Hello, welcome to the Monday, Main 15th, 2017 edition of the Sansandet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from San Diego, California.

On Friday, the ransomware warm Wanna Cry or Wanakrip started to spread rapidly across some large organizations worldwide.

It is unclear if it originally was ceded to these organizations via email,

or if it just spread using the S&B version, One Eternal Plurul vulnerability.

But either way, it's rapid propagation inside corporate networks

can be attributed to the use of the Eternal Blue exploit.

This exploit was released mid-April by Shadowbroker,

who allegedly stole the exploit from the NSA.

Microsoft had originally released a patch for this vulnerability in March as MS-1710

for currently supported versions of Windows.

On Friday, however, Microsoft also released a patch for older versions of Windows going back to Windows XP and 2003 server.

We also saw a significant increase in Port 445 scanning around the time the ransomware started to spread, but it isn't really clear if this was the cause or the effect of the warm spreading.

Just like other ransomware, Wanna Cry will encrypt files and display a screen instructing users to pay a ransom via Bitcoin, encrypted files will use the extension WN

Cry, which led to the Malaver being named with Wanna Cry or Wanna Crypt.

In addition to encrypting files, the Malver then spreads to other systems using either the S&P version 1 vulnerability

or existing remote desktop connections. The malware also installs a double pulsar backdoor,

which was also included in this shadow broker release from April.

Ransom demands start at $300 and increase after a few days to $600.

It is not clear if ransom payments will result in obtaining a decryption key.

The process is somewhat manual and convoluted.

After paying the ransom, the victim has to contact the miscarience during limited business hours and to request a key.

The key is then handed to the victim once payment is confirmed.

...