Since May 12, 2017, WannaCry has spread on a massive scale around the world, causing significant impacts. Therefore, security firms start to analyze and prevent the spread of this ransomware. Technical personnel of NSFOCUS also analyzed the sample immediately and released a detailed analysis report.
The sample exploits the ETERNALBLUE SMB vulnerability or DOUBLEPULSAR backdoor for propagation and infection of the ransomware. The sample first connects to the domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, to test network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors. Therefore, a reachable domain name can be registered to stop further attacks.
Ukrenergo, a major energy provider in Ukraine, experienced a power failure on the night of December 17, 2016, which involved the automatic control system of the “North” substation in New Petrivtsi close to Kiev. The blackout affected the northern part of Kiev, the country’s capital, and surrounding areas.
On November 15, 2016 (local time), legalhackers.com released an advisory about a privilege escalation vulnerability, assigned CVE-2016-1247, found in the Nginx server. Nginx web server packaging on Debian-based distributions, such as Debian or Ubuntu, was found to allow creating log directories with insecure permissions.