WannaCry Ransomware Attack
[Updated: 7:15am 5/16/2017 – Phishing was reported as the initial vector, but that may not be true.]
[Updated: 3:45pm 5/15/2017 – Trolls selling fake services to unlock files. Unconfirmed variants.]
A worldwide outbreak of ransomware started in the UK on Friday. The initial target was targeting the healthcare industry, but it has since spread to other sectors. US-CERT released the following statement: “According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM ”
The Department of Homeland Security (DHS) has been coordinating the US response. Threat Sketch CEO, Rob Arnold, participated in briefings held roughly every 12 hours, starting 9pm Friday night. Arnold says: “The briefings bring captains of industry together to share real-time information and strategy.” The briefings also coordinate US efforts with international efforts.
“The US had some time to prepare,” said Arnold. The attacks began in the UK and spread to throughout Europe and Asia before making their way to the American Continents. This allowed cyber threat intelligence organizations to mobilize. These public and private organizations produce new firewall, anti-virus, and email filtering rules. But DHS officials say these measures are only stop-gaps. DHS warns that copy-cat attackers “tweak” the attack allowing it to bypass filters. Businesses must apply special updates to computers running Microsoft Windows to be safe.
DHS and the FBI released flash alerts Saturday morning. The big push now is getting that information out to the private sector. Dedicated security operation centers (SOC’s), and well staffed network operating centers (NOC’s), will get these alerts immediately. Less clear, in the briefings, was how small businesses would get notified. The chair of the IT Sector Coordinating Committee brought that issue to a head in Saturday morning’s briefing. Threat Sketch joined her in pressing DHS to get the word out to small companies.
Initial reports indicated that the attacks started with a phishing attack over email. A malicious Word document, when opened, started the attack. However, new information is coming to light that indicates it was not the result of a phishing attack. The ransomware exploits a flaw in Window’s Server Message Block (SMB) protocol. Once activated, the attack jumps from machine to machine without any further human intervention over port 445. A patch is available from Microsoft and should be applied ASAP.
The malicious software encrypted the contents of infected machines and displayed a demand for $300+. The ransom note demanded payment in Bitcoin, a well known digital currency. The FBI confirmed that many victims paid the ransom, but it was unclear that doing so released the files held hostage. If you are attacked, DHS urges any organization attacked by ransomware to not pay the ransom. The attack appears to be spreading through a flaw in Microsoft’s SMB protocol. Consider turning off non-essential computers, and equipment with embedded Windows operating systems, until they can be updated to protect against this threat.
DHS urges US victims of ransomware attacks to contact the National Cybersecurity and Communications Integration Center (NCCIC). The center is available at email@example.com or 703-235-5273. Threat Sketch offers the following advice:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Consider turning off non-essential Windows based systems, until patched.
- Maintain up-to-date antivirus signatures and engines. Include updates for firewall and spam filters.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Use Office Viewer to open Microsoft Office files transmitted via e-mail.
- Educate employees on identifying scams, malicious links, and attempted social engineering (phishing) attacks.
- Ensure you have adequate backups in place. Backups should not be accessible from the local system.
Arnold says: “When the dust settles from this attack, I hope executives from around the globe will start treating cybersecurity as a business problem, and not just an IT problem.” Small businesses are at severe financial risk from cyber attacks. Perhaps more so than their larger cousins, because they lack basic risk management skills. Arnold adds: “The cybersecurity proposition is simple: Manage cyber risk to keep more profits and beat the odds that your organization will fold in the cash flow crisis caused by a cyber attack.”
There are reports of companies popping up to sell unlock services to unsuspecting victims. These services are scams. Without the victim having captured the private encryption key through very sophisticated means, it is impossible to unlock the files. Victims will need to rely on backups to recover the data.
There are also early, but unconfirmed, reports that a variant called Uiwix has surfaced. This variant allegedly has the much lauded URL “kill switch” removed. A kill switch was discovered accidentally by an anonymous security researcher, and it helped stem the initial attacks.