NH-ISAC WannaCry Ransomware Updates
MAY 16, 2017
On May 12, 2017 at 4:00am ET, multiple companies in Europe started reporting ransomware infections, with the most damage impacting the National Health System (NHS) Trust in the UK and a large telecom company, Telefonica in Spain.
Sixteen hospitals within the NHS have canceled surgeries, had their phone systems disabled, or have had to turn away emergency patients. It is reported that many of the affected hospitals were using an older version of Microsoft Windows, Windows XP, which is no longer supported by Microsoft.
This new ransomware variant is called “WannaCry / WCry / WanaCrypt0r”.
Ransom payments for the campaign are being reported at approximately 207 payments across 3 bitcoin wallets, totaling 31 BTC or about $55k. The actual revenue generated seems out of proportion to the impact the ransomware has had.
Initial research shows that the ransomware is spreading using the SMB vulnerability addressed by MS17-010, which Microsoft patched in March 2017. Microsoft has since taken the extraordinary step of releasing a patch for Windows XP, Windows 8, and Windows Server 2003.
No one has been able to pinpoint how this ransomware variant was initially distributed to victims, although several theories persist (malvertising, exploit kits, email spam, etc.). Remote Desktop Protocol (RDP), email, and phishing do not appear to be propagation vectors of the current variants.
Many of the large entities impacted had SMB exposed to the Internet, specifically port TCP-445. Some of that exposure has been remediated as part of the response to the WannaCry ransomware.
Early reports in the media and among the vendor community, as information first flowed in, were fast moving, and this event was being confused with indicators from another ransomware strain (JAFF). For example, WannaCry infections were reported as coming from email, phishing, or Remote Desktop Protocol (RDP). Researchers have since had time to digest and validate the information and are now able to provide additional clarity: currently there is no evidence to support the theory that WannaCry is being distributed via a spam campaign or RDP. Be sure to check for factual reports from trusted sources like the NH-ISAC. Separate phishing attacks are taking advantage of the situation.
Please also be aware that secondary scams (phishing and vishing) leveraging the WannaCry event for their own unrelated purposes are likely. Organization staff should be made aware and referred to proper communication channels for information.
POSSIBLE MITIGATION ACTIONS:
– Ensure all patches are up to date. Microsoft has patches for MS17-010 available for all Windows versions from Windows XP onward (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
– Issue a company-wide communication alerting staff to this event and to the proper remediation activities.
– Prevent delivery and download of .exe attachments both direct and contained inside zip files.
– Ensure SMB (block ports TCP-139 and especially TCP-445) is not permitted into your environment from external sources. Pay particular attention to third-party connections, including VPNs.
– Apply anti-virus updates; many new updates have been provided since May 12th.
– Detect/block known hashes. There are multiple lists, including those shared with NH-ISAC membership.
– Block attempts to communicate to unauthorized and new domains.
– Review the list of IP hits against the sinkholed domain, keeping in mind that some hits might be from your own security team.
– Continue to share and participate on NH-ISAC forums.
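Two of the mitigation actions above (checking whether SMB is reaching your environment from external sources, and reviewing sinkhole-domain hits while discounting your own security team) are routine log-review tasks. The script below is an added example written for this page; it is not an NH-ISAC script or tool. The firewall log format, the sinkhole-hit records, the internal address ranges, and the "security team" host list are all constructed for illustration, and the sinkholed domain name is a placeholder rather than the real one referenced in the bulletin.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (not from the bulletin). Assumed format:
#   <timestamp> <ALLOW|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
SAMPLE_FIREWALL_LOG = """\
2017-05-12T04:01:12Z ALLOW proto=tcp src=198.51.100.23:51544 dst=10.20.30.40:445
2017-05-12T04:01:13Z ALLOW proto=tcp src=10.20.30.41:49220 dst=10.20.30.40:445
2017-05-12T04:01:15Z ALLOW proto=tcp src=203.0.113.9:40111 dst=10.20.30.50:139
2017-05-12T04:01:20Z DENY  proto=tcp src=198.51.100.23:51545 dst=10.20.30.40:445
2017-05-12T04:02:01Z ALLOW proto=tcp src=192.0.2.77:33021 dst=10.20.30.40:443
2017-05-12T04:02:05Z ALLOW proto=udp src=198.51.100.23:5353 dst=10.20.30.40:445
"""

# SMB ports named in the bulletin (TCP-139 and TCP-445).
SMB_PORTS = {139, 445}

# Assumed internal ranges: RFC 1918 plus loopback. Adjust to your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_str):
    """True if the address falls outside every range listed in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Return the permitted TCP flows into 139/445 whose source is external.

    Denied flows are skipped (the firewall already did its job), as are
    non-TCP records, because SMB as discussed here runs over TCP.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_external(rec["src"]):
            hits.append(rec)
    return hits


# Constructed sinkhole-hit records: (source IP, domain queried). The domain is
# a placeholder standing in for the sinkholed domain mentioned in the bulletin.
SINKHOLE_DOMAIN = "sinkholed-domain.example"
SAMPLE_SINKHOLE_HITS = [
    ("10.20.30.41", SINKHOLE_DOMAIN),
    ("10.20.30.41", SINKHOLE_DOMAIN),
    ("10.20.30.99", SINKHOLE_DOMAIN),
    ("10.20.30.200", SINKHOLE_DOMAIN),
    ("10.20.30.41", "update.example"),  # unrelated lookup, ignored
]
# Assumed: hosts your own security team uses for checks, so their hits are expected.
SECURITY_TEAM_HOSTS = {"10.20.30.200"}


def triage_sinkhole_hits(hits, sinkhole_domain, known_scanners):
    """Split sinkhole-domain hits into suspect hosts and known security-team hosts.

    Returns two dicts mapping source IP -> hit count.
    """
    counts = Counter(src for src, dom in hits if dom == sinkhole_domain)
    suspects = {ip: n for ip, n in counts.items() if ip not in known_scanners}
    expected = {ip: n for ip, n in counts.items() if ip in known_scanners}
    return suspects, expected


if __name__ == "__main__":
    for rec in find_external_smb(SAMPLE_FIREWALL_LOG):
        print(f"external SMB permitted: {rec['src']} -> {rec['dst']}:{rec['dport']} at {rec['ts']}")
    suspects, expected = triage_sinkhole_hits(
        SAMPLE_SINKHOLE_HITS, SINKHOLE_DOMAIN, SECURITY_TEAM_HOSTS
    )
    print("hosts to investigate:", suspects)
    print("hits from your own security team:", expected)
```

Run against your real firewall export by replacing the sample log text and adjusting `LINE_RE` to your vendor's format; the decision logic (allowed, TCP, destination 139 or 445, external source) stays the same. Any host listed under "hosts to investigate" resolved the sinkholed domain without being one of your known checking hosts and is worth a closer look.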
There is a wealth of information sharing with actionable IOCs and mitigation strategies including scripts and patching results being discussed over the NH-ISAC sharing mechanisms. NOW MORE THAN EVER you need to join the NH-ISAC and participate in the community. Your member dues (in many cases less than a cup of coffee per day) will pay you back ten-fold with the factual information and strategies. NH-ISAC serves as an extension to your security operation!
May 15, 2017 – US-Cert – Indicators Associated with WannaCry Ransomware
The full report (US-CERT TA17-132A, Indicators Associated With WannaCry Ransomware) can be read here or viewed below.
May 13, 2017 – HHS Update #2: International Cyber Threat to Healthcare Organizations
Where can I find the most up-to-date information from the U.S. government?
– For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/ncas
– NCCIC portal for those who have access: hsin.dhs.gov
– FBI FLASH: Indicators Associated With WannaCry Ransomware
Where can I find the latest Microsoft Security Information?
Visit the Microsoft Update Catalog for the latest security updates – http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
ASPR TRACIE: Healthcare Cybersecurity Best Practices
Our message from May 12, 2017 including information on how to protect from email-based and open RDP ransomware attacks can be found on the TRACIE portal here – https://asprtracie.hhs.gov/documents/newsfiles/NEWS_05_13_2017_08_17_11.pdf
ASPR TRACIE (https://asprtracie.hhs.gov/) also has the best and promising healthcare cybersecurity practices available in our Technical Resources domain. Issue 2 of The Exchange (released in 2016 – https://asprtracie.hhs.gov/documents/newsletter/ASPR-TRACIE-Newsletter-The-Exchange-Issue-2.pdf) highlights lessons learned from a recent attack on a U.S. healthcare system and features articles that demonstrate how collaboration at all levels is helping healthcare facilities implement practical, tangible steps to prevent, respond to, and recover from cyberattacks. The video Cybersecurity and Healthcare Facilities (https://www.youtube.com/watch?v=sWTIIQZxAG4&feature=youtu.be&ab_channel=PHEgov) features subject matter experts describing last year’s attack on MedStar, steps we can take to prevent and mitigate attacks, and what the federal government is doing to address cybersecurity. The Cybersecurity and Information Sharing Topic Collections (https://asprtracie.hhs.gov/technical-resources/80/information-sharing-partners-and-employees/77) include annotated resources reviewed and approved by a variety of subject matter experts.
How to request an unauthenticated scan of your public IP addresses from DHS
The US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides integrated threat intelligence and an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks.
– NCATS focuses on increasing the general health and wellness of the cyber perimeter by broadly and persistently assessing for all known external vulnerabilities and configuration errors, enabling proactive mitigation before exploitation by malicious third parties and thereby reducing risk.
– Attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.
– NCATS security services are available at no cost to stakeholders. For more information, please contact NCATS_INFO@hq.dhs.gov.
If you are the victim of ransomware or have cyber threat indicators to share
If your organization is the victim of a ransomware attack, please contact law enforcement immediately.
Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
Report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center.
For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov.
FBI WANNACRY FLASH BULLETIN
FBI WannaCry Flash Bulletin – Indicators Associated With WannaCry Ransomware
Please see the attached TLP White report from the FBI concerning the WannaCry Ransomware incident.