WannaCrypt ransomware worm targets out-of-date systems


On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied on most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.

Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.

In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.

Attack vector

Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as the primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

WannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

Dropper

The threat arrives as a dropper Trojan that has the following two components:

  1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
  2. The ransomware known as WannaCrypt

The dropper tries to connect to the following domains using the API InternetOpenUrlA():

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If the connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.

In other words, unlike in most malware infections, IT Administrators should NOT block these domains. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
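One way to apply the DNS guidance above on a Windows DNS server, as an added example that is not part of the original post: it creates an internal zone for each of the two .com kill-switch domains listed above, points the www label at an internal host that accepts TCP 80, and verifies from a client that the name resolves and the port answers. The sinkhole address 10.0.0.50 and the use of AD-integrated zones are assumptions.

```powershell
# Added example (not from the original post). Requires the DnsServer module
# (DNS Server role or RSAT) and administrative rights on the DNS server.
# Assumption: an internal host at 10.0.0.50 (placeholder) accepts TCP 80 connections.

$KillSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)
$SinkholeAddress = '10.0.0.50'   # placeholder: any reachable internal web server

function Add-KillSwitchZone {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$IPv4Address
    )
    # Create the zone only if it is not already hosted here.
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        # Assumption: AD-integrated DNS; use -ZoneFile "$Domain.dns" on a standalone server.
        Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope 'Domain'
    }
    # The dropper requests www.<domain>, so the A record must be for the www label.
    $existing = Get-DnsServerResourceRecord -ZoneName $Domain -Name 'www' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'www' -IPv4Address $IPv4Address `
            -TimeToLive (New-TimeSpan -Minutes 5)
    }
}

function Test-KillSwitchReachable {
    param([Parameter(Mandatory)][string]$Domain)
    $fqdn = "www.$Domain"
    # Resolve the way the malware does: through the host's stub resolver, not a proxy.
    $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    if (-not $answer) {
        return [pscustomobject]@{ Name = $fqdn; Resolved = $false; Address = $null; Port80 = $false }
    }
    # The dropper only needs a successful TCP connection on port 80 to stop.
    $tcp = Test-NetConnection -ComputerName $fqdn -Port 80 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name     = $fqdn
        Resolved = $true
        Address  = $answer[0].IPAddress
        Port80   = $tcp.TcpTestSucceeded
    }
}

foreach ($d in $KillSwitchDomains) {
    Add-KillSwitchZone -Domain $d -IPv4Address $SinkholeAddress
}
# Run the check from a client that uses this DNS server; both rows should show Port80 = True.
$KillSwitchDomains | ForEach-Object { Test-KillSwitchReachable -Domain $_ } | Format-Table -AutoSize
```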


The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”


WannaCrypt ransomware

The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”.

When run, WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
  • HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”

It changes the wallpaper to a ransom message by modifying the following registry key:

  • HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”

It creates the following files in the malware’s working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

WannaCrypt may also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

It may create a randomly named service that has the following associated ImagePath: “cmd.exe /c “<malware working directory>\tasksche.exe””.
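A read-only host check for the service, registry and file artifacts described in the sections above, added here as an example and not part of the original post. It assumes an elevated PowerShell session on the host being triaged; the paths and value names are the ones the post lists.

```powershell
# Added example (not from the original post): looks for the WannaCrypt artifacts
# described above. Read-only; run in an elevated PowerShell on the suspect host.

function Get-WannaCryptIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The worm service created by the dropper.
    $svc = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Service mssecsvc2.0 present (status: $($svc.Status))") }

    # 2. Any (randomly named) service whose ImagePath launches tasksche.exe.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'tasksche\.exe' } |
        ForEach-Object { $findings.Add("Service $($_.Name) runs $($_.PathName)") }

    # 3. Registry keys and values written by the ransomware component.
    if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
        $wd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
        $findings.Add("Registry key HKLM\SOFTWARE\WanaCrypt0r present (wd = $wd)")
    }
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'tasksche\.exe' } |
            ForEach-Object { $findings.Add("Run value '$($_.Name)' = $($_.Value)") }
    }
    $wall = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    if ($wall -and $wall -match '@WanaDecryptor@\.bmp$') { $findings.Add("Wallpaper set to $wall") }

    # 4. Dropped executables in the locations the post lists.
    $paths = @("$env:SystemRoot\mssecsvc.exe", "$env:SystemRoot\tasksche.exe", "$env:SystemRoot\qeriuwjhrf") +
        @(Get-ChildItem -Path "$env:SystemDrive\intel", $env:ProgramData -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'tasksche.exe' })
    foreach ($p in $paths) {
        if ($p -and (Test-Path -LiteralPath $p)) { $findings.Add("File present: $p") }
    }

    # 5. Encrypted files and ransom notes under the user profiles (first hits only).
    $enc = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Force -ErrorAction SilentlyContinue `
        -Include '*.WNCRY', '@Please_Read_Me@.txt' | Select-Object -First 5
    foreach ($f in $enc) { $findings.Add("Encryption artifact: $($f.FullName)") }

    return $findings
}

$result = @(Get-WannaCryptIndicators)
if ($result.Count -eq 0) { 'No WannaCrypt indicators found on this host.' } else { $result }
```

A hit on the service or the WanaCrypt0r key is reason to isolate the host from the network before the worm component reaches further SMB targets.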

It then searches the whole computer for any file with any of the following file name extensions: .123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.

WannaCrypt encrypts all files it finds and renames them by appending .WNCRY to the file name. For example, if a file is named picture.jpg, the ransomware encrypts and renames the file to picture.jpg.WNCRY.

This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies by running the following command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

It then replaces the desktop background image with the following message:

[Image: WannaCrypt ransom note wallpaper]

It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:

[Image: WannaCrypt ransom note executable]

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

[Image: WannaCrypt decryptor window]

Spreading capability

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in a large volume of SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.

[Image: SMB exploit traffic from an infected host]

The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for the first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routine discovers unpatched computers.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
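Two detections a SecOps team can run over telemetry for the behaviour described in this section and the shadow-copy deletion command above, added here as an example and not part of the original post: the first flags hosts opening TCP 445 to many distinct destinations (including Internet addresses), the second matches process command lines against the five recovery-inhibiting steps the post lists. Both inputs are constructed samples in a generic CSV / command-line shape; substitute your firewall or NetFlow export and your process-creation (Security 4688 or Sysmon) command lines.

```powershell
# Added example (not from the original post). Sample data below is constructed.

# --- 1. SMB fan-out: one source opening TCP 445 to many distinct destinations ---
$FlowSample = @'
ts,src,dst,dport,proto
2017-05-12T10:00:01Z,10.1.2.30,10.1.2.31,445,tcp
2017-05-12T10:00:01Z,10.1.2.30,10.1.2.32,445,tcp
2017-05-12T10:00:02Z,10.1.2.30,203.0.113.17,445,tcp
2017-05-12T10:00:02Z,10.1.2.30,198.51.100.9,445,tcp
2017-05-12T10:00:02Z,10.1.2.30,192.0.2.77,445,tcp
2017-05-12T10:00:03Z,10.1.2.30,203.0.113.99,445,tcp
2017-05-12T10:00:03Z,10.1.2.40,10.1.2.10,445,tcp
2017-05-12T10:00:04Z,10.1.2.40,10.1.2.10,80,tcp
'@

function Test-PrivateIPv4([string]$Address) {
    # RFC 1918 ranges; anything else is treated as Internet scanning.
    ($Address -match '^10\.') -or ($Address -match '^192\.168\.') -or ($Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Find-SmbScanners {
    param([string]$Csv, [int]$MinDistinctTargets = 5)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.dport -eq '445' -and $_.proto -eq 'tcp' } |
        Group-Object -Property src |
        ForEach-Object {
            $targets  = @($_.Group.dst | Sort-Object -Unique)
            $external = @($targets | Where-Object { -not (Test-PrivateIPv4 $_) })
            [pscustomobject]@{
                Source          = $_.Name
                DistinctTargets = $targets.Count
                ExternalTargets = $external.Count
                # Many distinct targets, or any 445 to the Internet, is worth an alert.
                Suspicious      = ($targets.Count -ge $MinDistinctTargets) -or ($external.Count -gt 0)
            }
        } | Where-Object Suspicious
}

# --- 2. The post-encryption recovery-inhibition chain run through cmd.exe ---
$RecoveryTamperPatterns = @{
    'vssadmin delete shadows'  = 'vssadmin(\.exe)?\s+delete\s+shadows'
    'wmic shadowcopy delete'   = 'wmic(\.exe)?\s+shadowcopy\s+delete'
    'bcdedit bootstatuspolicy' = 'bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures'
    'bcdedit recoveryenabled'  = 'bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no'
    'wbadmin delete catalog'   = 'wbadmin(\.exe)?\s+delete\s+catalog'
}

function Test-RecoveryTampering([string]$CommandLine) {
    # Any single step deserves an alert; all five together is the WannaCrypt signature.
    $hits = @($RecoveryTamperPatterns.GetEnumerator() |
        Where-Object { $CommandLine -match $_.Value } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{ Steps = $hits.Count; Matched = $hits; CommandLine = $CommandLine }
}

$CommandLineSample = @(
    'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    'vssadmin list shadows',
    'bcdedit /set {default} recoveryenabled no'
)

# Expected on the sample: 10.1.2.30 flagged (6 targets, 4 external); the first
# command line matches all 5 steps, the third matches 1, the second none.
Find-SmbScanners -Csv $FlowSample | Format-Table -AutoSize
$CommandLineSample | ForEach-Object { Test-RecoveryTampering $_ } |
    Where-Object Steps -gt 0 | Format-Table Steps, Matched, CommandLine -AutoSize
```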


Protection against the WannaCrypt attack

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.
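A local check that the MS17-010 update is actually present, which is also what the comment below asking for a command line (wmic qfe get hotfixid) is after, plus the state of the SMBv1 workaround. This is an added example, not part of the original post; the KB list contains only the numbers that appear on this page and must be completed from the MS17-010 bulletin for the operating systems you run.

```powershell
# Added example (not from the original post). The KB numbers below are the ones
# mentioned on this page; complete the list from the MS17-010 bulletin.

$Ms17010Kbs = @(
    'KB4012598',                              # out-of-band package linked in the post (XP, 2003, 8)
    'KB4013198', 'KB4012606', 'KB4013429',    # Windows 10 cumulative updates named in the comments
    'KB4018466'                               # superseding update named in the comments
)

function Test-Ms17010Installed {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    # Get-HotFix is the PowerShell equivalent of "wmic qfe get hotfixid".
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $present   = @($KnownKbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [System.Environment]::OSVersion.Version.ToString()
        MatchedKbs   = $present
        Patched      = ($present.Count -gt 0)
    }
}

function Get-Smb1State {
    # The registry value is honoured on every affected version; the SMB cmdlets only
    # exist on Windows 8 / Server 2012 and later, so fall back gracefully.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $regValue = if ($null -ne $params.SMB1) { $params.SMB1 } else { 'not set (SMB1 enabled by default)' }
    $cfgValue = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else { 'n/a' }
    # Is anything listening on TCP 445 at all? (Get-NetTCPConnection: Windows 8 / 2012 and later.)
    $listening = if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue).Count -gt 0
    } else { 'n/a' }
    [pscustomobject]@{ SMB1RegistryValue = $regValue; EnableSMB1Protocol = $cfgValue; ListeningOn445 = $listening }
}

$patch = Test-Ms17010Installed
$smb   = Get-Smb1State
$patch | Format-List
$smb   | Format-List
if (-not $patch.Patched -and $smb.SMB1RegistryValue -ne 0 -and $smb.EnableSMB1Protocol -ne $false) {
    Write-Warning 'No known MS17-010 package found and SMBv1 is not disabled: exposed to the SMB spreading vector.'
}
```

"Patched = False" only means none of the listed KBs was found; a host patched through a later cumulative update needs that update's KB added to the list before the result is trusted.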

Resources

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Customer guidance for WannaCrypt attacks: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Indicators of compromise

SHA1 of samples analyzed:

  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Files created:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • taskdl.exe
  • Taskse.exe
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension

Registry keys created:

  • HKLM\SOFTWARE\WanaCrypt0r\wd

Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya (@tanmayg)
Microsoft Malware Protection Center (@msftmmpc)

Comments (106)

  1. Bob B. says:

    Thanks for this very informative write-up. A couple of questions that I have:
    1. The computers I manage are set up so that the users always operate as a standard user. They do not have the ability to elevate to administrator. For this specific malware, would operating as a standard user prevent either the encryption part or the worm part from functioning?

    2. I also have all web traffic directed through a web proxy. Would a web proxy prevent this malware from functioning? The write-up only mentions one URL that is contacted, and that one, if successfully reached, PREVENTS the encryption from taking place. That seems like an unusual arrangement. Other ransomware contacts a host to download a unique encryption key, and if unsuccessful, cannot encrypt the user’s files. So if the malware is not able to find and use the web proxy, this would mitigate the effects. Does a web proxy mitigate the effects of WannaCrypt?

    1. msft-mmpc says:

      Hi, Bob.
      1. No, it would not. Due to the nature of the vulnerability being exploited, the worm mechanism will work even if the user is not signed in. The best solution is to patch.
      2. The malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.

      1. Mike Gardner says:

        The URL contacted by the worm is a sinkhole, which is a kill-switch, not a source of further input to the malware. https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

  2. Robert Carleton says:

    I’ve tried many ways to get an answer to the question: “Has my p.c. downloaded the protection against “Wanna Decrypt0r 2.0”?” and I get nothing in return except extended technical discussions that are way beyond anything I can even imagine. Why not provide a simple answer in a really easy-to-locate place?

    1. P. S. says:

      Hi Robert, this technical post is mostly directed at system administrators. The easy advice is to make sure your system is as up-to-date as possible and to install security patches when they become available.
      A hopefully easier article can be found on https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.00017eeq5n109mcufsatfm76hcu3l and also the article on https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ is easier than this one.

  3. Tim Miller Dyck says:

    Can you address attack effectiveness against Windows Server 2008 R2? This statement in the blog post is ambiguous if it refers to Windows Server 2008 R1 only. “The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.”

    1. msft-mmpc says:

      Hi, Tim. You can refer to Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) for the list of affected software.

      1. Nik says:

        To be honest, the reference to MS17-010 is confusing at best in my opinion. It lists all MS OSes up to Windows Server 2016 as critically vulnerable to CVE-2017-0145, but the vulnerability itself as not exploited. Would you please clarify/correct this (including an explanation for what’s the difference between 2008/7 and 2012/8/10 with regard to CVE-2017-0145) and also answer Tim’s question whether Server 2008 R2 is affected or not. Thanks!

        1. Liv says:

          I agree – 2008 is not the same as 2008 R2 and I’m still unclear if 2008 R2 can be exploited by WannaCrypt. To be clear, I completely understand that ALL versions of Windows have the vulnerability but there’s no point panicking if the ransomware (which is the cause of concern here) doesn’t work on newer versions. It’s not like this is the first time there’s been a critical vulnerability.

  4. mahelsay says:

    Thanks for this good article. Bottom line is patch mgmt is critical to any organization!
    Thanks also for the steps mentioned.

  5. May I view the Windows7 patches that have downloaded and installed in my Dell desktop PC?

    1. Pls go to Control Panel > Programs and Features > View Installed Updates

  6. Thank you for providing IOCs–especially hashes.

  7. Stefan Kanthak says:

    As always, you forgot Software Restriction Policies, available in ALL editions of Windows for 15+ years.
    Use SRP alias SAFER to deny execution of every file unprivileged users can write/create, allow execution only for files installed by an administrator into the safe directories %SystemRoot% and %ProgramFiles%.
    See https://skanthak.homepage.t-online.de/SAFER.html
    BUT: beware of the loopholes!
    See https://skanthak.homepage.t-online.de/appcert.html

  8. Carlos C. says:

    Patches for Windows 7 don’t appear in the Windows Update Catalog.

  9. Michael Koziewicz says:

    I just read an AP article that said: “Microsoft took the unusual step late Friday of making free patches available for older Windows systems, such as Windows XP from 2001. Before, Microsoft had made such fixes available only to mostly…” I have a couple of old XP systems in use. If the article is true, how can I download the patch? Please advise.

    1. here is the microsoft update catalog link to download patch for XP
      http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

      1. Mahesh says:

        I’m using win 10 version 1607 14393.1198, can you please help me with the patch which I should install to save my laptop

      2. Dangi says:

        I have 1 PC that refuses to install MS17-010:
        Win 10 version 1607 14393.1198, HP with AMD A10 processor x64.
        After downloading 3 MS17-010 KBs that should fit this machine, none of them installs; I got the same message that the patch is not for this version. (“KB4013198”, “KB4012606”, “KB4013429”).

        Running PowerShell Get-HotFix shows that the KBs are NOT present.

        As a preventive measure:
        I disabled the SMB v1 protocol as per KB: HKLM\system\…..\lanmanserver\parameters, create DW SMB1: value = 0
        and blocked inbound port 445 in the local PC firewall.

  10. Khaled says:

    that is very helpful but can you guarantee that windows 10 enterprise can’t be affected

    1. Jiri says:

      Hi Khaled! For Win10 it can (hopefully) be guaranteed that ONLY THIS VERSION of WannaCry discussed here does not attack Win10 – perhaps by this malware’s design.
      You cannot rely on any new version not trying to affect Win10 also…

  11. blank says:

    To protect yourself, upgrade to Windows 10. This is stupid advice. Tell people to keep their Windows and Antiviruses up to date. Windows 10 sucks and if I could work with it, I would.

    1. blank2 says:

      You don’t seem to know what you’re talking about.

    2. ERR says:

      And where is my Betamax while we are at it?

  12. Alexander Thomas says:

    Important message to All Computer Systems Administrators

  13. Raffaele Rialdi says:

    Would you jump from a flying airplane just because someone tells you the parachute is on your back?
    Or would you rather want to see with your own eyes that you really wore it and it is set up correctly?

    During an emergency, just running Windows Update on all the machines is not something that I am interested in.
    From this kind of article I would expect a command line to have the *proof* the patch is there!
    Hint: the command line is: wmic qfe get hotfixid
    Which one should everyone verify?
    According to the bulletin there is a different KB for each OS version; this is not good.

  14. noneofyourbiz says:

    I WannaCry… MS massive fail… People HEALTH has been at stake because of YOUR greedy and irresponsible attitude towards legacy systems.

    What’s more, you KNEW it beforehand as you offered (after a great resistance) to give PAID support to some of the massive organizations that depend on XP… And now you want us to believe you are SOOOOO concerned about our well-being that you FINALLY deploy a patch for something you KNEW about in March?!?!?!?????! What’s more, you prove that when you decide to do it it takes just ONE f$%%?&*ing day to do it, why SO LATE?

    WOW! Thumbs up, greedy bastards, I can’t wait for a world where you simply disappear from the surface of this planet, you are an insult to humanity. Making billions of dollars of profit while evading taxes AND putting the health of human beings in danger is simply bad, you know, as in good vs bad as any child on this planet would understand it…

    1. Ruaim says:

      The patch was released back in March. Unfortunately the patch was not deployed in many organizations

      Please can you be constructive in your comments next time? Your comment was totally pointless.

    2. Martin S. says:

      @noneofyourbiz — Thank you very much for your valuable comment. What’s wrong? Did someone rattle your cage?

    3. AF says:

      WOW, noneofyourbiz, you greedy bastard for using a system that is 14 years old… FFS upgrade… FMFS Microsoft offered Windows 10 to every Windows XP\7 user for free for over a year and yet you failed to upgrade!

      1. Brad Lee says:

        Just a quick thing to say real quick. XP didn’t technically get a free upgrade to Windows 10.

        Then again, the fact that @noneofyourbiz still uses XP means he’s not getting patches. And Microsoft had notified people about this. He refused to upgrade his system at the time of XP’s end of life, when it was 13 years old. It’s been literal years since then so he doesn’t have an excuse to complain. The mere fact that Microsoft released an update for XP is pretty shocking because it’s such an old OS. It would be like patching a vulnerability in Windows 2000 in the year 2016, or patching a vulnerability in Windows 98 in 2014!
        If he’s not using XP and talking about people using legacy systems, that’s also absurd as 3 years is enough time to upgrade computers to at the very least, Windows 7.

        1. TheUglyTruth says:

          noneofyourbiz didn’t write that he uses XP. He only wrote that Microsoft is risking human life to be able to sell more Windows 10 licenses. And this is true!
          Yeah, you could download Win10 for free when it was new and full of bugs, but this is not an option for a company, especially if you have special software which is not running on Win10, because MS is not able to create a fully backward compatible OS. (No, XP mode is not really an option).
          Instead of creating a new start menu with each version of Windows, it would be more interesting to create a fast, secure, fully backward compatible OS, even if the GUI looks like WinXP, Win98 or whatever! We don’t need new designs, we need a better operating system (than Win8, 8.1 and 10).
          There is a reason why a lot of people (and companies too) are sticking to older Windows versions!

        2. Alan Schuh says:

          My 85 year old Mother uses Windows XP. She likes XP, understands XP, and sees no reason to buy another operating system, new hardware, new applications, and then try to learn all of them. She does not trust Microsoft.

          She is behind a very active firewall, and has learned best practices for internet use.

          1. Stefan Kanthak says:

            She doesn’t trust the maker of Windows XP, but uses this OS?
            Cognitive dissonance!

      2. milton f. says:

        windows 10 sucks big time

  15. Download Game Android Apk says:

    Can this stuff attack Windows 10?

  16. Jagan Jami says:

    Can you suggest steps if already attacked by wannacry ransomware?

  17. Still Fightingalosingbattle says:

    Press reports claim that many users do not update often enough or correctly, yet my 64-bit Windows 7 will NOT update correctly. It does not download or even run Update as it should. Your Update package does not work and I cannot get the various Update remediation fixes to install or work.

    1. msft-mmpc says:

      You can refer to our dedicated Support for Windows 7: https://technet.microsoft.com/en-us/windows/bb187457.aspx

  18. XP Mode User says:

    Like others, I can’t tell whether I’m protected. I have a patched Win 7 system, but running XP Mode in a virtual PC. All my email comes through Outlook Express running under XP Mode.

    Am I protected using XP Mode with just a patched Win 7 system?

    1. msft-mmpc says:

      Make sure your virtual PC has all the required patches applied. Refer to the relevant KBs listed: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

  19. Matthew Maa says:

    Technically accurate, yet practically useless. When I get sick, I need a cure. When I am deadly sick, I need a cure fast. When someone tells me all the information about how I got infected by the virus and how it breaks down different parts of my body down to the cellular level while I am dying, I would like to strangle the messenger.

    1. Matt S says:

      I think you misunderstand the purpose of this particular blog post then.

  20. Ricko says:

    Wow, thanks for your time to create this post; this virus is booming in my country and national television talks about it too.

    And in my neighbourhood people talk about it; a lot of people look scared, even the old ladies who usually trash talk about celebrity gossip. lol.

    But I don’t know why, I’m cool. I haven’t dealt with a virus since maybe 2004 (at that time the internet was very expensive and I couldn’t afford it, so my antivirus was rarely updated). Now, all of my software is original, I don’t use pirated software, I’m using a paid premium antivirus, Windows Firewall is active. I never open “bad” websites; I even only open websites using SSL.

    Windows 10 auto update, antivirus auto update, so I only need to drink my coffee, work, and forget about that ransomware.

    1. Alexander says:

      Yes, but sometimes users in large environments receive an email from “known” address with malicious code, and then you can imagine hell for the administrators.

  21. Arpan Thakrar says:

    Thanks for this good article. But it’s not true Windows 10 PCs are not affected by this attack. I found Windows 10 is also affected by this attack. Actually it’s more affected than Windows 7 & 8.

    1. Dasoman says:

      It says Windows 10 is not affected by the SMB exploit. It doesn’t say Windows 10 systems can’t be infected by running an infected e-mail attachment.

  22. Dickson Yau says:

    Look at the MS official article “Customer Guidance for WannaCrypt attacks”: it only mentions MS making patches for the supported Windows systems and, selectively, for the unsupported Windows XP, Windows 8, and Windows Server 2003 only. They may not know that some utilities around the globe are still using Win NT or Win 2K. We don’t expect MS to provide a patch for those, but at least they have the responsibility to examine and tell the user whether their unsupported system will be affected or not.
    As some customers may believe the old systems are not affected because they haven’t been mentioned on the MS official site, but is it the truth?

  23. Mike K. says:

    > Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update.

    … alas as of 15th May, WSUS is still offering definitions 1.243.242.0 to machines using KB915517 (think that’s Defender for W7?)
    … but Defender also has its own, separate download/update mechanism, so hopefully that one is more up-to-date

  24. Andy S says:

    Is there a reason why you don’t offer the patch for Windows XP SP2 x86?

      1. milton f. says:

        no, there is no patch for xp-x32 sp2 on your link

      2. Deirdre G says:

        I have Microsoft Home build 1703 x64… do I need to install this MS17-010 on my PC… even though Windows Update says it is up to date?

    1. Mike K. says:

      There is no patch for XP SP2 x86 because SP3 was released years ago plus many hotfixes on top which have dependency on SP3. There is no good reason to not have SP3.

      By contrast, XP x64 had no SP3, so Sp2 is the latest.

      1. milton f. says:

        Yes, there is a good reason for not having SP3: it crashes my computer every time I try to install it.

  25. microinformatica says:

    The Spanish localized security update links for “Windows XP SP3 x86” and “Windows XP Embedded SP3 x86” download the same file (WindowsXP-KB4012598-x86-Embedded-Custom-ESN.exe).
    When executed in “Windows XP SP3 x86”, it claims “La versión de Windows instalada no coincide con la actualización que intenta instalar” (= “The installed Windows version doesn’t match the update you’re trying to install”).
    So we can’t patch our system.

    1. Jesper says:

      @microinformatica – Exactly the same thing is wrong with the Danish version of XP SP3 x86. – It looks like MS is directing both links to the “embedded version”. I guess things have been happening fast at MS lately. – Try the download again in a couple of days to see if they’ve fixed it.

  26. Vince says:

    Is there a way to get some clarity on the Windows 10 “not vulnerable” statements?

    Is Windows 10 not vulnerable from RTM onwards (e.g. was it never vulnerable?), or is it not vulnerable by default (is a component required for this vulnerability to work missing/not installed out of the box, or is it not vulnerable because of some other technology or change)?

    Also, by “not vulnerable” I assume you’re referring specifically to the ability to replicate using the SMBv1 exploits – but I assume, and as far as I can see, it is vulnerable to local encryption (e.g. it can execute on a system and encrypt files on that PC, and/or shares it connects to via mapped drives etc.), even if a Windows 10 machine cannot be exploited remotely via the SMBv1 attacks.

    Could you please clarify the specific scope and reason so people can fully understand the statement as it relates to Windows?

  27. amin says:

    i am sure for Microsoft…just love LINUX

  28. amin says:

    L I N U X

  29. MegaMoon says:

    Is an unpatched Windows 10 or Windows 10 LTSB still vulnerable? Windows 10 LTSB is meant for those situations where patches are not applied that often.

    1. Mike K. says:

      People seem to be confused about this because they are not being clear about “vulnerable to WHAT, exactly”.

      Windows 10 appears not to be vulnerable to the spread of the worm via SMB1 shares.

      Windows 10 IS vulnerable to an idiot who clicks on a random attachment, as are all systems.

      An unpatched 10 is vulnerable to many other attacks, if not this particular worm. Whether LTSB or not.

      LTSB is NOT aimed at “situations where patches are not applied that often.” It is aimed at situations where a stable feature set is more important than getting new features. LTSB should still be patched as promptly as your testing cycle allows.

  30. Jamie says:

    Is Windows RT affected by the attack?

  31. Sreeraj Nair says:

    For Windows 2008 servers, are we protected if we have KB4012598 installed, or do we need to install the new superseding patch KB4018466 in order to be completely protected? I understand installing the superseding patch would be recommended any day, but my question is: are we protected if we have KB4012598 on our servers and do not have KB4018466 yet?

    1. Derek D. says:

      Great question. MS could you please provide us with a response?

    2. Sreeraj Nair says:

      msft-mmpc, we need your attention on this question, please.

  32. gabriele says:

    Hi,
    I had the same trouble with the Italian version.
    I found another link and it linked automatically to the Italian version (WORKING). Maybe it checks automatically for your language.

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    1. microinformatica says:

      It worked for us. Thank you.

      Italy is great!

  33. awesomizer1 says:

    I did not receive the Windows 10 Creators Update, but I am running the latest definitions of Windows Defender.
    Any idea when the W10 Creators Update will be rolled out completely?

  34. rob says:

    Interesting that Microsoft is blaming people for not installing their Windows security & recommended patches immediately. A major problem is that some of Microsoft’s security updates are corrupt and have caused many computers to crash. I know some IT people who won’t install Windows security patches for at least two to three weeks after Microsoft’s release. It seems that we not only need an antivirus program and malware/ransomware programs on our computers, we need an anti-Microsoft program to check and detect corrupt security updates before they are installed on our computers!
    I am trying to locate the KB numbers of the security patch released in March so I can check my computers. I am running Windows 8.1 Pro 64-bit.

    1. Bobby Q says:

      If people had installed the patch after waiting 2-3 weeks after its release, they would have been patched for the past 2 months and probably would not have to worry as much about getting infected.

  35. Pr says:

    Looks like the following conditions need to be met for this vulnerability to succeed:

    SMB Status
    Authentication: disabled
    SMB Version: 1
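The two conditions the thread keeps circling back to (is SMBv1 still enabled, and is an MS17-010 update present) can be checked read-only from an elevated PowerShell prompt. This is an added example, not code from the blog post or from Microsoft; the KB list is taken from the comments above and covers only the Windows 7 x64 and 2008/XP updates named there, so extend it from the MS17-010 bulletin for other platforms.

```powershell
# Added example: read-only check for SMBv1 exposure and MS17-010 presence.
# Assumes Windows 7 / 2008 R2 or later and an elevated prompt.

# KB numbers named in the thread above; other OS versions use other KBs.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4019264', 'KB4012598', 'KB4018466')

function Test-Smb1Enabled {
    # Windows 8 / 2012 and later expose the server setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMBv1 is on unless the LanmanServer SMB1 value is 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Get-InstalledMs17010Kb {
    # Get-HotFix lists installed updates; return the first listed KB found, else $null.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

$smb1 = Test-Smb1Enabled
$kb   = Get-InstalledMs17010Kb
Write-Host ("SMBv1 enabled : {0}" -f $smb1)
Write-Host ("MS17-010 KB   : {0}" -f $(if ($kb) { $kb } else { 'none of the listed KBs found' }))
if ($smb1 -and -not $kb) {
    Write-Warning 'SMBv1 enabled and no listed MS17-010 update found: install the update, and disable SMBv1 if nothing depends on it.'
}
```

A listed KB being absent is not proof the host is unpatched, since later cumulative rollups not in the list may carry the fix; treat the script as a first pass, not a verdict.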

  36. Johnny says:

    After which stage of the virus exactly is the patch no longer effective? Obviously when files are already encrypted, but also some steps before?

    1. Mike K. says:

      The patch IS effective and, once installed, remains effective at preventing the spread of the worm via SMB1 shares.

      However this does not address the question of how a computer on your network became infected in the first place. Most observers are assuming some sort of phishing attack. The patch is NOT effective against this and is not meant to be.

      My reading suggests that encryption of local files and network shares starts immediately after initial infection, with scanning for other vulnerable network hosts proceeding in parallel. One infected host could be enough to trash all your shares, regardless of whether hosts are patched.

      You also should have up-to-date and working anti-virus, perimeter defences, user education and backups! As always.

      And more backups! Off-site ones.

  37. Enrique says:

    “MS17-010” for Windows 7 x64 contains 2 updates, “4012212” and “4012215”. Which one fixes the security problems in SMB?

    1. Mike K. says:

      Both; but 2 months on, you might be better advised to apply the May 2017 Security Monthly Quality Rollup rather than the March one.

    2. Marc says:

      This article suggests there is a patch:
      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
      I’m running Vista on an older laptop for specific reasons – but I tried installing Security Essentials and it said the OS was not supported, protection is no longer working, and I couldn’t update it. So I tried updating Defender – that won’t update either. So now I’ve tried the stand-alone installer to get the March 2017 KB patch on as referenced in this article – but that has been running for an hour! So not only have we got buggy software, but the usual Windows Update blues now won’t update!

  38. Enrique says:

    “MS17-010” for Windows 7 x64 contains the “4012215” Monthly Rollup,
    replaced with KB4015549,
    which was replaced with KB4019264,
    which has been replaced with KB4019264, and this last one is now in Windows Update in the Windows Control Panel.
    Does installing the last Monthly Rollup KB4019264 solve the problem?

    “MS17-010” for Windows 7 x64 contains the 4012212 Security Only update, which has a much smaller download size and is better for download.
    Does this smaller update (4012212) solve the SMB security problem?

  39. les says:

    I have one computer running XP SP2 x86 to run legacy programs. It never upgraded to SP3 because it was offline when XP was supported. It is now online, but I can’t get SP3 from a trusted source. Is it vulnerable? If so, how can I get SP3 so I can run the patch?

  40. Chris F. says:

    Will the security roll-ups subsequent to the March roll-up provide protection from the WannaCrypt exploit? If I missed the March updates, will the April updates provide the necessary protection from this exploit, or should I apply the specific standalone update to my servers, and does this compromise any subsequent patches already installed?

    Thanks in advance

  41. MA AK says:

    Thanks for the guide…. But I am still wondering whether the WannaCrypt virus can infect the old version and the cracked versions of Windows 10? Any answers are appreciated…. Thanks once again…. 🙂

  42. dave says:

    Short question: does the SMB exploit involve transferring the dropper from one computer to the other, or was it just used to execute commands that downloaded the ransomware from the web?

  43. Mike P. says:

    Thanks for the article.
    2 questions:
    1. Do files on connected file shares also get encrypted, or just those on local disks?
    2. Are the files encrypted and written back under their original name before being renamed, or does the encryption process take the original file as input, output an encrypted file with a new extension, and then delete the original file? It is important as far as blocking the creation of the encrypted file.

  44. milton f. says:

    I am trying to download the fix for WannaCrypt. My system is running XP 32-bit SP2. My system would never upgrade to SP3: it would crash my computer. Do I have any hope of getting the patch?

  45. For all the warnings that Microsoft released several years ago to end users of Windows XP, when they decided to quit supporting Windows XP and older operating systems, I now find it funny that they are releasing security updates for it two and a half years after they declared Windows XP end of life. This just goes to show that Microsoft could have still very much supported Windows XP and older operating systems, but chose not to and went after the money instead by forcing everyone to upgrade to Windows 8 at the time, which many older PCs couldn’t run, including several of my old boxes. I do have one box that does run Windows 10, but I have to do so through the Windows Insider Program since I can’t afford a $119 user license.

  46. Robert says:

    Does the KB4019264 May rollup contain the updates needed for this from the March rollup (KB4012215)? I am trying to use WSUS to push 4012212 and 4012215 and it will not install because it says it’s not applicable. But if I install manually on the same computer, it will install. So does KB4019264 contain all the updates from the previous security rollups?

  47. Kevin B. says:

    So, do the referenced patches for Server 2003 x86/x64 not work on versions of Server 2003 R2? We’ve had the installs fail, as the files specifically reference either the x86/x64 versions of Windows Server 2003 or Windows Server 2003, Datacenter Edition from the Microsoft Update Catalog site.

    Thoughts?

  48. Carlos Rangel says:

    Great Article. It provides valuable information for systems administrators. Thank you for the time to produce it.

  49. Andrew says:

    Why don’t you make Windows 7 Defender detect this virus? Only Windows 10 Defender can detect it.

  50. Not A Shill says:

    For those who came in late, the discussion here reduces to:

    1. Useful links to elsewhere, where useful links exist

    2. If not, a conversation like this:
    “Please help – I am running out-of-date software.”
    “If you had patched, you wouldn’t have this problem. You are morally deficient.”
    “I had good reasons for not patching. Please help.”
    “Nope. We don’t help the morally deficient.”
    “But moral deficiency is exactly why I don’t run Windows 10.”

  51. Bill Martin says:

    Excellent reference…thx

  52. Corey Hudson says:

    This article fails to mention the timeline between when the infection takes place and when the message is displayed. Is it minutes, hours, days? If it is minutes or hours, a person could recover from a backup. If it is days, it could inflict far more damage, where a backup would lose its influence in a recovery.

  53. Bobby says:

    Can WannaCrypt attack a user if he does not have administrator privileges?

  54. Alex says:

    Hello,

    Thanks for all this info.
    I have RF devices working on Windows CE; is this mobile OS also impacted or not?
    Can you confirm that those devices are not infected because CE does not use the SMB protocol?
    Thanks for your help.

    1. joe says:

      All I can share is my experience. We have many of the wireless Windows CE handhelds and I scanned a few of them as a sample with Nessus and they were not vulnerable.

  55. Ed says:

    From what I read elsewhere, it stops Exchange, MS SQL, MySQL and Oracle databases.

  56. mooba says:

    Can WannaCrypt attack a user if he does not have administrator privileges?

  57. Zach D says:

    Great technical deep dive and write up of this ransomware variant. I love the analysis work done here. Also, thank you to the Microsoft developers for creating and releasing an MS17-010 patch for the much older and unsupported operating systems such as Windows XP and Server 2003. I see so many of these systems running, even though they are well past their end of life. Again, keep up the great work!

  58. vivek kumar says:

    Thanks for this blog, sir. But as I analysed the sample of the WannaCry ransomware, it will leave some txt and jpg files in the PC, and those files will show in the Decrypt.exe GUI format.

  59. Ioannis Vassilio Xylaras says:

    Hello guys, I would like to know why I can’t find the security update for the WannaCrypt attack for Windows Server 2003 R2. I have some customers with this OS version here in Brazil. They have an old app and can’t update the OS version. Is there some security package for this kind of OS? I appreciate any info. Thank you. Best regards, Ioannis V. Xylaras

  60. Ricardo says:

    I have 6 servers, 4 with win2008 server R2 and 2 with win2003. I updated the 4 win2008 servers successfully, but on the other 2 with win2003 I downloaded the patch, then installed it, then restarted the server, and now I can’t log on to the server: I get the form to enter user and password, but it always says it is incorrect. Do you have any idea about this situation? It is totally weird because it happens on both of my win2003 servers.

  61. daisy says:

    A French translation would be great!

  62. Ricardo Carvalho says:

    Help Win10 version 1703 (“Creators”)… Need updates?
