WannaCrypt Ransomware Information

This page was last updated at 11:30am on the 13th of May 2017

Background

On the 12th of May 2017 a new variant of Ransomware began spreading across networks. Initially reported as targeting health services, it quickly became clear that the threat was not confined to the healthcare sector and was rapidly spreading to organisations in all sectors and in many different countries. At this time the threat appears to be contained but is far from over. There remains a strong possibility that a new variant of this malware, or an entirely new strain of malware utilising the same techniques, will emerge over the coming days.

The information on this page is intended to help individuals understand the threat and IT administrators understand how to defend against it. We will update this information as and when we become aware of significant developments.

 

Information for End Users

Can't I Just Pay the Ransom And Get My Files Back?

2017-05-06 11:04:00

You could pay the ransom, however it is not easy to do so - the criminals behind this scam demand payment in Bitcoin, an electronic currency not readily available. In addition, there is absolutely no guarantee that paying the ransom will allow you to recover your files. You are dealing with criminals, and there are many reported instances of people paying the ransom and not receiving the decryption key.

Your best option is to reformat your computer and restore your files from a backup taken before the attack took place.

How Can I Avoid Getting Infected With The WannaCrypt Ransomware?

2017-05-13 10:54:00

The best way to avoid infection is to follow good practice when dealing with e-mail & using your computer.

  • Do not open attachments you are not expecting.
  • Do not click on links embedded into e-mail messages.
  • Always check the sender information carefully - email may not always be from who you think it's from!
  • Do not visit personal websites (for example webmail - hotmail, yahoo etc.) from work computers.
  • Make sure you are running up to date anti-virus. Contact IT support if you think your anti-virus is missing or out of date.

How Is the WannaCrypt Malware Spread?

2017-05-13 10:47:00

Primarily this malware spreads by e-mail. It is most frequently found as a link embedded within the message; when you click on the link your computer becomes infected with the malware. Once one computer on a network is infected, the infection can rapidly spread to other computers on the same network without your knowledge. This makes WannaCrypt a much more serious threat than other types of Ransomware have been.

What Does the WannaCrypt Ransomware Do?

2017-05-13 10:51:00

Once your machine is infected the WannaCrypt Ransomware will rapidly encrypt all the files on your computer, preventing you from opening them. It will also attempt to encrypt all files on any network shared drives you have access to and on any USB sticks or external storage devices it can find. Once the encryption process is finished it will display a notice demanding money to decrypt the files.

What Should I Do If I Think I May Be Infected?

2017-05-13 10:58:00

If you accidentally click on a link or open an attachment and think you may have become infected with the WannaCrypt ransomware you must act as soon as possible - do not wait for the warning message to appear on screen. If you wait until the message appears on your screen it is already too late - your files are encrypted by that point and may not be recoverable!

  • Switch off your computer at once. For desktop PCs, simply unplug the power cord. For laptops, hold down the power button until the laptop switches off. Do not perform a normal shutdown - this gives the Ransomware additional time to damage your files!
  • Contact your IT support team at once for help.
  • Do not switch your computer back on until you have been told it is safe to do so. If you do, the damage may worsen and could potentially spread to other machines in your office.

Information For IT Professionals

Can I Detect Or Block WannaCrypt?

Yes, to a certain extent. Most anti-virus utilities are now detecting WannaCrypt as malware and blocking its installation. Many commercial mail filtering services are likewise detecting and blocking infected attachments and mail containing links to known distribution points. Note that if you are using Office365 for e-mail, link scanning is NOT enabled by default; you will need to purchase this service separately from Microsoft.

Blocking attachments is useful but is not a guaranteed way to prevent infection.

If you have an Intrusion Detection/Prevention system on your network you should update the signatures immediately. The worm has a unique signature that can be detected and potentially blocked by a properly configured IDS/IPS system.

You can (and should if at all possible) disable SMBv1 on your network. The protocol is deprecated and disabling it effectively prevents the worm from spreading across your LAN.

Microsoft have issued patches for the vulnerability exploited by EternalBlue. For all currently supported systems you should run Windows Update to obtain and install the patches appropriate to your system. If you still have Windows XP machines, an emergency patch can be downloaded from https://blogs.technet.microsoft.com/msrc/2017/05/1...

Does The WannaCrypt Ransomware Drop Any Other Viruses Or Malware?

Yes. The WannaCrypt Ransomware also infects machines with another NSA-authored vulnerability, DoublePulsar. This is a remote access trojan which allows full access to infected computers from a remote network. Detection for DoublePulsar is still quite low and many anti-virus utilities will not detect it as yet. Detection rates are increasing as more vendors add it to their signature lists.

This malware may also drop other components, including TOR, and will add itself to the Windows registry to persist across system reboots (also unusual for Ransomware). There is provision within the software for it to remotely access and download additional modules at any time, so the capabilities of this malware may change rapidly.

How Can I Detect WannaCrypt?

There are a number of ways to detect the presence of WannaCrypt. It is probably best detected & prevented at the edge of the network, before it gets to users' PCs, but there are options to detect it even at that late stage.

At the Edge - Email Scanning, Web Filtering & IDS/IPS Systems

Like most malware, WannaCrypt has certain specific characteristics that can be used to target & identify it. You can:

  • Scan e-mail for links to known distribution points or infected attachments. Most good mail filters have already been updated to do this, so if you are not using one it would be a very good time to start!
  • Scan & block access to URLs known to be associated with the WannaCrypt malware. Again, good web filtering software deployed at the network boundary should be able to detect and block access to most URLs associated with this malware. Keeping such filters up to date is vital, as the distribution URLs can and do change frequently.
  • Watch for the signature 'call home' traffic all Ransomware generates. To obtain its encryption key, ransomware must communicate with a server run by the malware authors. Often these are hidden via TOR to make tracking by the authorities difficult, however this provides a relatively easy way for many admins to detect and block this class of malware. Set your firewall or IDS/IPS system to block access to TOR nodes and to alert you when such access is attempted - there are few businesses where TOR use is a daily event! By blocking this access many strains of Ransomware will be unable to obtain their encryption keys and so will fail to activate.
  • Set your IDS/IPS to detect and block the buffer overflow used by WannaCrypt to spread. This will not stop the initial infection but will limit the number of systems you will need to repair. It will also give you an early warning of an infected host being present on your network - always a worry with network aware worms & visiting laptops!
  • Deploy dedicated anti-ransomware tools to desktop PCs and servers. There are paid options from Sophos and Malwarebytes now as well as a free alternative from CyberReason. All of them have a relatively low system overhead and are very effective at detecting and stopping Ransomware infections.

How Does This Ransomware Spread And Why Is It Different?

The WannaCrypt Ransomware has three main vectors of distribution:

Email - Embedded Links
The first wave of infections is believed to have come from targeted e-mails (spear phishing) aimed at individuals within large organizations. These contained embedded links to the malware, which used one of a number of exploits to install onto users' PCs.

E-Mail - Attachments
There have been reports of infected attachments to e-mails being sent out in much the same way as during previous Ransomware attacks.

Network Transmission - MS17-010 (the EternalBlue vulnerability)

This Ransomware is unusual in that it actively spreads across local networks in the same way as a typical network worm. It exploits a vulnerability in the SMB v1 protocol to compromise unpatched Windows systems. This is the 'EternalBlue' vulnerability developed by the NSA and recently leaked online by The Shadow Brokers. Once a machine on a network is infected it will seek out other unpatched systems on the same network and infect them, making this a particularly difficult piece of malware to remove.
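
The worm behaviour described above gives defenders a simple network signal: one internal host opening SMB (TCP port 445) connections to many different peers in a short time. The following Python is an added example, not part of the original page; the log field order (modelled on the Windows Firewall log), the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed field order (modelled on the Windows
# Firewall log): date time action protocol src-ip dst-ip src-port dst-port
SAMPLE = (
    ["#Fields: date time action protocol src-ip dst-ip src-port dst-port"]
    # One workstation contacting 20 different peers on port 445 in 20 seconds
    + [f"2017-05-13 10:47:{i:02d} ALLOW TCP 10.0.0.23 10.0.0.{100 + i} {49152 + i} 445"
       for i in range(20)]
    # A normal client using two file servers over the course of an hour
    + [f"2017-05-13 10:{m:02d}:00 ALLOW TCP 10.0.0.40 10.0.0.{5 + (m // 10) % 2} 50000 445"
       for m in range(0, 60, 10)]
    # Non-SMB traffic and a malformed line, both of which must be ignored
    + ["2017-05-13 10:47:05 ALLOW TCP 10.0.0.23 203.0.113.9 50100 443", "garbage line"]
)

def parse_smb(lines):
    """Yield (timestamp, source, destination) for TCP connections to port 445."""
    for line in lines:
        f = line.split()
        if line.startswith("#") or len(f) < 8 or f[3] != "TCP" or f[7] != "445":
            continue
        try:
            ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        yield ts, f[4], f[5]

def smb_fanout(lines, max_peers=5, window=timedelta(seconds=60)):
    """Return {source: peak distinct SMB peers inside any window} for every
    source whose peak exceeds max_peers."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(parse_smb(lines)):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        start = peak = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of `end`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak > max_peers:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for host, peers in smb_fanout(SAMPLE).items():
        print(f"ALERT {host} contacted {peers} SMB peers within 60 seconds")
```

File servers, backup hosts and vulnerability scanners legitimately contact many SMB peers, so tune max_peers for your network and exclude those hosts before alerting on the result.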

Recommendations For Remediating Infected Networks

If you are dealing with a WannaCrypt infected network you will need to take aggressive measures to control the spread of the malware before attempting to clean the network.

  • Switch off all known infected machines & remove them from the network.
  • Monitor for any further signs of infection. If any are present you will need to shut down the entire network to prevent further spread of the malware.
  • Isolate all network servers, check for signs of direct infection. This is unlikely but due to the worm-like capabilities of the malware, possible. If a server is infected it will need to be completely rebuilt.
  • Once servers are clean & malware free, restore server data from backups.
  • Reformat each infected PC, update with current patches on an isolated network and return the system to production.
  • Clean your mail spool - check all mailboxes for messages containing the malware and remove them. Alternatively, if this is not practical, instruct your users to exercise extreme care with e-mail and to delete any suspect messages unopened.
  • Update all anti-virus and mail filtering tools regularly to limit the risk of reinfection.

WannaCrypt & Networks - The Kill Switch

WannaCrypt is unusual in that it contains a network aware component which actively seeks out vulnerable machines and spreads between them without human intervention. This is based on the 'Eternal Blue' vulnerability stolen from the NSA and recently released online by Shadow Brokers. The actual vulnerability is addressed in Microsoft Security Bulletin MS17-010 and is a buffer overflow attack against the SMBv1 protocol. SMBv1 has been deprecated for some time and many networks can safely disable it.

In addition, a security researcher discovered a hidden 'Kill Switch' within the Eternal Blue exploit code that, when activated, prevents the code from spreading over networks. This kill switch, a long and seemingly random URL, was activated last night and has dramatically slowed, if not completely halted, the spread of the WannaCrypt worm.

While undoubtedly helpful, the presence of the kill switch should not be relied upon - it is possible and even likely that malware will emerge in the near future targeting the same vulnerability and without the 'kill switch' functionality enabled. It's best to use this as a good reason to patch, update and secure your systems as best you can - there is undoubtedly worse still to come.

What Does This Ransomware Do?

WannaCrypt will, if successfully executed on any system within your network:

  • Encrypt all local files on the machines that are infected.
  • Encrypt all files on removable storage or network shares that are accessible from an infected machine.
  • Install additional malware, including a RAT, onto all infected machines and attempt to persist across reboots.
  • Attempt to spread to multiple machines within your LAN using a vulnerability in Windows SMB networking.