H-ISAC WannaCry Ransomware Updates
The following information is labeled TLP White:
HHS ASPR/CIP HPH Cyber Notice: On-Going Impacts to HPH Sector from WannaCry
June 2, 2017
DISCLAIMER: This product is provided “as is” for informational purposes only. The Department of Health and Human Services (HHS) does not provide warranties of any kind regarding any information contained within. HHS does not endorse any commercial product or service referenced in this product or otherwise.
Dear HPH Sector Colleagues,
HHS is aware of two large multi-state hospital systems that are continuing to face significant challenges to operations because of the WannaCry malware. Note: this is not a new WannaCry attack.
The behaviors that have been reported are typical of environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by anti-virus or is not executing. The virus can persist even on a machine that has been patched. The virus will not spread to a patched machine, but its attempts to scan can disrupt Windows operating systems when it executes. The particular effect varies according to the version of Windows on the device. For those devices or systems, we are providing additional guidance below.
We are also sharing FDA’s emergency phone line for those with questions or reports of malware affecting devices as part of the recommended reporting process below.
You may send additional questions to firstname.lastname@example.org
Mitigating risks of WannaCry
WannaCry ransomware is a fast-propagating worm which exploits Windows’ Server Message Block version 1 (SMBv1) protocol to move through a network or infect other systems on the Internet. However, SMBv1 might not be the only vector of infection for WannaCry, so even patched systems could still be infected if the malware is introduced to the system in a different manner.
Furthermore, a newly patched system could have been infected before it was patched, and if so it would still scan for other vulnerable systems and/or encrypt files. Patching a system is analogous to a quarantine in physical medicine: the quarantine prevents the infection from spreading, but it does not cure the patient who has been quarantined. Reimaging removes the infection from the operating system no matter where the virus is residing.
Mitigate the risk of WannaCry infection by:
- Patch vulnerable systems with the update from Microsoft which fixes the SMBv1 vulnerability: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Disable SMBv1 on all devices across the network, and disable it at the firewall if possible. If it is not possible to disable SMBv1, consider the business impact of quarantining those devices off the network until another solution can be found.
- See the Tech Support page from Microsoft below for instructions on disabling SMBv1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
- Block port 445 on all firewalls
- If possible, reimage potentially affected devices to mitigate risk that malware is on the system in the background.
- Use a reputable anti-virus (AV) product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
- Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
- Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry, which could include reimaging per the previous bullet point.
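The following script is an added example, not part of the HHS notice, that audits a single Windows host against the three host-level items above (MS17-010 hotfix present, SMBv1 disabled, inbound TCP 445 blocked) and optionally remediates them. It assumes an elevated PowerShell session; the SMB cmdlets exist on Windows 8 / Server 2012 and later, and the registry fallback is the method Microsoft's KB2696547 page documents for older versions. KB4012598 is the only MS17-010 KB number this page cites; other OS versions have their own KB IDs in the MS17-010 bulletin and should be added to the list.

```powershell
# Added example (not from the HHS/H-ISAC notice). Run as Administrator.
param(
    [switch]$Remediate,
    # MS17-010 KB IDs differ per OS; KB4012598 is the one linked on this page.
    # Add the KB ID for your OS version from the MS17-010 bulletin.
    [string[]]$Ms17010Kbs = @('KB4012598')
)

$findings = @()

# 1. Is an MS17-010 hotfix installed?
$patched = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $patched) { $findings += 'MS17-010 hotfix not found (check the KB list for this OS)' }

# 2. Is the SMBv1 server protocol still enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: a missing SMB1 value means SMBv1 is enabled by default
    $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = (-not $v) -or ($v.SMB1 -ne 0)
}
if ($smb1) {
    $findings += 'SMBv1 server protocol enabled'
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWORD -Value 0 -Force
        }
    }
}

# 3. Is there an enabled inbound firewall rule blocking TCP 445?
# Note: on a host that serves file shares this blocks legitimate SMB as well.
$block = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if (-not $block) {
    $findings += 'No inbound block rule for TCP 445'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - WannaCry mitigation' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No WannaCry host mitigation gaps found' }
```

Run it without -Remediate first to see the findings; a reboot is still required after disabling SMBv1 through the registry.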
If you are the victim of a ransomware attack
If your organization is the victim of a ransomware attack, HHS recommends the following steps:
- Please contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or US Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).
- **NEW** If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov
- ICS-CERT: vendor-specific security bulletins and FDA Center for Devices and Radiological Health documents: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H
- Microsoft Security Bulletin MS17-010 – Critical: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Microsoft Windows Advisory: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Additional Microsoft Information: https://support.microsoft.com/en-us/help/204279/direct-hosting-of-smb-over-tcp-ip
- US-CERT SMB Advisory and Best Practices: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
MAY 16, 2017
The following information is labeled TLP White:
On May 12, 2017 at 4:00am ET, multiple companies in Europe started reporting ransomware infections, with the most damage impacting the National Health System (NHS) Trust in the UK and a large telecom company, Telefonica, in Spain.
16 hospitals within the NHS have canceled surgeries, had their phone systems disabled, or have had to turn away emergency patients. It is reported that many of the affected hospitals were using an older version of Microsoft Windows, known as XP, that is no longer supported by Microsoft.
This new ransomware variant is called “WannaCry / WCry / WanaCrypt0r”.
The total amount of money paid for the ransom campaign is being reported at approximately 207 payments across 3 bitcoin wallets, totaling 31 BTC or $55k. The actual revenue generated and the impact the ransomware had seem to be at odds.
Initial research shows that the ransomware is spreading using the SMB vulnerability addressed by MS17-010, which Microsoft patched in March 2017. Microsoft has since taken the extraordinary step of sending out a patch for the Windows XP, Windows 8, and Windows Server 2003 versions of its software.
No one has been able to pinpoint how this ransomware variant was initially distributed to victims, although several theories persist (malvertising, exploit kits, email spam, etc.). Remote Desktop Protocol (RDP), email, and phishing do not appear to be propagation vectors of the current variants.
Many of the large entities impacted had SMB exposed to the Internet, specifically port TCP-445. Some of that exposure has been remediated as part of the response to the WannaCry ransomware.
There were early reports in the media and amongst the vendor community as information first flowed in. The story was fast moving, and this event was being confused with indicators from another ransomware strain (JAFF); for example, there were reports of WannaCry infections coming from email, phishing, or Remote Desktop Protocol (RDP). Researchers have now had time to digest and validate the information and are able to provide additional clarity: currently there is no evidence to support the theory that WannaCry is being distributed via a spam campaign or RDP. Be sure to check for factual reports from trusted sources like the H-ISAC. Other phishing attacks are taking advantage of the situation.
Please also be aware that secondary scams (phishing and vishing) leveraging the WannaCry event for their own unrelated purposes are likely. Organization staff should be made aware and referred to proper communication channels for information.
POSSIBLE MITIGATION ACTIONS:
– Ensure all patches are up to date. Microsoft has patches available for all Windows versions from XP and higher, specifically for MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
– Issue a companywide communication alerting staff to this event and to the proper remediation activities.
– Prevent delivery and download of .exe attachments both direct and contained inside zip files.
– Ensure SMB (ports TCP-139 and especially TCP-445) is not permitted into your environment from external sources; disable or block those ports at the perimeter. Pay particular attention to third-party connections, including VPNs.
– Apply anti-virus updates; many new updates have been provided since May 12th.
– Detect/block known hashes. There are multiple lists, including those shared with H-ISAC membership.
– Block attempts to communicate to unauthorized and new domains.
– Review the list of IP hits against the sinkholed domain, keeping in mind that some positive hits might be from your own security team.
– Continue to share and participate on H-ISAC forums.
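Beyond the perimeter controls in the list above, the scanning behaviour described in this notice (one internal host reaching many distinct hosts on TCP 445 in a short time) is also visible in internal firewall logs. The script below is an added example, not part of the H-ISAC notice: Find-Smb445Scanners is a hypothetical function that reads a constructed "timestamp src dst dport action" log layout and flags any source that reaches a threshold of distinct TCP 445 destinations within a sliding time window; the sample lines are constructed, and the regex must be adapted to your firewall's real format.

```powershell
# Added example (not from the H-ISAC notice). Flags WannaCry-style SMB sweeps in firewall logs.
param([int]$DistinctDstThreshold = 20, [int]$WindowMinutes = 5)

# Constructed sample: 10.0.5.30 uses a file server normally; 10.0.5.17 sweeps a /24 on port 445
$sampleLog = @(
    '2017-05-15T09:00:01Z 10.0.5.30 10.0.1.10 445 ALLOW'
    '2017-05-15T09:00:05Z 10.0.5.30 10.0.1.10 445 ALLOW'
) + (1..40 | ForEach-Object { "2017-05-15T09:01:{0:D2}Z 10.0.5.17 10.0.9.$_ 445 DENY" -f ($_ % 60) })

function Find-Smb445Scanners {
    param([string[]]$Lines, [int]$Threshold, [int]$Window)
    # Only TCP 445 events matter; assumed layout is "timestamp src dst dport action"
    $pattern = '^(?<ts>\S+)\s+(?<src>\d+\.\d+\.\d+\.\d+)\s+(?<dst>\d+\.\d+\.\d+\.\d+)\s+445\s+'
    $events = foreach ($l in $Lines) {
        if ($l -match $pattern) {
            [pscustomobject]@{ Time = [datetime]$Matches.ts; Src = $Matches.src; Dst = $Matches.dst }
        }
    }
    $events | Group-Object Src | ForEach-Object {
        $src = $_.Name
        $sorted = $_.Group | Sort-Object Time
        # Sliding window: distinct destinations within $Window minutes of each event
        foreach ($e in $sorted) {
            $end = $e.Time.AddMinutes($Window)
            $dsts = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -le $end } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($dsts.Count -ge $Threshold) {
                # Report the first window that crosses the threshold, then move to the next source
                [pscustomobject]@{ Source = $src; DistinctTargets = $dsts.Count; WindowStart = $e.Time }
                break
            }
        }
    }
}

Find-Smb445Scanners -Lines $sampleLog -Threshold $DistinctDstThreshold -Window $WindowMinutes | Format-Table
```

On the constructed sample only 10.0.5.17 is reported; exclude your own vulnerability scanners from the input before acting on the results, for the same reason the sinkhole review above warns about security-team hits.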
There is a wealth of information sharing with actionable IOCs and mitigation strategies including scripts and patching results being discussed over the H-ISAC sharing mechanisms. NOW MORE THAN EVER you need to join the H-ISAC and participate in the community. Your member dues (in many cases less than a cup of coffee per day) will pay you back ten-fold with the factual information and strategies. H-ISAC serves as an extension to your security operation!
May 15, 2017 – US-Cert – Indicators Associated with WannaCry Ransomware
Full (TLP White) report can be read here, or viewed below:
US-CERT - TA17-132A Indicators Associated With WannaCry Ransomware - 15 ...
May 13, 2017 – HHS Update #2: International Cyber Threat to Healthcare Organizations
The following information is labeled TLP White:
Where can I find the most up-to-date information from the U.S. government?
– For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/ncas
– NCCIC portal for those who have access: hsin.dhs.gov
– FBI FLASH: Indicators Associated With WannaCry Ransomware
Where can I find the latest Microsoft Security Information?
Visit the Microsoft Update Catalog for the latest security updates – http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
ASPR TRACIE: Healthcare Cybersecurity Best Practices
Our message from May 12, 2017, including information on how to protect from email-based and open RDP ransomware attacks, can be found on the TRACIE portal here – https://asprtracie.hhs.gov/documents/newsfiles/NEWS_05_13_2017_08_17_11.pdf
ASPR TRACIE (https://asprtracie.hhs.gov/) also has the best and promising healthcare cybersecurity practices available in our Technical Resources domain. Issue 2 of The Exchange (released in 2016 – https://asprtracie.hhs.gov/documents/newsletter/ASPR-TRACIE-Newsletter-The-Exchange-Issue-2.pdf) highlights lessons learned from a recent attack on a U.S. healthcare system and features articles that demonstrate how collaboration at all levels is helping healthcare facilities implement practical, tangible steps to prevent, respond to, and recover from cyberattacks. The video Cybersecurity and Healthcare Facilities (https://www.youtube.com/watch?v=sWTIIQZxAG4&feature=youtu.be&ab_channel=PHEgov) features subject matter experts describing last year’s attack on MedStar, steps we can take to prevent and mitigate attacks, and what the federal government is doing to address cybersecurity. The Cybersecurity and Information Sharing Topic Collections (https://asprtracie.hhs.gov/technical-resources/80/information-sharing-partners-and-employees/77) include annotated resources reviewed and approved by a variety of subject matter experts.
How to request an unauthenticated scan of your public IP addresses from DHS
The US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides integrated threat intelligence and an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks.
– NCATS focuses on increasing the general health and wellness of the cyber perimeter by broadly assessing for all known external vulnerabilities and configuration errors on a persistent basis, enabling proactive mitigation prior to exploitation by malicious third parties to reduce risk.
– Attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.
– NCATS security services are available at no cost to stakeholders. For more information please contact NCATS_INFO@hq.dhs.gov
If you are the victim of ransomware or have cyber threat indicators to share
If your organization is the victim of a ransomware attack, please contact law enforcement immediately.
Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
Report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center.
For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov
FBI WANNACRY FLASH BULLETIN
FBI WannaCry Flash Bulletin – Indicators Associated With WannaCry Ransomware
Please see the attached TLP White report from the FBI concerning the WannaCry Ransomware incident.