Live incident blog: Global Ransomware outbreak
NCC Group has been contacted by a number of clients this afternoon about widespread Ransomware outbreaks.
Incidents are affecting a number of sectors, notably the NHS as widely reported in the UK media: http://www.bbc.co.uk/news/health-39899646.
What is known?
- Machines are being infected with WanaCrypt0r 2.0 (previous versions were known as WCry and WannaCry).
- Attacks are being carried out in part using tools/code from the recent Shadow Brokers dump, notably the ETERNALBLUE exploit which is addressed in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
- Payment is demanded in Bitcoin. Reported values are $300 (£230) per infected machine.
- Public reporting suggests incidents across a number of sectors, nationally and internationally, including the NHS.
- The malware downloads Tor from dist.torproject.org over SSL/TLS.
System administrators and security teams should apply best practices, including:
- Ensuring that all systems are fully patched
- Preventing access to services such as RDP and SMB on internet-facing computers
- Disabling outdated protocols including SMBv1
- Applying the newly released Microsoft patches for MS17-010 to outdated operating systems, including Windows XP, Windows Server 2003 and Windows 8: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Isolating unsupported systems where possible with further security controls
NCC Group’s Fox-IT team has identified the following infection vectors - https://blog.fox-it.com/2017/05/12/massive-outbreak-of-ransomware-variant-infects-large-amounts-of-computers-around-the-world/
One of the confirmed infection vectors is the usage of the ETERNALBLUE exploit directly on machines which have SMB directly exposed to the internet.
The other infection vector, unconfirmed at the time of writing, appears to be:
- An e-mail containing a link or a PDF file with a similar link which retrieves a .hta file. For example: hxxp://www.rentasyventas.com/incluir/rk/imagenes.html?retencion=081525418
- The .hta file retrieves a payload, which will retrieve or install the malware. For example: hxxp://graficagbin.com.br/loja/q.hta
Fox-IT is still in the process of verifying the initial infection vector.
Detecting potential malicious activity
Technical defenders can use intrusion detection rules to detect this activity. Customers of NCC Group’s managed network threat monitoring are already covered by rules for ETERNALBLUE exploit attempts.
- Emerging Threats signature ID 2024220 can be used to detect ETERNALBLUE activity.
- Monitoring for outbound connections to dist.torproject.org.
- Customers of Cisco’s VRT feed can review the relevant signature IDs on the Cisco blog: http://blog.talosintelligence.com/2017/04/shadow-brokers.html
If a machine is suspected to be infected, removing it from the network to prevent further infection should be a key consideration, weighed against the business impact.
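As an added illustration of the two network checks listed above (example code, not NCC Group's or Fox-IT's tooling), the following Python screens proxy and firewall log lines for outbound fetches from dist.torproject.org and for SMB (TCP 445) sessions reaching hosts from outside the internal address ranges. The log formats, the internal ranges and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Indicators named in the advisory: the Tor download host and SMB (TCP 445).
TOR_HOST = "dist.torproject.org"
SMB_PORT = 445
# Assumed internal address space (RFC 1918 plus loopback); adjust to your estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample logs (not real captures); the line formats are assumed.
PROXY_LOG = """\
2017-05-12T14:02:11Z 10.20.30.41 CONNECT dist.torproject.org:443 200
2017-05-12T14:02:13Z 10.20.30.41 GET http://www.microsoft.com/ 200
2017-05-12T14:05:40Z 10.20.30.77 CONNECT dist.torproject.org:443 200
"""
FIREWALL_LOG = """\
2017-05-12T13:58:02Z ALLOW TCP 203.0.113.9:51234 -> 192.0.2.15:445
2017-05-12T13:58:05Z ALLOW TCP 10.20.30.41:49876 -> 10.20.30.5:445
2017-05-12T13:59:10Z DENY TCP 198.51.100.23:4444 -> 192.0.2.15:445
"""

PROXY_RE = re.compile(r"^(\S+) (?P<src>\S+) (?P<method>\S+) (?P<target>\S+) (\d+)$")
FW_RE = re.compile(r"^(\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def tor_download_clients(proxy_log: str) -> list:
    """Internal hosts that fetched from dist.torproject.org (sorted, de-duplicated)."""
    hits = set()
    for m in filter(None, map(PROXY_RE.match, proxy_log.splitlines())):
        # CONNECT lines carry host:port; plain requests carry a full URL.
        host = re.sub(r"^\w+://", "", m["target"]).split("/")[0].split(":")[0]
        if host.lower() == TOR_HOST:
            hits.add(m["src"])
    return sorted(hits)

def exposed_smb_sessions(fw_log: str) -> list:
    """Allowed TCP/445 sessions whose source lies outside the internal ranges."""
    hits = []
    for m in filter(None, map(FW_RE.match, fw_log.splitlines())):
        if (m["action"] == "ALLOW" and m["proto"] == "TCP"
                and int(m["dport"]) == SMB_PORT and not is_internal(m["src"])):
            hits.append((m["src"], m["dst"]))
    return hits
```

Hosts returned by tor_download_clients are candidates for the network isolation step described above; a non-empty result from exposed_smb_sessions shows that perimeter filtering of TCP 445 is not in place.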
What else should you do?
- Customers in the healthcare sector should follow national guidance, including advice from the NHS and National Cyber Security Centre (NCSC).
- UK customers with access to the Cyber Information Sharing Platform (CiSP) should check it regularly for updates.
- NCC Group customers requiring further advice or information should contact our 24/7 incident response line on +44 (0)161 209 5148.
NCC Group’s Fox-IT team has published an FAQ about the Ransomware outbreak: https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/
Published date: 12 May 2017
Written by: David Cannings