This is an update to our 15 May 2017 alert regarding WannaCry ransomware, also known as WannaCry, Wry, WanaCrypt0r, Wannacrypt, Wanna Decryptor, etc.
WannaCry ransomware, which holds systems hostage for payment in Bitcoin between $300 and $600, has now affected organizations in more than 100 countries around the world. While the malware spread was greatly slowed due to the activation of a “kill switch” by a security researcher, new WannaCry variants have appeared, some with “kill switches” and some without.
Because of its loading method, which makes it invulnerable to antivirus software scans, and its ability to spread laterally on a network, WannaCry is particularly dangerous. For more details on the technical indicators for WannaCry, read the FBI FLASH.
What Your IT Department Can Do
The defining feature of this campaign is its ability to swiftly traverse SMB connections. To mitigate this access vector:
- Patch all Windows systems as soon as possible. Microsoft released a set of patches for all operating systems (including end of life systems) on March 14, 2017 for the vulnerability (CVE-2017-0145/MS17-010).
- It might be particularly challenging to update and patch legacy systems and other components with embedded vulnerable operating systems due to various operational and technological factors, but these systems are also at a higher risk than others that may have more updated security features.
- If systems cannot be patched due to operational reasons, apply “virtual patching” procedures as a stop-gap measure. These can include updating IPS/IDS and WAF signatures, whitelisting execution of applications, and hardening firewall and ACL rules.
- Block SMB at perimeter firewalls. Doing so will prevent attackers from gaining access to your network from externally compromised devices.
To prevent other methods of initial infection and facilitate swift recovery in the event of an infection, we recommend the following:
Implement all indicators of compromise (IOC) reported. If you need an updated listing, please contact us.
- Filter emails with zipped or otherwise obfuscated attachments. A key indicator of compromise for WannaCry is malicious .zip files; blocking these files from incoming emails can help prevent initial infections.
- Regularly back up your systems and keep them separate from the primary network to provide a reliable backup option in case of an infection.
We also recommend that your IT staff review your standard security protocols to ensure the following steps are being taken:
Ensure networks are properly segregated with tightly managed network shares.
- Closely monitor logs and activate anomaly detection processes for user and network behavior. We recommend that you review and manage logs and alerts through a central system.
- Develop a software update procedure that calculates the risk and critical levels and prioritize critical system updates. We recommend using a centralized patch management system to oversee all systems from a central place.
- Raise employee awareness to the risks of phishing (see section below on what your employees need to know).
What You and Your Employees Need to Know
Hackers using this campaign are gaining access to their targets’ systems through remote desktop protocols (RDP) or through the exploitation of a critical Windows SMB vulnerability. To protect your organization, update any susceptible systems promptly and alert your employees about the danger of phishing emails. According to open source reporting, infection vectors have included emails containing malicious attachments and file-sharing protocols built into Windows systems. Once the malware is running on a system, it utilizes this file share protocol (SMB) to infect other computers on the network.
We suggest sending an email to your employees explaining WannaCry and recommending the following steps to keep their professional and personal systems safe:
- Don’t click on any links or download any programs from unknown senders. If you doubt the validity of any email, check with the sender and/or your IT staff to verify.
- Disable macro scripts from office files transmitted via email. Only use macros in trusted documents.
- If any computer or system you use is infected, isolate that computer from the network immediately and report the incident to IT.
If you have any questions regarding which systems might be vulnerable or how to protect them, please let us know immediately and we will help you understand the level of threat to your network and how to mitigate. To reach the team directly, email firstname.lastname@example.org.