UPDATE: WCry Ransomware
The WanaCrypt malware continues to garner heavy attention and remains a concern for organizations across the world. While it is still a threat, much of its spread appears to have been contained now that security researchers and engineers have identified how it propagates and what its infection vectors are. Companies have been patching against Microsoft Bulletin MS17-010, indicators and signatures have been published and pushed out to security products, and researchers have identified the malware's “killswitch” domains (unregistered domains that the malware queries to detect whether it is running in a sandbox; if the domain resolves, the malware deactivates itself) and registered them as a simple way to render the malware non-functional. Microsoft has also issued patches for the previously unsupported operating systems XP and Windows2K.
How WanaCrypt gains its initial access is still unclear. However, one victim reported being infected via a phishing email, a common intrusion vector for ransomware.
What makes WanaCrypt even more dangerous is that it can also worm across the Internet, not just an internal LAN, looking for systems exposed to a Microsoft Windows vulnerability in the Server Message Block (SMB) protocol. It has this capability because the latest WCry version uses the EternalBlue exploit, allegedly developed by the NSA and released to the world by the ShadowBrokers hacking group.
A critical development discovered over the weekend is that WanaCrypt 2.0 also installs the DOUBLEPULSAR backdoor, associated with EternalBlue, which could allow remote access. Thus, the hackers have multiple ways to hurt you:
- First, the known and obvious threat: the ransomware encrypts your files and forces you to pay a ransom to get them back.
- Second, the installed backdoor may result in not only your files being encrypted but copies of them being stolen by the hackers.
- Third, an undiscovered backdoor could allow a hacker to access your network at a later date, once it is assumed all is well and back to normal. It should be noted, however, that there is no indication of remote access or data exfiltration associated with WanaCrypt at this time. Nevertheless, the technology for such behavior is included in the malware.
Infection by this ransomware has a major negative effect on impacted systems and prevents any files on them from being accessed or used. As such, any critical files residing on that device would be inaccessible.
For Organizations currently unaffected:
- If not already done, apply Microsoft Patch MS17-010. This completely prevents infection.
- Verify that your anti-virus, endpoint protection, IDS/IPS, etc. are up to date and have deployed signatures to detect it. It appears that nearly all major vendors have developed and deployed a rule.
For Organizations already affected:
- If files are backed up or stored on a network share, ensure that the backup location or share is not infected. We recommend wiping and restoring the affected system.
- If files are not backed up, follow applicable corporate policy.
- Because of the backdoor technology built in, perform an incident response to determine whether a backdoor remains, whether data has been lost, and to what extent the malware pivoted through your network.
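The worm behavior described earlier (scanning for SMB on port 445, across the LAN and out to the Internet) and the incident-response question of how far the malware pivoted through the network can both be answered from ordinary firewall or flow logs. The following Python script is an added example, not part of the original advisory: it parses a constructed key=value connection-log format, and for each source host reports (a) a burst of TCP/445 connections to many distinct destinations within a short window, which is the signature of a worm sweeping a subnet, and (b) any TCP/445 connection to an address outside the organization's internal ranges. The log format, the internal address ranges, the thresholds and the sample log lines are all assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   2017-05-12T10:00:00Z src=10.0.0.5 dst=10.0.1.1 dport=445 proto=tcp action=allow
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Assumed internal address space; an organization would list its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"].lower(),
        "action": d["action"].lower(),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect_smb_scanning(lines, window=timedelta(seconds=60), fanout_threshold=10):
    """Return a list of (source, reason, detail) alerts for SMB worm-like behaviour.

    reason "smb-fanout":      detail is the peak number of distinct TCP/445 destinations
                              the source contacted within any single window.
    reason "smb-to-internet": detail is the sorted list of non-internal TCP/445 destinations.
    """
    events = [e for e in map(parse_line, lines) if e and e["proto"] == "tcp" and e["dport"] == 445]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over time: count distinct destinations currently inside the window.
        in_window = Counter()
        start = 0
        peak = 0
        for e in evs:
            in_window[e["dst"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= fanout_threshold:
            alerts.append((str(src), "smb-fanout", peak))

        external = sorted({str(e["dst"]) for e in evs if not is_internal(e["dst"])})
        if external:
            alerts.append((str(src), "smb-to-internet", external))
    return alerts


# Constructed sample log: one host sweeps a /24 on 445 and reaches an external address,
# one host uses a file server normally, one host makes an unrelated HTTPS connection.
_BASE = datetime(2017, 5, 12, 10, 0, 0)


def _line(offset, src, dst, dport=445):
    ts = (_BASE + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action=allow"


SAMPLE_LOG = (
    [_line(i, "10.0.0.5", f"10.0.1.{i + 1}") for i in range(12)]
    + [_line(13, "10.0.0.5", "203.0.113.5")]            # 203.0.113.0/24 is a documentation range
    + [_line(5, "10.0.0.9", "10.0.2.2"), _line(40, "10.0.0.9", "10.0.2.2")]
    + [_line(7, "10.0.0.7", "10.0.2.2", dport=443)]
)

if __name__ == "__main__":
    for src, reason, detail in detect_smb_scanning(SAMPLE_LOG):
        print(f"{src}: {reason} -> {detail}")
```

Run against real exports, the fan-out alert identifies hosts that were actively propagating and therefore need the full wipe-and-restore treatment, while the Internet-bound alert shows whether egress filtering on 445 was in place; both lists are a starting point for the scoping step of the incident response.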
Long-Term Ransomware Protection
- Develop a security policy and procedures for handling ransomware.
- Do not store important files on local systems.
- Employ a Disaster Recovery and Business Continuity Plan that includes data backup and restoration procedures.
Tags: WCry, wcry, ransomware, wanacrypt, wanacry, malware, campaign