The Burst of the Worm Ransomware WNCRY
1 Abstract

Since May 12, 2017, worm-type malicious code targeting Windows has been spreading globally. The attackers launched this cyber attack by reworking the ETERNALBLUE program from the leaked NSA arsenal of Windows hacking tools. Any computer that is powered on and connected to the Internet may be attacked. Through timely analysis, Huawei WeiRan Lab confirmed that this ransomware was of a new type and named it WNCRY. The ransomware has worm characteristics: it spreads by exploiting the SMB vulnerability CVE-2017-0144 through port 445. Although Microsoft released a patch against this vulnerability in March 2017, the patch received little attention, and many Windows computers did not have it installed, which left the door open for a large-scale outbreak. Users can follow the recommendations in this article to apply protective measures in a timely manner, repair system vulnerabilities and reduce losses.

2 Impact

The WNCRY ransomware can encrypt most types of files on a computer, including executable files. The extension of an encrypted file is changed to WNCRY, and the encrypted file header contains the string WANACRY. Once a file is encrypted, there is no free and effective means of recovery. Like other ransomware, WNCRY demands an expensive bitcoin payment for decryption; however, even after paying, there is no guarantee that the attackers will honor their promise to decrypt the files.

3 Protection advice

3.1 Universal protection scheme

1. Microsoft has released the relevant patch; install it as soon as possible. It is available at https://technet.microsoft.com/zh-cn/library/security/MS17-010. Users who cannot apply the patch in time should consider closing the ports described in the next item.
2. Close ports 445, 135, 137, 138 and 139 to disable network sharing and reduce the possibility of attack.
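As an added example (not code from the Huawei article), the following Python triage script checks a directory tree for the two indicators given in section 2: a file extension of WNCRY and a file header containing WANACRY. The 16-byte inspection depth and the sample files the demo builds are constructed for the demonstration and are not real artifacts.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the advisory: encrypted files are renamed to .WNCRY
# and the encrypted file header contains the string WANACRY.
WNCRY_EXTENSION = ".wncry"
WNCRY_HEADER_MARKER = b"WANACRY"
HEADER_BYTES = 16  # how much of each file to inspect (an assumption)

def classify_file(path):
    """Return the indicators found for one file ([] means no indicator)."""
    found = []
    if path.suffix.lower() == WNCRY_EXTENSION:
        found.append("extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEADER_BYTES)
    except OSError:
        # Locked or unreadable files are reported, not silently skipped.
        found.append("unreadable")
        return found
    if WNCRY_HEADER_MARKER in head:
        found.append("header")
    return found

def scan_for_wncry(root):
    """Walk root; return {relative_posix_path: [indicators]} for hits only."""
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            indicators = classify_file(p)
            if indicators:
                hits[p.relative_to(root).as_posix()] = indicators
    return hits

def demo():
    """Scan a constructed sample tree (not real artifacts) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # Constructed samples: renamed+marker, clean, marker-only, renamed-only
        (root / "docs" / "report.docx.WNCRY").write_bytes(b"WANACRY!" + b"\x00" * 24)
        (root / "docs" / "notes.txt").write_bytes(b"plain text, nothing to see")
        (root / "budget.xlsx").write_bytes(b"WANACRY" + b"\x01" * 8)
        (root / "empty.WNCRY").write_bytes(b"")
        return scan_for_wncry(root)
```

Reporting the extension and header indicators separately lets a responder tell files that were only renamed from files whose contents were actually overwritten.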
3.2 Huawei customer protection solution

3.2.1 Huawei NGFW users: update the IPS signature database

When initiating or spreading the attack, the virus exploits multiple Windows SMB remote code execution vulnerabilities (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148). The IPS signature database has contained signatures that detect the exploitation of these vulnerabilities since April 16. The following table lists the mappings between signature IDs and vulnerabilities.

The following screenshot shows the record of some detected attacks. Huawei released the latest IPS signature database on its update website sec.huawei.com on April 16, 2017, and subsequent updates also contain these signatures.
3.2.2 Huawei FireHunter users: interwork with firewalls to defend against unknown threats

The Huawei FireHunter6000 sandbox is a high-performance APT detection system. Using virtual execution and multidimensional threat analysis technologies, the FireHunter6000 effectively detects attack samples and accurately identifies ransomware. As the following screenshots show, the FireHunter6000 accurately identifies the ransomware when it modifies the bait files in the virtual execution environment. The FireHunter6000 handles mainstream file types and combines reputation scanning with real-time behavior analysis to detect abnormal file behavior. Once attack samples have been identified, the sandbox can interwork with firewalls to block the attack at the network egress.

Appendix: Configuration guides

Scene 1

If the customer has an NGFW with an activated IPS license, make sure the NGFW has been updated to the latest IPS signature database (available from sec.huawei.com) before configuring this policy. The following steps show how to block the "eternal blue" attack.
1. Log in to the NGFW.
2. Set the intrusion prevention policy. In the Object menu, you can modify an existing IPS profile or create a new one.
3. This example adds blocked signatures to an existing IPS profile. Add the signatures with IDs 18822, 370090, 372080, 24550, 13830, 372300, 372280, 372110, 372130, 284600, 372130, 372290 and set each of them to the blocked state. The signatures must be added one by one.
4. Commit and save the profile configuration.

Scene 2

Customers who have no NGFW, or whose IPS license is not activated, can configure a packet filter policy that blocks access to port 445 to stop the "eternal blue" attack.
1. Log in to the firewall, navigate to the service settings page and add a new service.
2. Name the new service, add a protocol entry in the protocol list with the destination port set to 445, and click OK.
3. Create a new security policy under Policy -> Security Policy.
4. Reference the service created above and set the action to deny.
5. Move the new policy to the top of the list so that it has the highest priority.
6. Save the configuration.

Scene 3

Customers who already have both Huawei FireHunter and NGFW can make them work together to stop the transmission of samples:
1. Configure FireHunter.
2. Configure the NGFW.

Scene 4

Users can also block this attack by configuring the firewall on the Windows PC:
1. Open the firewall via Control Panel -> Firewall.
2. Open the advanced settings.
3. Add the block rules.
t****@huawei.com 2019-07-17 15:17:00 The content is very detailed; the step-by-step operation guide gave me a good understanding of this vulnerability. Thumbs up!
157****7036 2018-11-27 20:52:56 Very good