: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu

Windows 8.1: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 10: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu

Windows 2003 x86: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe

Windows 2003 x64: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

Windows 2008: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu

Windows 2008R2: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 2012: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu

Windows 2012R2: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

Windows 2016: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu


What is Ransomware?

Ransomware is malicious software that encrypts the files and locks device, such as a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a dangerous ransomware named ‘Wannacry’ has been affecting the computers worldwide creating the biggest ransomware attack the world has ever seen. This has affected computers in India also.

What is WannaCry Ransomware?

WannaCry ransomware attacks windows based machines. It also goes by the name WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY.It leverages SMB exploit in Windows machines called EternalBlue to attack and inject the malware. All versions of windows before Windows 10 are vulneable to this attack if not patched for MS-17-010. After a system is affected, it encrypts the files and shows a pop up with a countdown and instructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. If the ransom is not paid in 3 days, the ransom amount increases to 600$ and threatens the user to wipe off all the data. It also installs DOUBLEPULSAR backdoor in the machine.

How it spreads?

It uses EternalBlue MS17-010 to propagate. The ransomware spreads by clicking on links and downloading malicious files over internet and email. It is also capable of automatically speeding itself in a network by means of a vulnerability in Windows SMB. It scans the network for specific ports, searches for the vulnerability and then exploits it to inject the malware in the new machine and thus it spreads widely across the network.

What can you do to prevent infection?

Microsoft has released a Windows security patch MS17-010 for Windows machines. This needs to be applied immediately and urgently.

Remove Windows NT4, Windows 2000 and Windows XP-2003 from production environments. Ø Block ports 139, 445 and 3389 in the firewall.

Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.

SMB is enabled by default on Windows. Disable smb service on the machine by going to Settings > uncheck the settings > OK

Make sure your software is up-to-date.

Have a pop-up blocker running on your web browser.

Regularly backup your files.

Install a good antivirus and a good antiransomware product for better security

Below is a consolidated list that needs to block on your firewall/antivirus

IPs to Block

16.0.5.10:135

16.0.5.10:49

10.132.0.38:80

1.127.169.36:445

1.34.170.174:445

74.192.131.209:445

72.251.38.86:445

154.52.114.185:445

52.119.18.119:445

203.232.172.210:445

95.133.114.179:445

111.21.235.164:445

199.168.188.178:445

102.51.52.149:445

183.221.171.193:445

92.131.160.60:445

139.200.111.109:445

158.7.250.29:445

81.189.128.43:445

143.71.213.16:445

71.191.195.91:445

34.132.112.54:445

189.191.100.197:445

117.85.163.204:445

165.137.211.151:445

3.193.1.89:445

173.41.236.121:445

217.62.147.116:445

16.124.247.16:445

187.248.193.14:445

42.51.104.34:445

76.222.191.53:445

197.231.221.221:9001

128.31.0.39:9191

149.202.160.69:9001

46.101.166.19:9090

91.121.65.179:9001

2.3.69.209:9001

146.0.32.144:9001

50.7.161.218:9001

217.79.179.177:9001

213.61.66.116:9003

212.47.232.237:9001

81.30.158.223:9001

79.172.193.32:443

38.229.72.16:443

 

Domains:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Rphjmrpwmfv6v2e[dot]onion

Gx7ekbenv2riucmf[dot]onion

57g7spgrzlojinas[dot]onion

xxlvbrloxvriy2c5[dot]onion

76jdd2ir2embyv47[dot]onion

cwwnhwhlz52maqm7[dot]onion

 

File Names:

@[email protected]

@[email protected]

@[email protected]

Please Read Me!.txt (Older variant)

C:\WINDOWS\tasksche.exe

C:\WINDOWS\qeriuwjhrf

131181494299235.bat

176641494574290.bat

217201494590800.bat

[0-9]{15}.bat #regex

!WannaDecryptor!.exe.lnk

00000000.pky

00000000.eky

00000000.res

C:\WINDOWS\system32\taskdl.exe


WannaCry 3.0 Ransomware
[Updated] WannaCry 3.0 Ransomware is now infecting systems worldwide. Reports suggest WannaCry links to Lazarus Group and the origin of attack was North Korea. Read this report now to find out more about WannaCry 3.0 and the similar codings (Contopee) of Lazarus Group. This group was responsible for the attack on Sony Pictures & a robbery of $81M on a Bangladeshi Bank in 2014!

Thanks to Marcus Hutchins who stopped the wave of WannaCry Ransomware by providing the decryption key! But is this going to be enough? Is this going to stop the cyber criminals from trying something new? NO! It’s not enough! WannaCry 3.0 is already on the roll and it seems like WannaCry 2.0 was just a test to know the working of latest version!

Camaeio founder, Matthieu Suchie has spotted the latest version of WannaCry Ransomware which was not spotted by Kaspersky Lap. This latest version was found from the newly infected system which was a “Kill Switch Version.”

Useful link if you infected:


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecsvc.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasksche.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhsvc.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wcry.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lhdfrgui.exe]
"Debugger"="taskkill /F /IM "

http://blog.trendmicro.com/trendlabs-security-intelligence/massive-wannacrywcry-ransomware-attack-hits-various-countries/

http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html

Live attacks: http://map.norsecorp.com/#/

 

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *