On May 12, 2017 at 4:00am ET, multiple companies in Europe started reporting ransomware infections with the most damage impacting the National Health System (NHS) Trust in the UK and a large telecom company, Telefonica in Spain.
16 hospitals within the NHS have canceled surgeries, had their phone systems disabled, or have had to turn away emergency patients. It is reported that many of the affected hospitals were using an older version of Microsoft Windows, known as XP, which is no longer supported by Microsoft.
This new ransomware variant is called “WannaCry / WCry / WanaCrypt0r”.
Ransom payments for this campaign are being reported at approximately 207 payments across 3 bitcoin wallets, totaling 31 BTC or about $55k. The revenue actually generated seems to be at odds with the impact the ransomware has had.
Initial research shows that the ransomware is spreading using the SMB vulnerability MS17-010, which Microsoft patched in March 2017. Microsoft has since taken the extraordinary step of releasing a patch for Windows XP, Windows 8, and Windows Server 2003.
No one has been able to pinpoint how this ransomware variant was initially distributed to victims, although several theories persist (malvertising, exploit kits, email spam, etc.). Remote Desktop Protocol (RDP), email, and phishing do not appear to be propagation vectors of the current variants.
Many of the large entities impacted had SMB exposed to the Internet, specifically port TCP-445. Some of that exposure has been remediated as part of the response to the WannaCry ransomware.
Reports were issued in the media and amongst the vendor community as information first flowed in. The story was fast moving, and this event was being confused with indicators from another ransomware strain (JAFF); for example, some early reports described WannaCry infections arriving via email, phishing, or Remote Desktop Protocol (RDP). Researchers have since had time to digest and validate the information and can now provide additional clarity: currently there is no evidence to support the theory that WannaCry is being distributed via a spam campaign or RDP. Be sure to check for factual reports from trusted sources like the NH-ISAC. Other phishing attacks are taking advantage of the situation.
Please also be aware that secondary scams (phishing and vishing) leveraging the WannaCry event for their own unrelated purposes are likely. Staff should be made aware and referred to proper communication channels for information.
POSSIBLE MITIGATION ACTIONS:
– Ensure all patches are up to date. Microsoft has patches available for all software versions Microsoft XP and higher specifically for MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
– Issue a companywide communication alerting staff to this event and the proper remediation activities.
– Prevent delivery and download of .exe attachments both direct and contained inside zip files.
– Ensure SMB is not permitted into your environment from external sources (block inbound TCP-139 and especially TCP-445). Pay particular attention to 3rd-party connections, including VPNs.
– Apply anti-virus updates; vendors have provided many new updates since May 12th.
– Detect/block known hashes. There are multiple lists, including those shared with NH-ISAC membership.
– Block attempts to communicate to unauthorized and new domains.
– Review the list of IP hits against the sinkholed domain, keeping in mind that some positive hits might be from your own security team.
– Continue to share and participate on NH-ISAC forums.
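Three of the steps above (confirming SMB is not reachable from the Internet, matching known-bad hashes, and reviewing sinkhole hits while discounting your own security team's scanners) can be checked against your own logs. The script below is an added example and is not NH-ISAC tooling or part of the original advisory; the key=value log formats, the sinkhole domain name, the blocklisted hash value, and the security-team host are all constructed placeholders, and real IoC lists should come from NH-ISAC or another trusted feed.

```python
"""Log triage for the SMB-exposure, known-hash and sinkhole review steps.

Constructed example: the log formats, sinkhole domain, bad hash and
security-team host are placeholders; real IoC lists come from NH-ISAC
or other trusted feeds.
"""
import ipaddress
import re
from collections import Counter

# --- placeholders (replace with values from a trusted feed) ---
SINKHOLE_DOMAIN = "sinkhole.example"          # placeholder, not the real sinkhole domain
PLACEHOLDER_BAD_HASH = "0" * 63 + "1"         # placeholder SHA-256, not a real IoC
KNOWN_BAD_SHA256 = {PLACEHOLDER_BAD_HASH}
SECURITY_TEAM_HOSTS = {"10.0.50.7"}           # constructed: your own team's scanner

SMB_PORTS = {139, 445}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value log formats, not any vendor's real format
FW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                   r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)")
DNS_RE = re.compile(r"client=(?P<client>[\d.]+) query=(?P<qname>[\w.-]+)")
HASH_RE = re.compile(r"host=(?P<host>[\w.-]+) sha256=(?P<sha>[0-9a-fA-F]{64})")


def is_external(ip: str) -> bool:
    """True if the address lies outside the RFC 1918 ranges, i.e. an Internet source."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_smb_hits(lines):
    """Inbound TCP 139/445 from external sources; an 'allow' entry means SMB is still exposed."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m or m["proto"].lower() != "tcp":
            continue
        dport = int(m["dport"])
        if dport in SMB_PORTS and is_external(m["src"]):
            hits.append((m["src"], m["dst"], dport, m["action"]))
    return hits


def sinkhole_hits(lines):
    """Clients resolving the sinkhole domain, with your own security team's hosts split out."""
    suspect, own_team = Counter(), Counter()
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        q = m["qname"].lower().rstrip(".")
        if q == SINKHOLE_DOMAIN or q.endswith("." + SINKHOLE_DOMAIN):
            bucket = own_team if m["client"] in SECURITY_TEAM_HOSTS else suspect
            bucket[m["client"]] += 1
    return {"suspect": dict(suspect), "security_team": dict(own_team)}


def hash_matches(lines):
    """(host, sha256) pairs whose hash appears on the blocklist."""
    out = []
    for line in lines:
        m = HASH_RE.search(line)
        if m and m["sha"].lower() in KNOWN_BAD_SHA256:
            out.append((m["host"], m["sha"].lower()))
    return out


# Constructed sample logs (documentation-range IPs, placeholder hosts)
FW_LOGS = [
    "2017-05-13T09:01:02Z fw1 src=203.0.113.45 dst=10.0.1.20 proto=tcp dport=445 action=allow",
    "2017-05-13T09:01:05Z fw1 src=198.51.100.9 dst=10.0.1.21 proto=tcp dport=139 action=deny",
    "2017-05-13T09:02:00Z fw1 src=10.0.2.5 dst=10.0.1.20 proto=tcp dport=445 action=allow",
    "2017-05-13T09:03:00Z fw1 src=203.0.113.77 dst=10.0.1.30 proto=tcp dport=443 action=allow",
]
DNS_LOGS = [
    "2017-05-13T09:10:00Z dns1 client=10.0.3.14 query=sinkhole.example",
    "2017-05-13T09:10:30Z dns1 client=10.0.50.7 query=sinkhole.example",
    "2017-05-13T09:11:00Z dns1 client=10.0.3.14 query=www.example.com",
]
HASH_LOGS = [
    f"2017-05-13T09:20:00Z edr host=ws-0142 sha256={PLACEHOLDER_BAD_HASH}",
    f"2017-05-13T09:20:05Z edr host=ws-0143 sha256={'1' * 64}",
]

if __name__ == "__main__":
    for src, dst, port, action in external_smb_hits(FW_LOGS):
        print(f"external SMB: {src} -> {dst}:{port} ({action})")
    print("sinkhole hits:", sinkhole_hits(DNS_LOGS))
    print("known-bad hashes:", hash_matches(HASH_LOGS))
```

Only the firewall entries with action=allow indicate live exposure, but denied attempts from external sources are still worth keeping as evidence that the port is being probed. The sinkhole check splits out addresses in SECURITY_TEAM_HOSTS so that your own scanners' lookups are not mistaken for infected machines.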
There is a wealth of information sharing, with actionable IOCs and mitigation strategies including scripts and patching results, being discussed over the NH-ISAC sharing mechanisms. NOW MORE THAN EVER you need to join the NH-ISAC and participate in the community. Your member dues (in many cases less than a cup of coffee per day) will pay you back ten-fold with factual information and strategies. NH-ISAC serves as an extension to your security operation!