On 12 May 2017 a new ransomware strain, detected as Ransom.Wannacry and initially classified as a variant of the Ransom.CryptXXX family, began spreading widely, hitting a massive number of businesses and government bodies, including thousands in Asian countries such as China, Hong Kong and Japan, and is likely to keep spreading.
The South China Morning Post reported that in China almost 30,000 organizations were affected, with universities hit hardest.
In Hong Kong, companies had been attacked 48 times on average from seven countries since Friday, the Post reports, citing Network Box Corp, an international managed security services provider that protects 1,700 key Hong Kong organizations from cyberattacks.
Japan's National Police Agency reported two infections of computers in the country on Sunday, one at a hospital and the other involving a private individual, but no loss of funds, Reuters reports.
Industrial conglomerate Hitachi Ltd. said the attack had affected its systems, preventing workers from receiving and sending e-mails or opening attachments in some cases.
Demands ransom payment in the form of Bitcoin
WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoin. The ransom note states that the amount will double after three days and threatens that the encrypted files will be deleted if payment is not made within seven days.
WannaCry can spread itself within corporate networks, without any user interaction, by exploiting a known vulnerability in the SMBv1 file-sharing service of Microsoft Windows.
“This ransomware is being referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r,” wrote Aamir Lakhani, Senior Security Strategist, Fortinet, in a blog post.
Lakhani said affected Microsoft products include: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows Server 2016, and Windows Server Core installation option.
Microsoft had already released a critical patch for this vulnerability in March 2017, in Microsoft Security Bulletin MS17-010, two months before the outbreak; machines that had applied it were not exploitable by the worm.
According to Cisco Talos, the malware scans heavily over TCP port 445 (Server Message Block, SMB) and spreads like a worm: it compromises hosts, encrypts the files stored on them and then demands a ransom payment.
Importantly, this is not a threat that only scans internal address ranges for hosts to infect; it also spreads to vulnerable externally facing hosts across the internet.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware.
This backdoor is typically installed following successful exploitation of the SMB vulnerabilities addressed in Microsoft Security Bulletin MS17-010. It belongs to an offensive exploitation framework contained in the cache that the Shadow Brokers recently released to the public. Since that release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.
WannaCry does not rely solely on the ETERNALBLUE exploit from this framework. It first scans accessible hosts for the presence of the DOUBLEPULSAR backdoor; where it finds a host that has already been implanted, it simply uses the existing backdoor functionality to load WannaCry onto that system.
Where the system has not previously been compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the source of the worm-like activity that has been observed across the internet.
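As an added illustration, not part of the original article or of Talos' analysis, the following Python script shows one way a security operations team could hunt for the worm-like SMB fan-out described above in firewall or flow logs: it flags any host that opens SMB connections to an unusually large number of distinct destinations within a short window, and reports which of those destinations lie outside the organization's own address space, since the worm also attacks externally facing hosts. The flow record format, the RFC 1918 ranges treated as internal, the 60-second window and the threshold of 20 distinct targets are all assumptions, and the sample log lines are constructed for the example.

```python
"""Hunt for worm-like SMB fan-out in flow logs (added example, not from the article).

Assumed record format, one flow per line:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}                 # the SMB ports Talos recommends blocking at the edge
WINDOW = timedelta(seconds=60)         # assumed detection window
FANOUT_THRESHOLD = 20                  # assumed: distinct SMB targets per source per window

# Assumed: the organization's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, proto); blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def smb_fanout(text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: alert} for every source that contacts at least `threshold`
    distinct hosts on SMB ports inside some `window`-long span of its traffic."""
    per_src = defaultdict(list)
    for ts, src, dst, port, proto in parse_flows(text):
        if proto == "tcp" and port in SMB_PORTS:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best, start = set(), 0
        # Slide a time window over the ordered events; keep the window with most targets.
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            alerts[src] = {
                "distinct_targets": len(best),
                "external_targets": sorted(t for t in best if not is_internal(t)),
            }
    return alerts


def build_sample_log():
    """Constructed sample: one benign workstation and one host sweeping SMB."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = ["# constructed flow records"]
    # Benign: a workstation talking to its two file servers over five minutes.
    for i in range(10):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.1.5 10.0.1.{20 + i % 2} 445 tcp")
    # Worm-like: one host hits 20 internal and 5 internet hosts on 445 within 25 seconds.
    for i in range(25):
        t = base + timedelta(seconds=i)
        dst = f"10.0.2.{i + 1}" if i < 20 else f"203.0.113.{i + 1}"
        lines.append(f"{t.isoformat()} 10.0.1.77 {dst} 445 tcp")
    # Non-SMB traffic from the same host is ignored by the detector.
    lines.append(f"{base.isoformat()} 10.0.1.77 10.0.1.1 80 tcp")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, alert in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {alert['distinct_targets']} distinct SMB targets within "
              f"{int(WINDOW.total_seconds())}s; external: {alert['external_targets']}")
```

On the constructed log the benign workstation (two file servers, ten connections) stays silent while 10.0.1.77 is flagged with 25 distinct SMB targets, five of them outside the internal ranges. In production the threshold should be tuned against a baseline of legitimate SMB fan-out (backup servers, patch distribution points and vulnerability scanners will exceed it and belong on an allow-list), and any hit on an external target is worth an immediate check of whether port 445 is actually reachable through the perimeter.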
What to do
So what should you do if the WannaCry ransom message appears on your screen?
“Once the encryption process starts, there is little the user can do, as it happens very quickly,” says Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan.
Savvides noted that it is unlikely that the user will notice the ransomware is encrypting until it’s too late.
If the user realizes in the seconds after running the malware, they may attempt to power off the machine, then use an external boot disk to boot the machine and run a cleaner tool like Norton Power Eraser. This may prevent the ransomware from encrypting all the files.
“Any computer that has been infected should not be trusted,” adds Savvides. Savvides adds that tools like Norton Power Eraser or Norton Internet Security may be able to remove the infection, but the files will still be encrypted. He notes that it is always best to restore the computer either from a backup, or reset to factory using a recovery disk and then immediately update and apply all patches.
“These are important steps, as we have seen ransomware, that not just ransoms the users’ files, but also installs banking Trojans to clean out the users’ bank accounts, typically capturing the users’ banking details when they log into their bank to pay the ransom. If the back-ups were not encrypted by the ransomware, it is unlikely that the files were infected.”
Savvides emphasized that paying criminals is never recommended, as it feeds them and rewards them for their crimes. “There is also no guarantee that your files will be released back to you.”
Cisco Talos also notes that organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. In addition, organizations should block the SMB ports (TCP 139 and 445) on all externally accessible hosts so that they cannot be reached from the internet.
Rising number of attacks
The average ransom demand per victim grew to $1,077 in 2016, up from $294 in 2015 (a 266% increase). Ransomware attacks grew to 463,841 in 2016, up from 340,665 in 2015 (a 36% increase).
More than 70 percent of malware attacks on the healthcare industry were ransomware in 2016, including hospitals, pharmacies and insurance agencies.
1 in 131 emails contained a malicious link or attachment in 2016 – the highest rate in five years.
There was a two-fold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average device was attacked once every two minutes.
Best practices for protecting against ransomware
- Always keep your security software up to date so that it can protect you against newly emerging ransomware variants.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
- Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
- Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.