WannaCry survives and its activity has grown, but a "vaccination" against it now looks alarming

Sophos has discovered tens of thousands of variants of the WannaCry ransomware, which caused a massive epidemic in 2017. WannaCry survives and its activity is growing: two years later, the ransomware attacks continue and the number of vulnerable computers remains stably high.

The infamous WannaCry ransomware that caused the global epidemic in May 2017 has not gone anywhere and is still attacking a huge number of machines around the world.

Moreover, according to Sophos experts, it is more active than ever.

In reality, this is not about the number of successful infections, but about millions of attempts. The problem is that WannaCry has a huge number of variations, and there are more and more of them. To date, there are already 12.5 thousand variants of the original code. About 98% of recent detections involve 2.7 thousand samples that lack the deactivation function which made it possible to stop the epidemic in the spring of 2017.

WannaCry survives and its activity is growing
Meanwhile, in August 2019 alone, Sophos defensive telemetry revealed 4.3 million WannaCry samples in 6963 variants. 5555 of them, which is 80%, were not previously detected. In other words, the active development of new variants of the ransomware continues.

“A few people actually paid the ransom even though there’s no point in doing so. The crooks behind the relevant Bitcoin addresses aren’t monitoring payments or providing decryption tools,” reports Sophos expert Peter Mackenzie.

Sophos experts, however, found that WannaCry has a feature that makes it possible to defend against it: some variants of the virus check the attacked system to see whether it has been infected by WannaCry before, and skip it if they find signs of infection.

Therefore, a computer can literally be “vaccinated” with a neutralized version of WannaCry: active malware will ignore it. However, it is not known how long such protection will last.

“If patches are not installed on time, it is not always a private problem of the owner of vulnerable systems. When it comes to vulnerabilities that can be exploited by worms such as WannaCry, each device that is not updated in time becomes a source of threat to others,” warn Sophos experts.

The key problem remains the abundance of computers on which the vulnerability used by WannaCry has not been fixed. It is worth recalling that the 2017 epidemic became possible because the ransomware used two exploits that had leaked shortly before the events. These exploits were developed, according to the most common version, by the US National Security Agency: EternalBlue and DoublePulsar. EternalBlue is used to gain access to the system, DoublePulsar to install and run a copy.


The EternalBlue exploit uses a weak spot in the implementation of the SMB protocol in versions of the Windows OS (Windows 7, Windows Server 2008 and earlier), vulnerability CVE-2017-0145, fixed by Microsoft two months before the WannaCry epidemic.
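The practical defence the article keeps returning to is patching and removing the SMBv1 attack surface that EternalBlue relies on. The script below is an added example, not code from the article or from Sophos: it audits whether SMBv1 is still enabled on a Windows host, reports the version of the srv.sys driver so it can be compared with Microsoft's MS17-010 guidance (patched versions are deliberately not hardcoded), and optionally disables SMBv1. It assumes the cmdlets Get-SmbServerConfiguration, Set-SmbServerConfiguration and Get-WindowsOptionalFeature, which exist on Windows 8 / Server 2012 and later; on the Windows 7 / Server 2008 generation the article names, only the registry path applies. The -Remediate switch name is chosen for this example.

```powershell
# Added example, not code from the article or from Sophos: audit whether
# SMBv1 (the protocol EternalBlue targets) is still enabled on this Windows
# host, and optionally turn it off. Run in an elevated PowerShell session.
# Assumptions: Get-/Set-SmbServerConfiguration and Get-WindowsOptionalFeature
# exist on Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2
# only the registry path below applies. The -Remediate switch name is chosen
# for this example.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Registry location Microsoft documents for legacy SMB1 server control.
$script:Smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    $featureState  = 'Unknown'  # Windows optional feature state (Windows 8+ / 10)
    $serverSetting = $null      # EnableSMB1Protocol from the SMB server configuration
    $registryValue = $null      # SMB1 DWORD on legacy releases

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $featureState = [string]$f.State }
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverSetting = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $reg = Get-ItemProperty -Path $script:Smb1RegPath -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -ne $reg) { $registryValue = [int]$reg.SMB1 }

    # Decide exposure:
    #  - feature removed ("Disabled"/"DisabledWithPayloadRemoved") -> not exposed
    #  - otherwise the server setting wins when the cmdlet is available
    #  - on legacy hosts without the cmdlet, an absent registry value means SMB1 is on
    if ($featureState -like 'Disabled*') {
        $exposed = $false
    } elseif ($null -ne $serverSetting) {
        $exposed = [bool]$serverSetting
    } else {
        $exposed = ($null -eq $registryValue) -or ($registryValue -ne 0)
    }

    # srv.sys is the SMB server driver the security update replaced; report its
    # version for comparison with Microsoft's MS17-010 guidance (not hardcoded here).
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.FileVersion } else { 'not present' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        FeatureState  = $featureState
        ServerSetting = $serverSetting
        RegistryValue = $registryValue
        SrvSysVersion = $srvVersion
        Smb1Exposed   = $exposed
    }
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return 'Disabled via Set-SmbServerConfiguration'
    }
    # Legacy path: DWORD SMB1 = 0 under LanmanServer\Parameters, effective after reboot.
    Set-ItemProperty -Path $script:Smb1RegPath -Name 'SMB1' -Type DWord -Value 0 -Force
    return 'Registry value SMB1=0 written; reboot required'
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1Exposed) {
    Write-Warning "SMBv1 is enabled on $($status.Computer); EternalBlue-class worms such as WannaCry target this protocol."
    if ($Remediate) { Write-Output (Disable-Smb1Server) }
} else {
    Write-Output "SMBv1 appears disabled on $($status.Computer)."
}
```

Run it without arguments to get a read-only report, and with -Remediate to disable SMBv1; on fleets this is normally pushed through Group Policy or configuration management rather than run by hand, but the same three signals (feature state, server setting, legacy registry value) are what a compliance check should look at. Disabling SMBv1 reduces the attack surface; it does not replace installing the security update itself.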

About the author

Valdis Kok

Security engineer, reverse engineering and memory forensics