IPSec advice on WannaCry ransomware outbreak

By now you are likely aware of the recent ransomware outbreak, known as WannaCry or WannaCrypt. IPSec would like to provide the following information and advice:

Headline Comments:

  • Impacts versions of Microsoft Windows that are unsupported (Windows XP, Server 2003, Vista) and supported versions that have not yet installed the March 2017 MS17-010 security update (Windows 7, Server 2008 and newer).
  • Microsoft has released an emergency out-of-band patch (KB4012598) for the unsupported versions; supported versions are fixed by installing MS17-010 through Windows Update. See Microsoft Customer Guidance for WannaCrypt attacks: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Patched versions of Windows are still susceptible if a user executes the ransomware, as with other ransomware attacks: the patch stops the self-propagation, not the file encryption.
  • Do not pay the ransom. There is no evidence that paying results in files being decrypted.
  • Verify that your firewalls do not permit TCP/445 (SMB) from the Internet to your internal networks, and consider restricting SMB between workstations, since the worm spreads laterally over the same port.
  • Verify that all endpoint (anti-virus) solutions have their most recent signatures applied.
  • Verify that all email security solutions, including their anti-virus components, have their most recent signatures applied.
  • Verify that all web security solutions have their most recent signatures applied.
  • Ensure that all critical systems and data repositories (databases and file systems) are backed up, that the backups have been verified by a test restore, and that at least one copy is held where an infected host cannot reach it (offline, or on storage that user workstations cannot write to).
  • Remind all staff not to open unsolicited attachments or click unsolicited links. If they are unsure they should request confirmation from the IT support team and contact the sender of the attachment/link to confirm its validity.
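The backup item above asks for backups that are "of high integrity". The following PowerShell is an added example, not part of the IPSec advisory or Microsoft's guidance, showing one way to make that measurable: record a SHA-256 manifest of a backup set when it is written, then re-verify the set on a schedule. The paths `E:\Backups\Nightly` and `D:\Manifests\Nightly.csv` are assumed placeholders, and the function names are this example's own.

```powershell
# Added example (not from the IPSec advisory): a hash manifest for a backup set so that
# "backed up and verified" is measured rather than assumed. $BackupRoot and $ManifestPath
# are assumed placeholder paths. Store the manifest, and at least one backup copy, on
# storage that user workstations cannot write to: a backup share mapped on desktops is
# among the first things ransomware encrypts. Requires Get-FileHash (PowerShell 4.0+).

function Get-RelativePath {
    param([string]$Root, [string]$FullName)
    $FullName.Substring($Root.TrimEnd('\').Length).TrimStart('\')
}

function New-BackupManifest {
    # Run once, immediately after the backup job completes.
    param([string]$BackupRoot, [string]$ManifestPath)
    Get-ChildItem -LiteralPath $BackupRoot -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = Get-RelativePath -Root $BackupRoot -FullName $_.FullName
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    # Run on a schedule; returns one record per problem, nothing when the set is intact.
    param([string]$BackupRoot, [string]$ManifestPath)
    $Entries  = Import-Csv -LiteralPath $ManifestPath
    $Problems = @(foreach ($Entry in $Entries) {
        $Path = Join-Path $BackupRoot $Entry.RelativePath
        if (-not (Test-Path -LiteralPath $Path)) {
            [pscustomobject]@{ File = $Entry.RelativePath; Problem = 'missing' }
            continue
        }
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($Hash -ne $Entry.Sha256) {
            # A backup file should never change after it was written; a changed hash is
            # how an encrypted or tampered backup shows up before you need to restore it.
            [pscustomobject]@{ File = $Entry.RelativePath; Problem = 'hash mismatch' }
        }
    })
    # Files on disk that the manifest does not know about: look at them rather than
    # ignoring them, since ransom notes and encrypted copies appear as new files.
    $Known = @($Entries.RelativePath)
    $Extra = @(Get-ChildItem -LiteralPath $BackupRoot -File -Recurse |
        Where-Object { $Known -notcontains (Get-RelativePath -Root $BackupRoot -FullName $_.FullName) } |
        ForEach-Object { [pscustomobject]@{ File = (Get-RelativePath -Root $BackupRoot -FullName $_.FullName); Problem = 'not in manifest' } })
    $Problems + $Extra
}

# Usage with assumed paths; the manifest deliberately lives on a different volume.
$Root     = 'E:\Backups\Nightly'
$Manifest = 'D:\Manifests\Nightly.csv'
# New-BackupManifest -BackupRoot $Root -ManifestPath $Manifest   # run this after the backup job
$Issues = @(Test-BackupManifest -BackupRoot $Root -ManifestPath $Manifest)
if ($Issues.Count -gt 0) {
    $Issues | Format-Table -AutoSize
    Write-Warning "$($Issues.Count) backup file(s) failed verification; do not trust this set until explained."
} else {
    Write-Host "Backup set at $Root matches its manifest."
}
```

A hash check proves the files are unchanged since they were written; it does not prove they restore. Pair it with a periodic test restore of a sample of files onto a clean machine, which is the only check that catches a backup job that wrote corrupt data in the first place.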

Impacted Systems:

The WannaCry ransomware has the potential to impact all Microsoft Windows operating systems. The systems the worm component can reach directly are unsupported versions (Windows XP, Server 2003, Vista) and supported versions that have not received MS17-010 (for example Windows 7 and Server 2008); any other Windows system can still be impacted if a user executes the malware on it.

Unpatched Windows systems are particularly susceptible because the malware exploits a known SMBv1 vulnerability (the one fixed by MS17-010, attacked by the ETERNALBLUE exploit) to propagate automatically over the SMB file-sharing protocol on TCP/445. This means that an unpatched Windows system that is exposed to the Internet on TCP/445, or that sits on a network the malware has already entered, is likely to be exploited without any action by a user.

Method of Attack:

The WannaCry ransomware reaches victim systems in more than one way, each of which may result in the system being encrypted:

Email

Early reports attribute the initial infection to email: users receive a message with an attachment and/or a URL which, when opened (executed), runs the ransomware and encrypts the local device. Treat this vector as reported rather than confirmed; the network propagation described below is what accounts for the speed of the outbreak.

Whilst early reports mention .exe, .bat and .txt attachments, information is rapidly evolving and other attachment types may appear.

Additionally, there have been reports of recipients receiving emails with malicious URLs, either in the body of the email or within attachments (for example a URL inside an attached PDF).

Network Communication

Unlike most earlier ransomware, WannaCry uses the SMB protocol (TCP/445) to self-propagate across the network. An infected host scans for other systems on its local subnet and on random Internet addresses and attacks them with the SMBv1 exploit, so vulnerable systems that expose TCP/445 to the Internet are highly likely to fall victim, and a single infection inside your IT environment, however it arrived, will attempt to infect every other unpatched system it can reach over SMB.

There are also a growing number of reports of brute-force attacks against Internet-exposed RDP (TCP/3389) services, whereby a successfully brute-forced RDP session lets the attacker install the ransomware into the environment, from where it self-propagates to vulnerable systems.
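The two network vectors above (SMB on TCP/445 and RDP on TCP/3389) share one check: can they be reached from the Internet at all? The following PowerShell is an added example, not part of the IPSec advisory, that answers that question for a list of public addresses. It is meant to be run from a host outside the perimeter; the target addresses are constructed placeholders from the TEST-NET-3 documentation range, and `Test-TcpPort` is this example's own helper.

```powershell
# Added example (not from the IPSec advisory): check from OUTSIDE the perimeter whether
# SMB (TCP/445) and RDP (TCP/3389) on your public addresses accept connections. Run it
# from a host that is not on your network, e.g. a cloud VM; from the inside it would
# only prove that your own LAN allows SMB, which it almost certainly does.
# $Targets is an assumed placeholder; replace it with your Internet-facing addresses.
$Targets = @('203.0.113.10', '203.0.113.11')   # constructed: TEST-NET-3 documentation range
$Ports   = [ordered]@{ 445 = 'SMB'; 3389 = 'RDP' }

function Test-TcpPort {
    # A raw TCP connect with a short timeout; works on any Windows PowerShell version,
    # unlike Test-NetConnection, and does not wait ~20 s per filtered port.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($Target, $Port, $null, $null)
        if (-not $Async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / timed out
        $Client.EndConnect($Async)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $Client.Close()
    }
}

$Findings = foreach ($Target in $Targets) {
    foreach ($Port in $Ports.Keys) {
        [pscustomobject]@{
            Target  = $Target
            Port    = $Port
            Service = $Ports[$Port]
            Exposed = Test-TcpPort -Target $Target -Port $Port
        }
    }
}

$Findings | Format-Table -AutoSize

# Anything marked Exposed is reachable by the worm (445) or by RDP brute-forcing (3389):
# close it at the perimeter first, then treat that host as a priority patch target.
$Exposed = @($Findings | Where-Object Exposed)
if ($Exposed.Count -gt 0) {
    Write-Warning "$($Exposed.Count) Internet-exposed SMB/RDP endpoint(s) found"
    $Exposed | ForEach-Object { Write-Warning "  $($_.Target):$($_.Port) ($($_.Service))" }
} else {
    Write-Host 'No SMB or RDP ports reachable from this vantage point.'
}
```

A closed result from one vantage point is not proof of a closed perimeter: a firewall may allow 445 from specific partner ranges or VPN concentrators, so check the rule base as well as the port, and repeat the check after any firewall change.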

Recommendations:

IPSec recommends the following actions, in order of priority. Organisations should carry out as many of these as possible, as quickly as possible. They are ordered by impact and protective value for the organisation:

1. Remind all users not to open attachments or URLs that were received unsolicited.

If a user is unsure about the safety of an attachment or URL they should contact the sender directly to verify that they intended to send the email, and verify the safety of the attachment or URL with the organisation's IT support team.

2. Install the MS17-010 update (and, on unsupported versions, the emergency patch) as advised in https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ . Where a host cannot be patched immediately, disable SMBv1 and block inbound TCP/445 at the host firewall as interim mitigations, as the same guidance recommends.

3. Verify that all critical information systems and information stores are backed up and that the backups have been verified by restoring from them.

4. Verify that all endpoint (anti-virus) solutions are up to date and have their most recent signature sets applied.

5. Verify that all email and web security solutions (filters) are up to date and have their most recent signature sets applied (this includes any associated anti-virus components and reputation filter lists).

6. Keep monitoring news agencies and reliable sources of cyber-security updates, as this is an evolving threat and a number of variants have already been identified.
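Recommendation 2 (patch, and where that is not yet possible disable SMBv1 and block TCP/445 on the host) is the step that actually stops the worm. The following PowerShell is an added example, not part of the IPSec advisory or Microsoft's guidance, that performs those checks and mitigations on a single host. It assumes KB4012598 (the only KB this advisory names) is the relevant package; other Windows builds receive MS17-010 under different KB numbers, and Windows 10 receives it inside a cumulative update, so extend `$Ms17010Kbs` from the Microsoft guidance before relying on the patch check. The firewall rule name is this example's own.

```powershell
# Added example (not from the IPSec advisory): per-host check and remediation for the
# SMBv1 vector the worm uses. Run in an elevated PowerShell on each Windows host.
# Assumption: KB4012598 (from the advisory) is the MS17-010 package for this host.
# Windows 7, 8.1, 10 and Server 2008 R2 and later receive the same fix under other KB
# numbers listed in the Microsoft guidance, so add your build's KB to $Ms17010Kbs
# before trusting the result.
$Ms17010Kbs = @('KB4012598')

$Installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($Installed) {
    Write-Host "MS17-010 present: $($Installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No known MS17-010 update found: patch this host before it returns to the network.'
}

# 1. Turn off the SMBv1 server. Get/Set-SmbServerConfiguration exist on Windows 8 /
#    Server 2012 and later; on Windows 7 / Server 2008 R2 the equivalent switch is
#    the SMB1 registry value under LanmanServer\Parameters (takes effect after reboot).
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server disabled.'
    }
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                     -Name SMB1 -Type DWord -Value 0
    Write-Host 'SMBv1 server disabled via registry (reboot required).'
}

# 2. Remove the SMBv1 component entirely where the OS offers it as an optional
#    feature (Windows 8.1 and 10; on Server 2012 R2 and later use Remove-WindowsFeature FS-SMB1).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($Feature -and $Feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1Protocol feature removed (reboot required).'
    }
}

# 3. Host firewall: block inbound TCP/445 on the Public profile so a laptop on home or
#    hotel Wi-Fi cannot be reached by an infected peer. Think before applying the same
#    rule to the Domain profile on a file server: it will break legitimate shares.
$RuleName = 'Block inbound SMB 445 (WannaCry)'   # example's own rule name
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
        Write-Host "Firewall rule '$RuleName' created."
    }
}
```

Disabling SMBv1 is a mitigation, not a substitute for the patch: the update also hardens code paths that a later exploit could reach, and legacy devices (old NAS units, printers, scanners) that still speak only SMBv1 will stop working, so inventory them before rolling this out fleet-wide.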

Useful Links:

•    https://securingtomorrow.mcafee.com/business/analysis-wannacry-ransomware-outbreak/

•    https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58

•    http://blog.checkpoint.com/2017/05/12/global-outbreak-wanacryptor/

•    http://blog.checkpoint.com/2017/05/14/wannacry-paid-time-off/

•    https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

•    http://blog.talosintelligence.com/2017/05/wannacry.html