If you signed out from your office a bit early Friday afternoon and did not tune in to the news over the weekend, you missed the onset of a major, ongoing cybersecurity scare. Following are some important reports about the WannaCrypt / WannaCry ransomware to get you up to speed:
Homeland Security overview of WannaCrypt ransomware
Microsoft Windows operating systems
According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.
This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.
Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.
Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
Recommended Steps for Prevention
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network. No less than once a year. Ideally, as often as possible/practical.
- Test your backups to ensure they work correctly upon use.
Recommended Steps for Remediation
- Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
- Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser.
Ransomware attack: The second wave is coming, so get ready now
A new stage of the WannaCrypt ransomware attack could arrive with the start of the working week. Are you prepared?
The global ransomware attack that caused chaos could spring back to life again as workers return to the office, experts have warned.
While ransomware has been a growing menace for some time, this particular attack is without parallel, largely because the ransomware was combined with a worm-like functionality that allowed the infection to spread rapidly from PC to PC.
The lightning spread of the WannaCrypt ransomware attack was felt worldwide last week, causing problems for thousands of private and public sector organisations across dozens of countries on Friday, and forced hospitals in the UK to cancel treatment and resort to pen and paper. The ransomware has also caused problems in Germany, Russia, the US, and Spain.
After the impact of the first ransomware attack waned, a second variation was launched that increased the impact further.
And now, because the attack started on a Friday afternoon, there is concern that more PCs worldwide may have become infected over the weekend -- which means companies could have problems to face when they return to work.
'Accidental hero' halts ransomware attack and warns: this is not over
Expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’
The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service(NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
Microsoft warns ransomware cyber-attack is a wake-up call
A cyber-attack that has hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says.
It blamed governments for storing data on software vulnerabilities which could then be accessed by hackers.
It says the latest virus exploits a flaw in Microsoft Windows identified by, and stolen from, US intelligence.
There are fears of more "ransomware" attacks as people begin work on Monday, although few have been reported so far.
Repercussions Continue From Global Ransomware Attack
The ransomware attack unleashed on Friday has affected more than 100,000 organizations in 150 countries, according to Europe's law enforcement agency Europol on Sunday.
The malware, which locks files and asks for payment to unlock them, hit businesses and institutions across the world, including shipper FedEx, train systems in Germany, a Spanish telecommunications company, universities in Asia, Russia's interior ministry and forced hospitals in Britain to turn away patients.
More than 200,000 people around the world have been affected by the WannaCrypt malware, Jake Cigainero reports for NPR's Newscast.
Cyber-attacks from WannaCry ransomware slow but fears remain
A computer malware that has spread across 150 countries appears to be slowing down, with few reports of fresh attacks in Asia and Europe on Monday.
However staff beginning the working week have been told to be careful.
The WannaCry ransomware started taking over users' files on Friday, demanding $300 (£230) to restore access.
Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call.