WannaCry Ransomware

Description:

Ransomware is a type of malware that blocks access to computer system either by locking the systems screen or by encrypting files and folders. Usually certain amount(ransom) of money (in bitcoin) is demanded for unlocking the files. For most of the new variants of ransomware, prevention has become the only guard since data recovery after attack is almost impossible.

WannaCry is a kind of ransomware, also referred online under various names – WCry, WanaCryptor, WannaCrypt or Wana Decryptor. The attack was based upon a security flaw in Microsoft Windows operating systems(Windows XP through 8.1). Although the patch was released by Microsoft in the month of March, most of the systems are still reported to have not been updated, which has exposed the systems to the attack.

Discovered: May 12, 2017
Updated: May 13, 2017 9:51:24 PM
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

Distribution:

  1. Victims gets infected through emails containing malicious program disguised as legit attachment.
  2. Once the ransomware infects a system, it has the capabilities to propagate in a network using the vulnerabilities existing in SMB through port 445 of unpatched windows systems.
  3. enterprise servers either through Remote Desktop Protocol (RDP) compromise.

Target:

Microsoft Windows systems – Unpatched Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016

Discovered:

  1. The attack was reported by the CCN-CERT, the Spanish Government’s Computer Security Incident Response Team at 12:26 p.m. EDT, Friday.
  2. England’s National Health Service hospitals and facilities around England and telecom organisations in Spain. The large outbreak occurred on Friday 12 May.
  3. To date, more than 200,000 systems have been infected in over 150 countries.
  4. There is no specific target set by the ransomware.

Impact:

Ransomware not only targets home users; businesses can also be infected with ransomware, leading to negative consequences, including

  1. temporary or permanent loss of sensitive or proprietary information,
  2. disruption to regular operations,
  3. financial losses incurred to restore systems and files, and
  4. potential harm to an organization’s reputation.
  5. WannaCry encrypts files

Since paying the ransom does not guarantee the release of  encrypted files, it is  discouraged to pay the ransom.  Even if the files are decrypted, doesn’t mean the malware infection itself has been removed.

Mitigation:

BtCIRT encourages all users and administrators to apply the necessary patches and take following preventive measure:

         End user:

    • For Newer Windows Versions (Windows Vista, 7-10,  Windows Server 2008-2016)  apply MS17-010 SMB  vulnerability dated March 14, 2017
    • For older systems going back to Windows XP and Windows 2003,  follow (WannaCry patch  )
    • Most of the antivirus have released update to detect the malware, keep your AV up-to-date
    • Always keep a backup of data you cannot afford to lose.
    • Configure  Applications, OS and antivirus   to automatically update and perform regular scans.
    • For general mitigation please check  Malware  and Online Safety
    • Always Download software from reputable sources and never use cracked softwares

       Admin

    • Do not expose SMB to outside world and  Completely disable support for legacy SMB protocol( Guide on disabling SMBv1 )
    • Disable or restrict Remote Desktop Protocol (RDP) access – Visit https://support.eset.com/kb3433/#RDP
    • Cisco has released snort rule for ETERNALBLUE as part of the “registered” rules set. Check for SID 41978
    • Practice the principle of least privilege.

        Recovery:

      • Restore  from clean backup
      • Patch your system.

Please report any ransomware incidents to the cirt@bicirt.bt.

For latest Security News ,Alerts  and Best practice please follow “Bhutan Computer Incidence Response team” page on facebook or visit our page :  https://www.btcirt.bt/category/publications/  or subscribe for email notification.

WannaCry threat to systems in Bhutan:

Application and Systems deployed on Microsoft Windows’s or individual using Microsoft Windows operating system could be in potential risk if:

    1. left unpatched or not updated;
    2. Using pirated operating system;
    3. Antivirus software is not updated;
    4. Remote desktop and File sharing is enable

Further Resources:

  1. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  2. https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99&tabid=3
  3. https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4488-informe-del-ransomware-de-la-familia-wannacry-que-incluye-medidas-para-su-deteccion-y-desinfeccion.html
  4. https://www.ibtimes.com/nsa-hacking-tools-used-wanacry-global-ransomware-attack-targeting-hospitals-banks-2538610
  5. https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
  6. https://www.forbes.com/sites/tomcoughlin/2017/05/14/wannacry-ransomware-demonstrations-the-value-of-better-security-and-backups/#7a828a1770b8
  7. https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99&tabid=2
  8. https://www.us-cert.gov/ncas/alerts/TA17-132A
  9. https://www.us-cert.gov/ncas/alerts/TA17-132A
  10. https://www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1263/index.html
  11. https://www.us-cert.gov/ncas/alerts/TA17-132A