Friday May 12, 2017

Big Ransomware Outbreak Today - Be Vigilant

Update 8: Microsoft has pushed out hotfixes for WannaCry and older Windows OS.

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

Update 7: Microsoft Statement - "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance."

Update 6: FedEx has instructed approximately 80,000 employees, via email, to turn off their computers until Monday while it tries to deal with the WannaCry ransomware.

Update 5: FedEx (FDX) here in the United States has now been impacted by the WannaCry ransomware. FedEx has not determined exactly how it is spreading, but it is spreading. Virtual machines currently seem to be the most vulnerable on its network. FedEx is currently shutting down its PCs and taking its ESX servers offline as well.

Update 4: In-house HardOCP security experts have reported that the Russian Ministry of the Interior (Police) network has now been taken down by WannaCry ransomware.

Update 3: Microsoft pushed out a Security Bulletin MS12-010-Critical server patch in March as reported by the BBC, but many have not yet updated the vulnerable systems.

Update 2: HardOCP in-house security experts have verified that the WannaCry ransomware attack is being conducted using EternalBlue. EternalBlue was an exploitation tool released in Vault 7, the NSA tool dump from WikiLeaks. You can use this page to watch the current infection rate worldwide after you click connect.

Update: HardOCP in-house security experts have verified that the WannaCry ransomware is using a remote code execution vulnerability in Server Message Block (SMB).

While the outbreak was at first mainly located in Spain, it has quickly spread worldwide. It would be good for our System Admin readers to be very aware of this as it seems to be a very nasty strain of ransomware. Microsoft issued a patch for this on March 14th.

In Twitter conversations, Telefonica employees and collaborators told Bleeping Computer that the company had sent several internal memos, telling employees to also disconnect from the company's internal WiFi network. Additionally, the company blasted warnings throgh[sic] audio speakers inside their Madrid headquarters, warning employees to shut down their computers.


From what I can find, this is being spread through phishing mail, but once it is inside a network it seems to have other means of infection, if I am reading the Telefonica stories correctly, though none of them are specific about that. Best Security Search has a bit more detail on this, along with instructions for removal. Our own in-house security expert thought that it maps file shares from the infected machine and copies itself to them. There are also some indications that it is using RDP connections to spread to connected devices, which is allowing it to spread extremely quickly.
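As an added example (not code from this post or from any of the sources it quotes), here is a small detector for the lateral SMB spread described above: it parses constructed flow records and flags any internal host that opens TCP/445 connections to many distinct peers inside a short window, which a worm does and a workstation using a single file server does not. The record layout, the 60-second window and the 5-peer threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One flow record per line: "<ISO timestamp> <src IP> <dst IP> <dst port> <proto>" (assumed layout)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def build_sample():
    """Constructed flow records, not real traffic: a sweep, a normal share user, a slow host."""
    # worm-like: one workstation reaching 8 different neighbours on TCP/445 within 30 seconds
    sweep = [f"2017-05-12T10:00:{i * 3:02d} 10.1.1.20 10.1.1.{100 + i} 445 tcp" for i in range(8)]
    # benign: a workstation reopening the same file server share many times
    share = [f"2017-05-12T10:00:{i * 2:02d} 10.1.1.30 10.1.1.5 445 tcp" for i in range(10)]
    # below threshold: 6 peers spread over 25 minutes, never 5 inside one 60 s window
    slow = [f"2017-05-12T10:{i * 5:02d}:00 10.1.1.40 10.1.1.{200 + i} 445 tcp" for i in range(6)]
    return "\n".join(sweep + share + slow)

def parse_flows(text):
    """Parse records into (timestamp, src, dst, dport, proto); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((datetime.fromisoformat(m.group(1)), m.group(2),
                          m.group(3), int(m.group(4)), m.group(5)))
    return flows

def find_smb_sweeps(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct peer count} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == 445 and proto == "tcp":
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peers, left = defaultdict(int), 0  # live per-peer counts inside the current window
        for ts, dst in events:
            peers[dst] += 1
            while ts - events[left][0] > window:  # evict events that fell out of the window
                old = events[left][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                left += 1
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

Running `find_smb_sweeps(parse_flows(build_sample()))` on the constructed data flags only 10.1.1.20; feeding real firewall or NetFlow exports through the same logic is the point, since an infected host sweeping port 445 across a subnet stands out long before the ransom note appears.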

One of the main strategies that malware operators use is associated with sending phishing spam emails. The criminals typically employ body text, graphics and content that appears to be sent from a well-known and legitimate user, individual, company or government institution. Depending on the type of infection, the WannaCry virus may either be attached directly, hyperlinked or downloaded via a script. This is usually achieved by attaching various documents which may appear to be of interest to the user, such as invoices, letters, etc. When the users interact with them, a malicious macro or other type of script downloads the WannaCry virus from a remote server and infects the local computer.

Another possibility is the use of hacked or hacker-controlled web sites, portals and malicious ads. They typically spread spam and viruses disguised as free or trial versions of popular software: applications, games, utilities or patches. Malicious ad networks also serve this role while at the same time generating income for the operators.

It does not look to be a quick fix however.

WARNING! Manual removal of the WannaCry ransomware virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

Be careful what you click on. As I was typing this up, it was reported that NHS hospitals across England are dealing with multiple infections as well.