FIRST THINGS FIRST:
Are you afraid of infection? These steps first:
- Patch. In principle, if you’re patched, you won’t get infected. Go here for more information: MS17-010: Security update for Windows SMB Server: March 14, 20. Microsoft has released a patch even for out-of-support Windows XP here: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
- If you can’t or won’t patch, disable SMB v1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012?utm_content=bufferf993c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
- There seem to be some Snort rules available if you run an IDS here: https://pastebin.com/vp7st112
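The two checks above (is the MS17-010 update installed, is SMBv1 still on) can be scripted on each Windows host. The following is an added example written for this post, not SecureLink's or Microsoft's own tooling: it reads the hotfix list, reports the SMBv1 server state, and disables SMBv1 where the host is both unpatched and exposed, using the cmdlet and registry methods from the Microsoft article linked above. The list of KB numbers is the editor's own per-OS list of MS17-010 updates (KB4012598, the XP one linked above, is the only one named on this page); confirm the right KB for your Windows version against the MS17-010 bulletin. Run from an elevated prompt.

```powershell
# Added example (not from the original advisory): check MS17-010 / SMBv1 state on this host.
# Editor's list of MS17-010 update IDs per Windows version; only KB4012598 appears in the
# advisory itself. Verify against the MS17-010 bulletin for your OS before relying on it.
$Ms17010Kbs = @(
    'KB4012598',                          # Windows XP, Server 2003, Vista, Server 2008, Windows 8
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',             # Windows Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Patched {
    # $true if any known MS17-010 update is in the installed hotfix list.
    # Caveat: a later cumulative update that supersedes these does not show up under
    # these IDs, so on Windows 10 also compare the OS build against the bulletin.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server configuration cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value; when absent, SMBv1 is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1Server {
    # Disable the SMBv1 server using the two methods from Microsoft KB 2696547 (linked above).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
        # The registry method takes effect after a reboot.
    }
}

$patched = Test-Ms17010Patched
$smb1    = Get-Smb1State
Write-Host ("MS17-010 update present : {0}" -f $patched)
Write-Host ("SMBv1 server enabled    : {0}" -f $smb1)

if (-not $patched -and $smb1) {
    Write-Warning 'Host is unpatched AND has SMBv1 enabled: it is exposed to the worm.'
    Disable-Smb1Server
    Write-Host 'SMBv1 disabled. Install the MS17-010 update before reconnecting this host.'
}
```

Disabling SMBv1 only closes the door the worm uses to get in; an already-infected host still needs the isolate-and-reinstall steps below, and a patched host should still have SMBv1 off unless something genuinely depends on it.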
Are you already infected? These steps next:
- Isolate your infected machines
- Reinstall your infected machines
- Patch before connecting to the network
- Restore files to machines
- If you have no restore procedure, do not throw away your encrypted files. A fix may come within days or weeks, as has happened in some cases in the past.
What’s this I hear about “kill switches”?
The malware checks a certain domain name before it does anything else: only if that domain does not resolve and answer does the malware detonate. The initial domain name was dp9ifjaposdfjhgosurijfaewrwergwea.com. The good people from MalwareTechBlog discovered this, registered the domain, and to their surprise the malware stopped working everywhere. The effect is however thought to be temporary.
We are following reports that the malware is evolving with new kill switch domains, and there may well be a version without any kill switch at all. Approach the threat as if the kill switch doesn’t exist.
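Because the kill switch check runs before encryption or spreading, a DNS lookup of a kill switch domain from an internal host means that host has already executed the malware, whether or not the domain resolved. The following is an added example, not part of the original post or of SecureLink's tooling, that flags such hosts from resolver logs. The log lines are constructed for the example in a simplified "date time client qtype qname" layout, not a real DNS server format; adapt the parsing to your resolver's logs. The domain list holds the one domain named above and is meant to be extended as new variants are reported.

```powershell
# Added example (not from the original advisory): find hosts that looked up a kill switch domain.
$KillSwitchDomains = @(
    'dp9ifjaposdfjhgosurijfaewrwergwea.com'  # the domain named in the post; add newer ones here
)

# Constructed sample resolver log: <date> <time> <client-ip> <qtype> <qname>
$SampleLog = @'
2017-05-14 08:01:12 10.0.3.21 A www.example.com
2017-05-14 08:01:15 10.0.3.44 A dp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-14 08:01:16 10.0.3.44 A dp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-14 08:02:03 10.0.7.9 A updates.example.org
2017-05-14 08:02:40 10.0.3.58 A DP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
'@

function Find-KillSwitchLookups {
    param(
        [string[]]$Lines,
        [string[]]$Domains = $KillSwitchDomains
    )
    # One record per matching lookup; query names are normalised (trailing dot, case).
    $hits = foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }
        $qname = $f[4].TrimEnd('.').ToLowerInvariant()
        if ($Domains -contains $qname) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Client = $f[2]; Domain = $qname }
        }
    }
    # Summarise per client so each suspect host appears once with its first lookup time.
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    }
}

$suspects = Find-KillSwitchLookups -Lines ($SampleLog -split "`r?`n")
$suspects | Format-Table -AutoSize
```

Every client the function lists should go through the "already infected" steps above (isolate, reinstall, patch, restore). A successful resolution to a sinkhole only means that particular run of the malware exited; the host is still unpatched, was still reached by the worm, and a variant without a kill switch would not have stopped.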
ABOUT THE RANSOMWARE
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware worm. It encrypts your files and holds them to ransom. For several days the ransom is around BTC 0.17 (USD 300); after that the ransom is increased. After a week the files will be deleted. Encrypted files have the WCRY extension. The malware was found to contain the “kill switch” functionality described above. Newer versions of WannaCry, with new kill switch domains, were also seen in the wild on Sunday.
How it’s spreading
It spreads through the SMB protocol, typically used by Windows machines to communicate. Version 1 of the protocol is vulnerable as described in MS17-010. Once there’s an infection in a network, the worm searches for other vulnerable machines and infects them too.
The initial infection vector is still being discussed in the community. SMB is usually not internet-facing, so many think the campaign starts with a phishing e-mail or a similar method. There has been one report of phishing mails being observed; many other researchers haven’t yet seen this.
Europol mentioned on Sunday that there are over 200,000 infected machines in 150 countries. A day earlier, around 75,000 were reported, with infections concentrated in Russia. Hospitals have reported increased risk for patients through events such as cancelled operations. With the newer versions seen on Sunday, infosec and IT professionals are bracing for a new wave on Monday morning.
Investigators have found three bitcoin addresses belonging to the criminals and have counted the criminals’ earnings, which amounted to a little over USD 35,000 on Sunday. Find out here how much the criminals have made so far: https://twitter.com/actual_ransom.
WannaCry is by no means the biggest threat ever, but by its nature (using recent Windows vulnerabilities) it hits organizations that set low priorities for IT security, such as hospitals. Historically, only a small percentage of victims pay up. The majority of the damage is lost productivity, or even lost revenue when customer-facing processes break.
Obviously, if you’re infected and don’t have up-to-date patch levels, your risk is high.
Is this NSA malware?
The vulnerability MS17-010 was disclosed by a group called Shadow Brokers last month: https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. This dump included zero-days (vulnerabilities for which no patch is available), which some criticized, warning that the dump could be used by criminals. The malware itself bears no hallmarks of a professional organisation like the NSA; in fact some researchers called it amateurish.
All indications are that the malware just uses a vulnerability previously used by the NSA and disclosed by Shadow Brokers.
Who then is behind this?
We are working hard to protect customers and to “stop the bleeding” for others. In our experience, if the impact is high enough, more information about the criminals will surface sooner rather than later. We’ll share more news once we have it.
These types of attack change fast. Follow the news in your infosec community or on Twitter. Many SecureLink customers are protected by default. If you are a customer and want to know more, call your SecureLink contact.