Live incident blog: Global Ransomware outbreak

NCC Group has been contacted by a number of clients this afternoon about widespread Ransomware outbreaks.

Incidents are affecting a number of sectors, notably the NHS as widely reported in the UK media: http://www.bbc.co.uk/news/health-39899646.

What is known?

  • Machines are being infected with WanaCrypt0r 2.0 (previously versions were known as WCry and WannaCry).
  • Attacks are being carried out in part using tools/code from the recent Shadow Brokers dump, notably the ETERNALBLUE exploit which is addressed in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
  • Payment is demanded in Bitcoin. Reported values are $300 (£230) per infected machine.
  • Public reporting suggests incidents across a number of sectors, nationally and internationally, including the NHS.
  • The malware downloads Tor from dist.torproject.org over SSL/TLS.

Preventing infection

System administrators and security teams should apply best practices, including:

  • Ensuring that all systems are fully patched
  • Preventing access to services such as RDP and SMB on internet facing computers
  • Disabling outdated protocols including SMBv1
  • Updating outdated operating systems with MS17-010 including XP, Windows Server 2003 and Windows 8 with newly released patches from Microsoft: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Isolating unsupported systems where possible with further security controls
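The following is an added example, not part of the NCC Group post: a PowerShell audit of one Windows host against the steps above (SMBv1 disabled, inbound SMB and RDP blocked on internet-facing profiles, MS17-010 installed), with an optional -Fix switch for the first two. It assumes Windows 8 / Server 2012 or later (for the SmbShare and NetSecurity modules), an elevated prompt, and that the administrator fills $RequiredKbs from the MS17-010 bulletin for the host's OS; the default value is a placeholder.

```powershell
# Added example (not from the NCC Group advisory): audit and optionally
# harden one Windows host against the WanaCrypt0r/ETERNALBLUE SMB vector.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
param(
    # Placeholder: replace with the MS17-010 KB article IDs for this OS.
    [string[]]$RequiredKbs = @('KB<from MS17-010 bulletin>'),
    [switch]$Fix
)

$findings = @()

# 1. SMBv1 on the server side (the protocol ETERNALBLUE targets).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Inbound SMB (445) and RDP (3389) blocked on the Public profile so an
#    internet-facing interface does not expose either service.
foreach ($port in 445, 3389) {
    $name = "Block inbound TCP $port (Public)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        $findings += "No rule blocking inbound TCP $port on the Public profile"
        if ($Fix) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Profile Public -Action Block | Out-Null
        }
    }
}

# 3. MS17-010: at least one of the bulletin's KBs for this OS must be present.
$installed = (Get-HotFix).HotFixID
if (-not ($RequiredKbs | Where-Object { $installed -contains $_ })) {
    $findings += "None of the MS17-010 updates ($($RequiredKbs -join ', ')) is installed"
}

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings }
```

Run without -Fix first to see the findings; the patch check only reports, since update installation should go through normal change control.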

Infection vectors

NCC Group’s Fox-IT team has identified the following infection vectors - https://blog.fox-it.com/2017/05/12/massive-outbreak-of-ransomware-variant-infects-large-amounts-of-computers-around-the-world/

One of the confirmed infection vectors is the use of the ETERNALBLUE exploit against machines that have SMB exposed directly to the internet.

The other - at the moment unconfirmed - infection vector appears to be:

  1. An e-mail containing a link or a PDF file with a similar link which retrieves a .hta file. For example: hxxp://www.rentasyventas.com/incluir/rk/imagenes.html?retencion=081525418
  2. The .hta file retrieves a payload, which will retrieve or install the malware. For example: hxxp://graficagbin.com.br/loja/q.hta

Fox-IT is still in the process of verifying the initial infection vector.

Detecting potential malicious activity

Technical defenders can use intrusion detection rules to detect this activity. Customers of NCC Group’s managed network threat monitoring are already covered by rules for ETERNALBLUE exploit attempts.

If a machine is suspected to be infected, removing it from the network should be a key consideration, subject to business impact, in order to prevent further infection.

What else should you do?

  • Customers in the healthcare sector should follow national guidance, including advice from the NHS and National Cyber Security Centre (NCSC).
  • UK customers with access to the Cyber Information Sharing Platform (CiSP) should check it regularly for updates.
  • NCC Group customers requiring further advice or information should contact our 24/7 incident response line on +44 (0)161 209 5148.

FAQs

NCC Group’s Fox-IT team has published an FAQ about the Ransomware outbreak: https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/

Published date:  12 May 2017

Written by:  David Cannings
