Security researchers are calling the latest outbreak of ransomware the largest in history.  The malware, known as WannaCry, WCry, and WannaCryptOr 2.0, hit the Internet Friday, May 12th, and quickly tallied up infections in over 100 countries world-wide.  It’s been seen in nearly every vertical, and estimates are that the ransoms paid to date have earned the malicious actors behind the attack close to $40,000 in a couple of short days.  A second iteration of these attacks have been identified, and this iteration does not have the same “kill switch” as was found in the first iteration.

Our top recommendations are as follows—

  • Apply Microsoft’s MS17-010 to all windows systems as soon as practicable, including systems with versions of the OS under “special support.”
  • Caution all users to NOT open any links or attachments in email that appears suspicious.
  • Use content and URL filtering to restrict outbound web traffic to known safe websites if at all possible to avoid having your users reach a compromised web site
  • Consider user security awareness training for phishing email attacks that includes simulated attacks
  • Consider deploying anti-malware solutions that have detection and defensive capabilities for ransomware attacks

The malware is spread through email in what we usually refer to as a phishing attack.  The victims were enticed by the email to click on a link that directed them to a compromised website using a previously unregistered domain.  Once on the website, a payload was loaded on the victim’s computer and executed which infected the computer with an encryption routine that locked the victims out of critical files until they paid a ransom in the range of 300 dollars, payable in bitcoin.  Unlike previous iterations of ransomware, this one then spreads laterally through the victim’s network to other vulnerable machines using the tactics of a computer worm. (similar to Conficker which wreaked havoc a few years ago).

The vulnerability that made all of this possible was patched by Microsoft in March 2017 through MS17-010.  This vulnerability had been described during a WikiLeaks publication of offensive cyber tools used by the NSA in their intelligence and cyber operations earlier in the spring.  The exploitation risk is most serious for Windows 7 and earlier versions of desktop operating systems and Windows 2012 and earlier versions of server operating systems.  The patch released by Microsoft, however, applies to all versions of Windows desktop and server operating systems.  Microsoft even ventured so far as to release patches for older operating systems like Windows XP, Vista and Server 2003 that are no longer covered under general support.

It goes without saying that this is an extremely potent attack and not to be trifled with.

The attack is now in its second iteration.  Researchers in Britain and the US found a “kill switch” in the first version that involved registering the domain of the malicious web site.  As soon as that was achieved, progress of the attack slowed considerably.  As expected, though, several new variants have been released over the weekend that have either different “kill switches” or no “kill switches” at all.  The expectation of many researchers in the field is that chaos will reign Monday morning when workers return to the office and power up machines that have not been patched.

As mentioned earlier, our top recommendations are as follows—

  • Apply Microsoft’s MS17-010 to all windows systems as soon as practicable, including systems with versions of the OS under “special support.”
  • Caution all users to NOT open any links or attachments in email that appears suspicious.
  • Use content and URL filtering to restrict outbound web traffic to known safe websites if at all possible to avoid having your users reach a compromised web site
  • Consider user security awareness training for phishing email attacks that includes simulated attacks
  • Consider deploying anti-malware solutions that have detection and defensive capabilities for ransomware attacks

Techgardens is ready to assist and offer solutions to help you address these threats. Please contact us to discuss your needs.

Additional Insights from our Partners

ForcePoint

Microsoft Security

Sophos

Alienvault

FACT SHEET_ Ransomware and HIPAA

Want to understand how vulnerable your company is?

Download our Ransomware Checklist.

 

 

 

Interested in learning more about your risk? We offer vulnerability assessments to help you identify threats to your organization.