The basic attack, called Wanna, also goes by a number of other names (WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r). It encrypts files and changes their extensions to .wnry, .wcry, .wncry and .wncrypt. The malware then presents a window to the user with a ransom demand.
The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service and propagating through networks using the SMBv1 protocol, which Windows computers use to share files and printers across local networks.
Microsoft addressed the issue in its MS17-010 bulletin.
Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). It uses strong encryption on files such as documents, images, and videos.
Sophos issued a series of measures between 12 and 14 May addressing this threat. Most other anti-malware companies had issued signatures by yesterday evening and are blocking the current version of Wanna and its derivatives.
Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behaviour and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.
What to do
Please ensure all of your Windows environments have been updated as recommended by Microsoft.
The National Cyber Security Centre has published the following advice.
From investigations and analysis performed to date, we know that the malware encrypts files and presents the user with a prompt which includes a ransom demand, a countdown timer and a bitcoin wallet to pay the ransom into.
The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.
Home users and small businesses can take the following steps to protect themselves:
- Run Windows Update
- Make sure your antivirus product is up to date and run a scan – if you don’t have one then install one of the free trial versions from a reputable vendor
- If you have not done so before, this is a good time to think about backing important data up – you can’t be held to ransom if you’ve got the data somewhere else
The NCSC advise the following steps be performed in order to contain the propagation of this malware:
- Deploy patch MS17-010:
  - A new patch has been made available for legacy platforms
  - If it is not possible to apply this patch, disable SMBv1
  - and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
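The containment steps above, carried out on a single Windows host, as an added example that is not part of the NCSC or Sophos advisory. It reports whether an MS17-010 update is present, whether SMBv1 is still enabled, and, with -Enforce, disables SMBv1 and blocks the listed ports at the host firewall. The KB identifiers are placeholders to be filled in from Microsoft's MS17-010 bulletin for the operating system in question; the cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Set-SmbServerConfiguration, New-NetFirewallRule) are standard Windows PowerShell, and the registry and sc.exe fallbacks are Microsoft's documented method for Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the advisory): MS17-010 check, SMBv1 disable, SMB port block.
# Run from an elevated PowerShell session. KB numbers are PLACEHOLDERS: take the real
# ones for your OS version from the MS17-010 bulletin.
param(
    [string[]] $Ms17010Kbs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2'),
    [switch]   $Enforce    # without -Enforce the script only reports
)

function Test-Ms17010Installed {
    # $true if any of the supplied MS17-010 KBs appears in the installed hotfix list.
    param([string[]] $Kbs)
    foreach ($kb in $Kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose EnableSMB1Protocol directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool] $cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: LanmanServer\Parameters\SMB1; absent means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server (LanmanServer) and client (mrxsmb10) sides.
    # The client-side change takes effect after a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    }
    # Remove the workstation service's dependency on the SMB1 redirector, then disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-SmbPorts {
    # Host-firewall rules for the ports the advisory lists: UDP 137/138 and TCP 139/445.
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' -Direction Inbound `
        -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}

$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1On  = Get-Smb1State
Write-Host "MS17-010 installed : $patched"
Write-Host "SMBv1 enabled      : $smb1On"

if (-not $patched -and $Enforce) {
    if ($smb1On) { Disable-Smb1; Write-Host 'SMBv1 disabled (reboot required for client side)' }
    Block-SmbPorts
    Write-Host 'Inbound SMB/NetBIOS ports blocked at the host firewall'
}
```

Blocking TCP 445 inbound stops the host serving file and printer shares at all, so the firewall step is appropriate for workstations and for servers that do not need to share files; for everything else, patch first and block at the network devices between segments as the advisory says. Run the script without -Enforce across a fleet to get a quick inventory of which hosts are still unpatched and still have SMBv1 on.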
Work done in the security research community has prevented a number of potential compromises. To benefit:
- Ensure that your systems can resolve and connect on TCP 80 to the domains below.
Unlike the domains seen in most malware infections, these should not be blocked by your IT department. Note that the malware is not proxy aware, so a local DNS record may be required. This does not need to point to the internet, but can resolve to *any* accessible server which will accept connections on TCP 80.
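Creating that local DNS record on an internal Windows DNS server, then checking from a client that the name resolves and that TCP 80 is reachable, as an added example that is not part of the advisory. The domain name and the 10.0.0.50 address are placeholders: substitute the domain(s) from the advisory and an internal host that accepts connections on port 80. The cmdlets (Add-DnsServerPrimaryZone, Add-DnsServerResourceRecordA, Resolve-DnsName, Test-NetConnection) are the standard DnsServer and networking modules.

```powershell
# Added example (not from the advisory): internal zone so the domain resolves locally,
# pointing at an internal web listener, plus a client-side verification.
param(
    [string] $Domain   = 'killswitch-domain.example',  # PLACEHOLDER: use the advisory's domain
    [string] $TargetIp = '10.0.0.50'                   # PLACEHOLDER: internal host listening on TCP 80
)
Import-Module DnsServer

# Create a primary zone for the domain if the server does not already host one.
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ZoneFile "$Domain.dns"
}
# Apex A record ('@') so the bare domain, which is what the malware looks up, resolves.
# Short TTL so the record can be changed or withdrawn quickly once the threat passes.
Add-DnsServerResourceRecordA -Name '@' -ZoneName $Domain -IPv4Address $TargetIp `
    -TimeToLive (New-TimeSpan -Minutes 5)

# Verification as a client would see it: resolution plus a TCP handshake on port 80.
$resolved = (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue).IPAddress
$reach    = Test-NetConnection -ComputerName $Domain -Port 80 -WarningAction SilentlyContinue
[pscustomobject]@{
    Domain         = $Domain
    ResolvesTo     = $resolved
    Tcp80Reachable = $reach.TcpTestSucceeded
}
```

The second half is the part worth repeating from several subnets: a record that resolves but points at a host with nothing listening on port 80 gives no benefit, because the connection has to succeed, not merely the lookup.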
Antivirus vendors are increasingly becoming able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).
- Make sure policies at the perimeter of networks are blocking encrypted attachments
- During this current period of heightened threat, release of emails with encrypted attachments should not be permitted
- Verify the anti-malware solutions deployed throughout the organisation have a signature, or detection string, for WannaCry
- Verify that ALL endpoints, including portable devices and servers, are covered with the anti-malware solution and signatures are up to date
- If one device on the network is not protected, it could be the entry point and then the SMB vulnerability could be exploited across the network and compromise ALL other computers not patched
- Warn all users of the risks of opening unexpected attachments, no matter how legitimate they might look
- Given the recent publication of the exploit code, it was only a matter of time before WannaCry appeared to exploit the vulnerability. It is a fairly safe bet that there will be multiple new variants of WannaCry appearing in the short term. This will require new signature updates. This will be a continuous cycle, an arms race.
- The initial vector of compromise will likely change as well – expect methods other than encrypted zip files as attack vectors
- The following are the current known file extensions that are used when a file is encrypted. Where an organisation can alert on, or block the creation of, files of this type, please implement immediately. Microsoft File Server Resource Manager (FSRM) can apply these filters.
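An FSRM file screen for the extensions the advisory names earlier (.wnry, .wcry, .wncry, .wncrypt), as an added example rather than anything from the advisory. It creates a file group for those patterns and a screen on a share root that either blocks the write (active screening) or, with -AlertOnly, just logs an Application event carrying the writing account and path, so the SOC can alert on the first encrypted file landing on a share. The share path is an assumption; the cmdlets are from the FileServerResourceManager module on Windows Server, and [Source Io Owner] and [Source File Path] are FSRM's own notification variables.

```powershell
# Added example (not from the advisory): FSRM file group + file screen for the
# WannaCry extensions. Run elevated on the file server. $SharePath is assumed.
param(
    [string] $SharePath = 'D:\Shares',   # ASSUMED share root; set to your own
    [switch] $AlertOnly                  # passive screen: log only, do not block
)

$groupName = 'WannaCry encrypted-file extensions'
$patterns  = @('*.wnry', '*.wcry', '*.wncry', '*.wncrypt')

# FSRM is a role service; install it if it is not already present.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# File group: the name patterns the screen matches. Update in place if it already exists.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Notification: an Application-log warning naming the account and file for alerting.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware extension written by [Source Io Owner]: [Source File Path]'

# Screen on the share root. -Active makes FSRM refuse the write; omitting it gives a
# passive screen that only raises the notification.
$screenArgs = @{
    Path         = $SharePath
    IncludeGroup = $groupName
    Notification = $eventAction
}
if (-not $AlertOnly) { $screenArgs['Active'] = $true }

if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen @screenArgs
} else {
    New-FsrmFileScreen @screenArgs | Out-Null
}
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Starting with -AlertOnly for a day is a reasonable way to confirm the patterns do not collide with legitimate files before switching to an active screen; either way the event written by the notification is the useful signal, since it identifies the user account doing the encrypting and therefore the machine to isolate.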
All existing recommendations to limit the threat of Ransomware still apply, especially the prohibition of use of privileged accounts to access email and Internet services.
Having an effective back-up and Disaster Recovery strategy is a crucial defence along with educating Users, promptly applying patches and using professional anti-malware.
I confess. I used to be a Cloud sceptic. I was concerned that the potential downsides, particularly concerns about privacy and cost, outweighed the upside.
I believe that the situation today has changed significantly. These risks remain but the cloud environment has become a lot more competitive. Competition has brought with it a far greater range of suppliers, differentiation between Personal and Enterprise Cloud solutions, including where they locate their cloud infrastructure and how they handle data. I think that there is also now less likelihood that users will be locked into their cloud provider who then has the potential to ramp up charges.
On the upside, the Cloud offers start-ups and smaller enterprises the opportunity to access computing, communications and other IT resources without major capital investment that would have been far beyond their wildest dreams only a few years ago. Instead, Cloud providers have embraced the ‘Pay-As-You-Go’ model, frequently coupled with little or no long-term contractual commitment. Similarly, the opportunity exists to further limit costs by only paying for the resources consumed. So, if you want an off-site back-up facility, you can pay by the GB used per month. No need to commit upfront and pay for fixed blocks of TBs of storage and no need to buy and run backup servers on-site. Similarly, if you want to host your office file server in the Cloud but are happy to restrict availability to 7:00 am to 7:00 pm Monday to Friday, then you can reduce your monthly running costs by 60% compared with 24/7 availability.
So, what are the risks? Privacy remains an issue and you should be very wary of contemplating using a ‘free’ Cloud service targeted at Consumers. The free lunch rule applies here! If a service is free at the point of use, how is it being funded? Often this will be by the service provider extracting value from the data that you entrust to it. For example, by using the information to target advertising. If your business communications and information are being scanned and monetised by a service provider, what are the consequences for the Confidentiality of your and your customer’s data?
Furthermore, Legislative issues can arise relating to where the information is stored and processed, and particularly if it leaves the EU. There can also be issues relating to whether another nation might claim jurisdiction over your data because of the country of domicile of the service provider.
In mid-December, President Obama announced a number of new Cyber Security measures. In late January, I was in the audience for the 50th Appleton Lecture, organised by the IET, at which James Quinault CBE spoke about ‘Cyber Security: why we should be worried and what can we do about it’. In late January, on a much grander scale (and unfortunately I wasn’t there in person to listen to the great, the good and the wealthy), Cyber Security was a really hot topic in Davos at the World Economic Forum. In early February, there was an article on the BBC website titled ‘Cybersecurity: Defending ‘unpreventable’ cyber attacks’. Finally, I was back in London again last week for a seminar on ‘Cyber Security for Industrial Control Systems’.
There are some strong emerging themes from these diverse sources: firstly, that cyber-attacks are not just something that happen to celebrities and big-businesses; secondly, that the attacks emanate from a variety of sources with varying degrees of sophistication and widely differing objectives and last but by no means least, that this is not just a technology issue. We, the people and our behaviour, are critical to minimising the likelihood of an attack succeeding, the damage done by the attack and the ability to recover afterwards. These are all themes that I hope to return to in more detail in later posts.
Having thought more about this, it appears to me that the digital revolution is following a pattern of development that is not too dissimilar from previous technological revolutions, specifically, that we often don’t notice the turning point until sometime after it actually occurred; that the technology has gone from something known about and understood by a relatively few ‘experts’ to something taken for granted by many; and that following the initial honeymoon of the technology being developed and utilised for the good of humanity, it becomes commercialised, commoditised and ultimately criminalised.
The reality is that we can’t turn the clock back, the revolution isn’t going away. Like fire, the wheel, gunpowder, internal combustion engines and genetic engineering, we need to learn to live with the upsides and the downsides.
We’ve moved through Industrialisation and Globalisation. Now we’re into Digitalisation. We’ve progressed from simple ping-pong video games and emails through Web 2.0 and are now on the brink of the ‘Internet of Things’. Although there has been tremendous adoption of digital technology over the past 50 years, there is still plenty more to come.
In the new paradigm, the world is digital, our enterprises need to reflect this.
In amongst all this change and uncertainty the important thought to hold on to is that the Digital Revolution is full of opportunity. Creating opportunities to do new things and to do old things better. Doing nothing is not a viable long-term option. If you are starting-up, then you have a wonderful opportunity to start as you mean to go on without being weighed down by baggage from a previous era. If you are an established enterprise, now is the time to seize the initiative and change because you want to, not because you have your back to the wall and have to.
So, assuming that you are in the majority and are one of the good guys, what should you do? My view is not to hold back: do whatever it is that you believe will enable you to move forward, improve your operations or deliver new services. Promote your enterprise on-line, embrace the cloud, network your building or industrial control systems, proceed at speed, albeit with a degree of caution. It’s a bit like crossing a busy road in a town or city: fraught with danger, but provided that you have good reason to get to the other side, understand the risks, take precautions and behave sensibly, it is eminently do-able!
Once you have accepted the likelihood of an attack on your digital enterprise being quite high, you can begin to think through how you intend to manage the risks and consequences. Although Cyber Security sounds scary, in reality, it has much in common with other accepted areas such as financial or Health & Safety risks – these are issues that the majority of enterprises are now familiar with, albeit that you might want to invite external experts to help you work through the detail.
As with managing most risks, adopting a multi-faceted approach is likely to be more successful than relying on a single line of defence. The first step should be to understand what it is that you are trying to protect, why, and what the threats are. It is important to remember that threats to your digital enterprise don’t just emanate from hackers and criminals. Data loss due to human error, a natural disaster or equipment failure should also be included in your deliberations. An important concept here is that of resilience: what can be done to make the enterprise capable of surviving a security breach or an information loss. For some enterprises, the impact of information loss or a security breach may be low, whereas for others there may be serious legal or commercial consequences that could, in extremis, jeopardise lives, destroy your business and/or result in personal liability.
To manage this, the approach should be to:
- Identify the risks
- Assess their potential severity and probability of occurrence
- Establish a strategy*
- Develop a Plan
- Implement the Plan
- Review** and Evaluate
*Classic risk-management involves deciding upon one of four fundamental strategies: Accept, Avoid, Reduce or Share (there are a variety of alternative ways of expressing these options, such as Retain, Eliminate, Mitigate or Transfer, but the principles are essentially similar).
**It is important when reviewing, not just to review progress against the plan but to also periodically go back to the first stage of risk identification since in a fast moving world, the goalposts have a habit of moving without you noticing!
As a parting thought, don’t think of Cyber Security as a bolt-on to your enterprise or an added cost. Instead, think of Cyber as representing opportunity and Security as an integral part of your enterprise and as fundamental to its success as the People, Products, Processes, Quality, Safety and, of course, the money!