What the hell happened?
On May 12, 2017 multiple organizations were hit by crypto-ransomware called WannaCry. Infected users are unable to use their machines and their files get encrypted until they pay a ransom of up to $300 in Bitcoin. The ransom note in WannaCry though claims that if you are “too poor to pay” the ransom, they will unlock your files for free…after 6 months.
How is this even possible?
F-Secure Labs has warned about the exponential growth of ransomware and the dangers of government surveillance tools unleashed into the wild. WannaCry seems to combine the worst of the dangers implied by both warnings.
Who has been hit?
A huge number of organizations have been impacted, along with considerable amounts of public infrastructure. This is a global outbreak: we have received reports from more than 60 countries. It has hit healthcare organizations, as well as telcos, gas and electric companies. For example, the National Health Service in England was one of the most affected organizations, with hospitals closed and surgeries postponed.
According to F-Secure Labs, the most affected countries are Russia and China, then France, Taiwan, the US, Ukraine and South Korea.
How big is it?
Mikko Hypponen, our chief research officer, called it “the biggest ransomware outbreak in history” in terms of infections. But as of Saturday morning, the day after the outbreak, it had only made a measly $25,000, according to F-Secure Labs’ Andy Patel.
“The spread of WCry was slowed by the actions of an ‘accidental hero’ who registered a ‘killswitch’ domain name he found in the code,” Andy noted. However, we’re not out of the woods yet. “It only takes a small edit of that code, and a re-release to get the thing spreading like wildfire again.”
Why is this so big?
WannaCry exploits a flaw in the Server Message Block version 1 (SMBv1) implementation in Microsoft Windows that allows remote code execution. Microsoft had already patched the vulnerability in March (MS17-010), but many IT environments are still behind on patches and/or run legacy operating systems such as Windows XP, which are no longer supported and no longer receive security patches. There are also a large number of machines running pirated copies of Windows (especially in China and Russia) which, by their nature, do not receive official updates and so leave those machines at risk.
Due to the size of the outbreak, Microsoft yesterday released an out-of-band patch for Windows XP and Server 2003.
What could have prevented it?
The size of the outbreak is indicative of the number of machines out there which have not been patched with security updates. There are three likely reasons for this: the patch has been available since March but has not been installed for some reason; the machine runs a pirated copy of Windows and so does not receive the security updates that legitimate customers do; or the machine runs Windows XP, which is no longer supported and does not receive updates.
How to prevent it? Keep your software updated.
Why does it spread so fast?
It’s spreading fast because the vulnerability fixed by MS17-010 lets the malware behave as a “worm”, and worms spread fast by nature. WannaCry scans for other hosts and copies itself onto any exposed machine it finds by using the EternalBlue exploit. This doesn’t require any user interaction. Claims that it was initially distributed via spam have not yet been verified.
Worm or trojan?
WannaCry is not an Internet worm. It’s a trojan with worm-like behaviour once it’s inside a network.
So why does it feel so familiar?
“This is a blast from the past as this kind of ransomware isn’t anything new,” said Sean Sullivan, F-Secure security advisor. “For far too long, organizations have been ignoring basic firewall hygiene which is why WannaCry has gotten out of hand so easily.”
Am I protected against this threat?
Customers are protected with F-Secure’s advanced endpoint protection that offers next-generation technology. F-Secure’s DeepGuard functionality provides host-based behavioral analysis and exploit interception that proactively blocks ransomware such as WannaCry.
Organizations should make sure they have a properly configured firewall and have the latest Windows security updates installed, in particular MS17-010, to prevent spreading. F-Secure Software Updater helps companies to identify and patch third-party systems.
Can I recover the encrypted files?
Decryption is not available at this time; encrypted files should be restored from backups where possible.
Where did it come from?
It’s crimeware, much like other ransomware, but it takes advantage of a vulnerability that became known through tools developed by the NSA. Those tools were included in a dump published by The Shadow Brokers (a group that has been attributed to Russia) in April this year.
Is this a targeted attack?
No, this is not a targeted attack. Ransomware campaigns are typically indiscriminate.
Any good news?
We know this is crimeware. It is not an enemy state or terrorist group behind this. Victims can pay to regain access to their machines, which a more malicious attacker might not give as an option.
How do we protect you against WannaCrypt?
F-Secure endpoint products proactively prevent all in-the-wild examples of the WannaCry ransomware. We have detected the ransomware since its inception, meaning that all F-Secure endpoint customers are protected.
F-Secure endpoint products offer protection against WannaCrypt on three layers to ensure that the attack can be stopped at multiple points in the attack chain.
- Our integrated patch management feature, Software Updater, prevents WannaCrypt from exploiting the vulnerability targeted by EternalBlue by automatically deploying the related security patches.
- F-Secure’s DeepGuard functionality provides host-based behavioral analysis and exploit interception that blocks WannaCrypt.
- F-Secure’s Firewall prevents WannaCrypt from spreading laterally in the environment and encrypting files.
I’m an F-Secure customer, what should I do?
- Ensure DeepGuard and real-time protection are turned on in all your corporate endpoints.
- Identify endpoints without the Microsoft-issued patch (KB4013389, the MS17-010 update) with Software Updater or other available tools.
- Patch them immediately with Software Updater or other available tools.
- If you are unable to patch immediately, we recommend disabling SMBv1 using the steps documented in Microsoft Knowledge Base Article 2696547 in order to reduce the attack surface.
- Configure the firewall properly:
  - Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.
  - If possible, block 445 inbound to all internet-facing Windows systems.
  - Alternatively, you can set F-Secure Firewall policy to its highest setting, which has predefined rules to block the attack.
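The checklist above can be worked through on a single Windows host with the PowerShell script below. This is an added example, not F-Secure’s code or part of any F-Secure product: it reports whether an MS17-010 update is installed and whether SMBv1 is enabled, and with -Remediate it disables SMBv1 (the registry value from KB2696547, plus Set-SmbServerConfiguration where available) and adds a host firewall rule blocking inbound TCP/445. The KB list is an assumption taken from the per-platform articles of the MS17-010 bulletin; verify it against your own OS builds, since on Windows 10 later cumulative updates supersede those numbers and a fully updated host will not show them.

```powershell
<#
  Added example (not F-Secure's code): audit one Windows host for the WannaCry
  exposure discussed above and optionally apply the mitigations.
  Run from an elevated PowerShell prompt. Without -Remediate it only reports.
  Assumption: the KB numbers below come from the MS17-010 per-platform
  articles; later cumulative updates on Windows 10 supersede them, so check
  the list against your own builds before trusting a "not patched" result.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # apply fixes instead of just reporting
)

# KB numbers carrying the MS17-010 SMBv1 fix (assumption: verify per platform).
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / 8 RTM (out-of-band, May 2017)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Compare installed hotfix IDs against the known MS17-010 KB numbers.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchingKbs = $found }
}

function Get-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems fall back to the LanmanServer value documented in KB2696547.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means SMBv1 is enabled (the default on older Windows).
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    # Registry method from KB2696547; the SMB cmdlet is used as well where present.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # The server side picks this up when the LanmanServer service restarts (or on reboot).
}

function Add-Smb445BlockRule {
    # Block inbound TCP/445 on every profile. Narrow -Profile to Public if this
    # host must still serve SMB to trusted internal systems.
    $name = 'Block inbound SMB (TCP 445) - WannaCry mitigation'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Enabled
Write-Host ("MS17-010 installed : {0} {1}" -f $patch.Patched, ($patch.MatchingKbs -join ','))
Write-Host ("SMBv1 enabled      : {0}" -f $smb1)

if ($Remediate) {
    if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled (restart LanmanServer or reboot).' }
    Add-Smb445BlockRule; Write-Host 'Inbound TCP/445 block rule is present.'
} elseif (-not $patch.Patched -or $smb1) {
    Write-Warning 'Host is exposed: install the MS17-010 update, then re-run with -Remediate.'
}
```

Run it once without switches to get the audit lines for a fleet (for example through your management tooling), then with -Remediate on hosts that cannot be patched right away. Disabling SMBv1 breaks access to and from systems that only speak SMBv1, such as very old NAS devices and Windows XP, so check for those dependencies before rolling it out broadly.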
What are best practices for protecting against ransomware?
Here are our TOP 5 tips to keep your devices clear of ransomware:
Make sure you’re running a robust security solution that covers all your devices (PCs, Macs, smartphones, and tablets). F-Secure endpoint protection protects against all the known ransomware threats that are out there, and it can block brand new zero-day threats as well. As new ransomware variants keep popping up, this is important.
Take regular backups of your data. Store the backups offline, so that they can’t get infected. And test restoring them from time to time to make sure that they really work. With good backups, if you do get hit, you can get back on your feet faster without having to fork over cash to the criminals.
Keep the software on all your devices up to date to prevent exploits. If you are uncertain how to keep everything up-to-date, you may consider utilizing a tool that identifies old software versions and suggests updates.
Be extra careful with email attachments, especially with ZIP files and Office documents (Word, Excel, and PowerPoint). Don’t open email attachments that are sent by someone you don’t know. Also disable macro scripts from any Office files you receive via email.
Limit the use of browser plugins. Disable commonly exploited ones, such as Flash Player and Silverlight, when you’re not using them. You can do this through your web browser under the plugin settings.
So is this really about the problems with patching, intelligence agencies hoarding exploits or what?
But this is also really about our growing dependency on technology and the vulnerabilities inherent in that. And it’s about how this dependency is growing faster than our preparations to secure our systems.
What does this look like in real life?
Is this the worst-case scenario?
“This is not the worst-case scenario,” Sean Sullivan said. “The silver lining is that this wasn’t a destructive terrorist or nation state attack. Because it was profit-driven, it was designed to be undone upon payment and therefore there may be a chance to recover. However, this is a huge proof of concept for nation state actors that want to do something that might not be recoverable.”