WannaCry Ransomware: Dangerously Different
Friday, May 12, 2017, will be remembered for what was the largest ransomware attack in internet history. The world watched as critical systems were affected by a piece of ransomware called WannaCry or Wcry for short. By the time the dust settled, more than 200,000 computers in 150 different countries were infected by WannaCry ransomware.
Thanks to a security researcher named MalwareTech, a kill-switch was discovered that effectively stopped Wcry from spreading further. But, is it over?
As the weekend ended, the fear, when people returned to work to power on their computers, was that the WannaCry Ransomware would again begin spreading. In addition to this, there is a strong possibility that new versions of either Wcry or another similar piece of ransomware will show up without the kill-switch available and cause another widespread infection.
Let’s take a quick look at how Wcry is spreading. For this, we need to turn back in time a bit to the Shadow Brokers’ release of NSA exploits back in April, specifically to one named “EternalBlue”, which we explained in a previous blog. “EternalBlue” attacks a vulnerability in SMBv1, allowing a malicious person to remotely execute code on the victim’s computer. It seems that Wcry’s authors are using this vector as the initial entry into a computer where the ransomware is then delivered and executed, infecting the machine. Once a machine is infected, Wcry then looks at other computers on the network to infect. This method of propagation is what allowed Wcry to infect so many computers in a relatively short amount of time.
In March, Microsoft released security update MS17-010, which addresses this SMB vulnerability. At that time, the patch was only available to current versions of the Windows operating system, so anyone who was using Windows XP, Server 2003, or Windows 8 was still vulnerable. Because of the widespread infection of Wcry, Microsoft revised their policy to support end-of-life software and released patches for those operating systems on Friday.
So, how should people protect themselves? In addition to the tips my colleague, Rick Cantrell, gave in his blog, here are a few to protect your personal computers, as well as those in a corporate environment:
• If you can’t patch a system due to legacy software, disable SMBv1 and segregate those devices from other systems on the network. Microsoft’s support article 2696547 details how to disable SMBv1.
• Do not expose SMB ports to the internet (TCP 445, 139); properly configure your perimeter firewall rules.
• Have known good backups; it isn’t enough to just do a backup; perform regular restore tests to make sure you can recover your files.
There will almost certainly be copycat actors who will release new variants of WannaCry Ransomware, so always remain vigilant. Stay safe!