Saturday 13 May 2017

WannaCry : The Largest Ransomware Infection in History

The IT systems of around 40 NHS organizations across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack.

Whoever is behind this ransomware has invested heavy resources into WannaCry's operations. In the few hours this ransomware has been active, it has claimed many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, WannaCry made over 57,000 victims in just a few hours.


The ransomware's name is WCry, but it is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. Whatever people call it, all of these are the same thing: version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.

Let's have a look at WannaCry:

WannaCry is believed to use the EternalBlue exploit, which was allegedly developed by the U.S. National Security Agency to attack computers running Microsoft Windows operating systems. Although a patch to remove the underlying vulnerability had been issued on March 14, 2017, delays in applying security updates left some users and organisations vulnerable. A public exploit for this vulnerability had been released in April by a group dubbed the ShadowBrokers, who leaked files containing offensive tools belonging to the NSA, including a remote SMB exploit called ETERNALBLUE that targets the above vulnerability.

On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware encrypts the computer's hard disk drive, then attempts to exploit the SMB vulnerability to spread to random computers on the Internet, and "laterally" between computers on the same LAN.

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017 – almost exactly two months before. The patch fixed a flaw in the Server Message Block (SMB) protocol used by Windows. Microsoft has also been urging people to stop using the old SMB1 protocol and use the newer, secure SMB3 protocol instead.

Organizations that lacked this security patch were affected for this reason. Any organization still running the end-of-life Windows XP would be particularly at risk, as Microsoft has issued no security patches for it since April 2014.

How does it work?

WannaCry is a form of ransomware that encrypts the files on your computer so that you can no longer access them. It targets Microsoft's widely used Windows operating system.

When a system is infected, a pop-up window appears with instructions on how to pay a ransom of $300. The pop-up also features two countdown clocks: one showing a three-day deadline before the ransom doubles to $600, the other showing the deadline after which the target will lose its data forever. Payment is only accepted in bitcoin.

The initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. The emails carry a .zip attachment, and opening it initiates the infection.

Some security researchers say the WannaCry infections seem to be deployed via a worm, spreading by itself within a network rather than relying on humans to spread it by clicking on an infected attachment. The programme encrypts your files and demands payment in order to regain access, without any guarantee that access will be granted after payment.

Given that the malware is scanning the entire internet for vulnerable machines, and that as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, this ransomware explosion is only expected to get worse over the weekend.
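The worm behaviour described above (one host reaching out to many peers on TCP/445, first inside the LAN and then across the Internet) is easy to spot in firewall or netflow logs. The following is an added example, not code from the original post: it flags any source that contacts at least five distinct hosts on TCP/445 within a one-minute window and separates internal (RFC 1918) from external targets. The log format is a constructed, simplified one-line-per-connection layout, and the sample lines are constructed for the demonstration.

```python
"""Flag hosts that fan out to many peers on TCP/445, the pattern of a
worm spreading over SMB inside a LAN and out to the Internet.

Added example, not part of the original post. The log format is a
constructed, simplified firewall/netflow line:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges count as "internal"; anything else is treated as Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log: 10.0.0.5 sweeps five internal hosts and two
# Internet hosts (TEST-NET addresses) on 445 within seconds, while
# 10.0.0.7 only does ordinary DNS and a single file-share connection.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.12 445 tcp
2017-05-12T10:00:01 10.0.0.5 10.0.0.13 445 tcp
2017-05-12T10:00:02 10.0.0.5 10.0.0.14 445 tcp
2017-05-12T10:00:02 10.0.0.7 10.0.0.1 53 udp
2017-05-12T10:00:03 10.0.0.5 10.0.0.15 445 tcp
2017-05-12T10:00:03 10.0.0.7 10.0.0.9 445 tcp
2017-05-12T10:00:04 10.0.0.5 10.0.0.16 445 tcp
2017-05-12T10:00:05 10.0.0.5 203.0.113.9 445 tcp
2017-05-12T10:00:06 10.0.0.5 198.51.100.4 445 tcp
2017-05-12T10:00:09 10.0.0.5 10.0.0.12 445 tcp
"""


def is_internal(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: {"internal": n, "external": m, "targets": set}} for
    every source that reached at least `threshold` distinct hosts on
    TCP/445 within any span of time no longer than `window`."""
    by_src = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if port == 445 and proto == "tcp":
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        best = set()  # largest set of distinct targets seen in one window
        for end, (ts_end, _) in enumerate(events):
            # Advance the window start until the span fits within `window`.
            while ts_end - events[start][0] > window:
                start += 1
            seen = {dst for _, dst in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            internal = {d for d in best if is_internal(d)}
            alerts[src] = {"internal": len(internal),
                           "external": len(best) - len(internal),
                           "targets": best}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['internal']} internal and {info['external']} "
              f"external hosts on TCP/445 within 60s -> possible SMB worm")
```

The threshold and window are deliberately conservative: a file server being browsed by many clients produces many inbound 445 connections, but a single workstation opening 445 to five or more distinct hosts in a minute is rare outside of scanning, so the rule keys on the source side. Tune both values against a week of your own logs before turning the rule into a blocking action.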


Which files are affected?

  1. \msg — This folder contains the RTF files describing the ransom instructions, in 28 languages in total.
  2. b.wnry — BMP image used by the malware to replace the desktop background.
  3. c.wnry — configuration file containing the target address as well as the Tor communication endpoint information.
  4. s.wnry — Tor client used to communicate with the above endpoints.
  5. u.wnry — UI of the ransomware, containing the communication routines and password validation (currently being analysed)
  6. t.wnry — “WANACRY!” file
  7. r.wnry — Q&A file used by the application, containing payment instructions
  8. taskdl.exe / taskse.exe —

Who is impacted?

A number of organizations globally have been affected, the majority of which are in Europe. This ransomware attack impacted many NHS hospitals in the UK. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. Over 1,000 computers at the Russian Interior Ministry, the Russian Emergency Ministry and the Russian telecommunications company MegaFon have been infected.


What can you do to prevent this infection?

Since 12 Apr 2017, ransomware exploiting MS17-010 has been wreaking havoc worldwide. Here are the steps you should take to protect yourself against ransomware:

1 - Patch Management
Ensure all workstations and servers have the latest Microsoft patches, especially the ones related to MS17-010.

2 - Antivirus
Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on the AV solution. Get the details of the malware's name and verify whether it has been detected in the logs for the last week.

3 - IPS
Ensure IPS signatures are updated. Verify that the signature which detects this vulnerability / exploit attempt is enabled and in blocking mode. Get the details of the signature's name and verify whether it has been detected in the logs for the last week.

4 - eMail Gateway
Ensure the eMail Gateway solution has all relevant updates for detecting mails that may bring the Trojan into the environment.

5 - Proxy
Ensure the proxy solution has an updated database. Block the IOC IP addresses and domain names on the proxy. Check the last week's proxy logs for the IOCs and take action on any sources of infection.

6 - Firewall
Block the IOC IP addresses on the perimeter firewall. Verify logs for the last week.

7 - Anti-APT Solutions (FireEye, Trend Micro)
Ensure signatures are up to date. Check for possible internal sources of infection and take action.

8 - SIEM
Check logs to verify whether any of the IOCs have been detected in the last week's logs.

9 - Internet Explorer
Ensure SmartScreen (in Internet Explorer) is turned on; it helps identify reported phishing and malware websites and helps you make informed decisions about downloads.

10 - Email Pop-up Blocker
Avoid clicking on links or opening attachments in emails from people you don't know or companies you don't do business with. Unless you are absolutely sure that an email is genuine and from a trusted source, do not enable macros; instead, immediately delete the email. Have a pop-up blocker running on your web browser.

11 - Regular Backup
Regularly backing up your important files is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored offline so that attackers can't delete them.
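Steps 5, 6 and 8 above all come down to the same SIEM task: take the published indicators and search the last week of proxy, firewall and endpoint logs for them. The following is an added example, not code from the original post. The log layout (one event per line, a timestamp, a source name and key=value fields) is constructed, the domain and IP indicators are placeholders (a .invalid domain and a TEST-NET address, to be replaced by the real IOCs for the campaign), and the file names are the dropped files listed in the "Which files are affected?" section. It shows two details that are easy to get wrong in a hand-written search: domain matching on a label boundary, so that a look-alike such as notioc-example.invalid is not a false hit while every subdomain of the IOC is, and a lookback cut-off so that stale hits outside the one-week window are not reported.

```python
"""Match a small set of IOCs against one week of proxy, firewall and
endpoint log lines, as a SIEM search would.

Added example, not part of the original post. The log format is
constructed (<ISO timestamp> <source> key=value ...), the domain and IP
indicators are placeholders, and the file names come from the post's
list of files dropped by the ransomware.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Placeholder indicators: swap in the IOCs published for the campaign.
IOCS = {
    "domains": {"ioc-example.invalid"},          # placeholder domain
    "ips": {"198.51.100.77"},                    # placeholder (TEST-NET-2)
    # Dropped-file names listed in the post, compared case-insensitively.
    "filenames": {"b.wnry", "c.wnry", "s.wnry", "u.wnry", "t.wnry",
                  "r.wnry", "taskdl.exe", "taskse.exe"},
}

# Constructed sample log: one infected host (10.0.0.5), benign look-alike
# traffic from 10.0.0.6, and an old hit from 10.0.0.9 outside the window.
SAMPLE_LOG = [
    "2017-05-12T09:15:00 proxy host=10.0.0.5 url=http://update.ioc-example.invalid/x",
    "2017-05-12T09:16:00 firewall src=10.0.0.5 dst=198.51.100.77 dport=443",
    "2017-05-12T09:17:00 endpoint host=10.0.0.5 file=C:\\Users\\bob\\AppData\\Local\\Temp\\c.wnry",
    "2017-05-12T09:18:00 proxy host=10.0.0.6 url=http://notioc-example.invalid/index.html",
    "2017-05-12T09:19:00 firewall src=10.0.0.6 dst=198.51.100.7 dport=443",
    "2017-05-12T09:20:00 endpoint host=10.0.0.6 file=C:\\Windows\\Temp\\report.docx",
    "2017-05-01T09:00:00 proxy host=10.0.0.9 url=http://ioc-example.invalid/old",
]

NOW = datetime(2017, 5, 13, 12, 0, 0)  # constructed "current time" for the search


def parse_line(line):
    """Return (timestamp, source, {key: value}) for one log line."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), source, kv


def domain_matches(hostname, domains):
    """True if hostname equals an IOC domain or is a subdomain of one.
    Matching on a label boundary keeps notioc-example.invalid from hitting."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_iocs(lines, iocs, now, lookback=timedelta(days=7)):
    """Return a list of hits {ts, host, type, indicator} for every line
    inside the lookback window that contains a known indicator."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, source, kv = parse_line(line)
        if ts < now - lookback:
            continue  # older than the week we were asked to check
        if source == "proxy":
            host = urlsplit(kv.get("url", "")).hostname or ""
            if domain_matches(host, iocs["domains"]):
                hits.append({"ts": ts, "host": kv["host"],
                             "type": "domain", "indicator": host})
        elif source == "firewall":
            if kv.get("dst") in iocs["ips"]:
                hits.append({"ts": ts, "host": kv["src"],
                             "type": "ip", "indicator": kv["dst"]})
        elif source == "endpoint":
            name = basename(kv.get("file", ""))
            if name in iocs["filenames"]:
                hits.append({"ts": ts, "host": kv["host"],
                             "type": "file", "indicator": name})
    return hits


def hosts_to_isolate(hits):
    """Distinct internal hosts that produced at least one hit."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG, IOCS, NOW)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['type']} -> {h['indicator']}")
    print("isolate:", ", ".join(hosts_to_isolate(found)))
```

The endpoint check looks only at file names, which is enough to triage a host quickly; confirming an infection still needs the file hashes from the vendor advisories, which this example deliberately does not invent.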


Note:
  • If required, raise case with OEM for getting details
  • All changes to follow proper approvals and change management process
Follow this link to see the real time heat map: https://intel.malwaretech.com/botnet/wcrypt