Summary of Events: WannaCry/WannaCrypt, the Ransomware Attack Spreading Globally

A massive malware attack is spreading globally. It has already hit National Health Service (NHS) hospitals in and around England as well as hundreds, possibly thousands, of other organizations. Telefonica, FedEx, and Gas Natural are a few of the notable firms hit by this crippling strain of ransomware.

Hacked: Telefonica, National Health Service, FedEx and more

Hacker: Unknown/Various

Malware/Virus Name: WannaCry, WCry, Wanna Decryptor, WannaCryptor 2.0, WannaCry 2.0

Affected Systems: Unpatched Windows Operating Systems

Size and Scope: 300K+ machines in more than 150 countries reported affected.  The ransomware is rapidly spreading globally.

Immediate Action: Ensure Windows Operating Systems are updated with the MS17-010 patch: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Microsoft Security Bulletin: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

Timeline of events

Friday, 05/12/17

  • WannaCry is a rapidly spreading ransomware worm that uses a Windows SMBv1 exploit to remotely compromise computers running unpatched or unsupported versions of Windows.  No user interaction is needed: a reachable SMB service (TCP port 445) on a vulnerable host is enough.
  • Machines running unpatched Windows operating systems have been infected by a strain of ransomware that encrypts the user’s data and demands a $300 payment in Bitcoin to decrypt it.
  • The original strain is known as WanaCrypt0r 2.0 (also referred to as WannaCry, Wanna Decryptor and WCry).
  • Once one machine on a network is infected, it scans for other hosts with the vulnerable SMB service, on the local network and on the internet, and infects them in turn, which is why the malware spreads so quickly inside an organization.
  • Before encrypting or spreading, the malware attempts an HTTP connection to a domain name hard-coded in its body.  If the connection succeeds, the malware stops; if it fails (as it did while the domain was unregistered), the SMB worm component proceeds to infect the system and scan for others.  This check is what became known as the “kill switch” (see Saturday below).
  • The SMB exploit was allegedly built by the NSA and leaked by a hacking group known as the Shadow Brokers.
    • The exploit has been identified as EternalBlue (CVE-2017-0144), one of a collection of hacking tools allegedly created by the NSA and dumped by the Shadow Brokers in April 2017.
    • The Shadow Brokers released hacking tools and exploits that target earlier versions of the Windows operating system, along with evidence that the agency also targeted the SWIFT banking systems of several banks around the world. (read more from our friends at hackernews: http://thehackernews.com/2017/04/swift-banking-hacking-tool.html)
  • The Windows patch that closes this vulnerability, MS17-010, was released by Microsoft in March 2017 (patch info below).

Saturday, 05/13/17

  • In an uncommon move this weekend, Microsoft built and released patches for unsupported Windows operating systems (XP, Server 2003, etc.) because of the widespread, global nature of the ransomware.  Each Windows OS patch and link can be found below in the “What Do I Do?” section.
  • A “kill switch” was found by a security researcher, who registered the domain name (see above) that the malware checks before spreading.  With the domain registered, the check now succeeds and new infections that can reach it halt instead of spreading.  The registration also “sinkholes” the traffic, that is, redirects the connection attempts from infected machines to a system the researcher controls, which shows which networks are still being hit.  The check must actually complete, though: hosts whose outbound HTTP is blocked, or that sit behind a proxy that does not pass the request through, still fail the check and keep spreading.
  • A variant dubbed WannaCry 2.0 has already been found using a different domain name to continue the spread of the malware.

Sunday, 05/14/17

  • Security experts are already seeing new strains of the malware, also dubbed WannaCry 2.0, without the “kill switch” described above.  The malware is expected to continue to spread through Monday.
    • PCIBlog.org will be sending critical updates to its subscribers as they happen
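Because the kill switch only stops a sample whose HTTP request completes, a proxy or DNS log is a quick way to find hosts where the dropper ran and to tell which of them were halted. The PowerShell below is an added example, not code from the original post: it sweeps proxy log lines for requests to the kill-switch domain and classifies each one. The domain is the one publicly reported for the first wave and is not taken from this page (later variants used other domains or none); the log lines are constructed for the example, in the form “timestamp client-ip host http-status”, with status 0 meaning the proxy could not complete the request.

```powershell
# Added example (not from the original post): sweep a proxy log export for requests to the
# WannaCry kill-switch domain. Any client that requested it ran the dropper; whether that client
# then went on to encrypt and spread depends on whether the request completed.
# Assumption (not from the page): the domain below is the one publicly reported as the
# first-wave kill switch. Later variants used other domains or none, so extend the list.
# The log lines are constructed for this example: "<timestamp> <client-ip> <host> <http-status>",
# with status 0 meaning the proxy could not complete the request.

$KillSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

$SampleLog = @'
2017-05-12T14:03:11Z 10.20.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0
2017-05-12T14:03:12Z 10.20.4.17 www.microsoft.com 200
2017-05-13T09:41:05Z 10.20.7.88 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200
2017-05-13T10:02:30Z 10.20.9.3 update.example.net 200
'@ -split "`n"

function Find-KillSwitchRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $Domains = $KillSwitchDomains
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $ts, $client, $hostName, $status = $line.Trim() -split '\s+', 4
        if ($Domains -notcontains $hostName.ToLowerInvariant()) { continue }

        $code = 0
        [void][int]::TryParse($status, [ref]$code)
        # The malware only stops if its HTTP request succeeds. A completed request (2xx/3xx)
        # means the sample hit the kill switch and exited; anything else means the check failed
        # and the worm went on to encrypt and scan for further victims.
        $outcome = if ($code -ge 200 -and $code -lt 400) { 'Halted by kill switch' } else { 'Kill switch unreachable: treat host as infected and spreading' }

        [pscustomobject]@{
            Time    = $ts
            Client  = $client
            Domain  = $hostName
            Status  = $code
            Outcome = $outcome
        }
    }
}

Find-KillSwitchRequests -LogLines $SampleLog | Format-Table -AutoSize
```

To run it against a real export, replace `$SampleLog` with `Get-Content` of the proxy log and adjust the field split to the log format. A DNS-only log cannot tell you whether the HTTP request completed, so any client that merely resolved the domain should be isolated and checked rather than assumed halted.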

Example of WannaCry Infection

What Do I Do?

  1. Immediately patch all unpatched Microsoft operating systems.  The fix is MS17-010; for the unsupported versions (Windows XP, Server 2003, etc.) use the out-of-band updates Microsoft published this weekend.  Download links for every OS type are in Microsoft’s customer guidance post linked above.
  2. Consider disabling SMBv1 on every host that does not need it.  The exploit targets SMBv1 only; SMBv2 and SMBv3 are not affected, and modern clients negotiate those anyway.  Until hosts are patched, also block inbound TCP port 445 at the perimeter and between network segments that do not need file sharing.
  3. Update anti-virus and anti-malware definitions.  Most anti-virus and anti-malware firms have released updated definitions that detect and block the WannaCry strain.
  4. If you do not have anti-virus or anti-malware software installed, enable Windows Defender, which is free and built into Windows 8 and later (Microsoft Security Essentials is the equivalent for Windows 7).
  5. Ensure systems are backed up, and that at least one copy is kept offline.  An offline backup is stored separately from the machine and is not reachable from it (a disconnected drive, or storage the host cannot write to), so an infected operating system cannot encrypt it.  A backup on a mapped network share or an always-connected drive is not offline: anything the infected host can write to is at risk.
  6. Review Microsoft’s post on the WannaCry malware strain (linked above) and the detailed write-up by Troy Hunt.
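The checks behind steps 1 to 4 can be run from an elevated PowerShell session.  The script below is an added example, not code from the original post or from Microsoft: it reports whether an MS17-010 update (or a later superseding rollup) is installed, whether the SMBv1 server is still enabled, and the state of Windows Defender, and only changes anything when run with `-Enforce`.  The per-SKU KB numbers are the ones from the March 2017 MS17-010 bulletin, listed here as an assumption to confirm against the bulletin for your SKU (the page itself cites only KB4012598); the “installed after 14 March 2017” heuristic assumes monthly rollups supersede the bulletin and is not a substitute for checking the bulletin.

```powershell
# Added example (not from the original post or from Microsoft): readiness check and optional
# hardening pass for steps 1-4 above. Run from an elevated PowerShell session.
# Assumptions, not from the page: the KB numbers below are the per-SKU MS17-010 updates from
# the March 2017 bulletin; hosts on monthly rollups may carry a newer superseding rollup
# instead, so any update installed on or after 2017-03-14 is treated as "likely patched".
# Confirm against the MS17-010 bulletin for your SKU. Nothing is changed unless -Enforce is passed.

$Ms17010Kbs = @(
    'KB4012598',                          # XP / Server 2003 / Vista / Server 2008 / Windows 8
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Patched {
    param([string[]] $Kbs = $Ms17010Kbs)
    $hotfixes = Get-HotFix
    $direct = @($hotfixes | Where-Object { $Kbs -contains $_.HotFixID })
    # Rollup servicing: anything installed on or after the March 2017 release supersedes it.
    $later  = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' })
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Ms17010Kbs    = ($direct.HotFixID -join ',')
        PostMarch2017 = ($later.Count -gt 0)
        LikelyPatched = ($direct.Count -gt 0 -or $later.Count -gt 0)
    }
}

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module;
    # older hosts use the LanmanServer "SMB1" registry value (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    # Server side: stop serving SMBv1, which is the protocol the worm exploits.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Client side (Microsoft's documented method): drop the SMBv1 redirector from the workstation service.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # A reboot is required for the change to take full effect.
}

function Get-DefenderState {
    # Get-MpComputerStatus exists on Windows 8.1 / Windows 10; it is absent on older hosts.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            RealTimeProtection = $s.RealTimeProtectionEnabled
            SignatureAgeDays   = $s.AntivirusSignatureAge
            SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        }
    } catch {
        [pscustomobject]@{ RealTimeProtection = 'n/a (no Defender module)'; SignatureAgeDays = $null; SignatureUpdated = $null }
    }
}

function Invoke-WannaCryReadinessCheck {
    param([switch] $Enforce)
    $patch = Test-Ms17010Patched
    $smb1  = Get-Smb1ServerState
    $av    = Get-DefenderState

    Write-Host ("MS17-010 patched (direct or superseding): {0}  [{1}]" -f $patch.LikelyPatched, $patch.Ms17010Kbs)
    Write-Host ("SMBv1 server enabled: {0}" -f $smb1)
    Write-Host ("Defender real-time: {0}; signatures {1} day(s) old" -f $av.RealTimeProtection, $av.SignatureAgeDays)

    if ($Enforce) {
        if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled; reboot required.' }
        if ($null -ne $av.SignatureAgeDays -and $av.SignatureAgeDays -gt 1) { Update-MpSignature }
    } elseif (-not $patch.LikelyPatched -or $smb1) {
        Write-Warning 'Host is exposed: apply MS17-010 for this SKU and re-run with -Enforce to disable SMBv1.'
    }
}

Invoke-WannaCryReadinessCheck            # report only
# Invoke-WannaCryReadinessCheck -Enforce # disable SMBv1 and refresh Defender signatures
```

Disabling SMBv1 is safe for most environments but breaks access to very old devices (for example, printers and NAS units that only speak SMBv1), so test on a few hosts first; on Windows 10 and Server 2016 the protocol can also be removed entirely as an optional feature.  The patch check is a convenience, not proof: confirm the installed update against the bulletin for each SKU before treating a host as covered.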

About PCI Blog
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.
