Ransomware called WannaCryptor spread rapidly around the world today, encrypting files in as many as 100 countries by using the leaked NSA eternalblue SMB exploit.
That escalated quickly! For those of you who did not read any news on Friday (or had your heads in the sand), you need to know that a massive tidal wave of malware just struck Planet Earth, creating gigantic waves in the information security sphere and even bigger waves for the victims.
The culprit? New ransomware, named WannaCryptor, but also referred to as WannaCry or Wcrypt by other security vendors and in the media, has been spreading rapidly. One reason for the speed at which this malware is spreading appears to be the way it utilizing the eternalblue SMB exploit, part of a large collection of files that leaked from America’s National Security Agency (NSA).
Fortunately, ESET clients were already protected by ESET’s network protection module. This had been blocking attempts to exploit the leaked vulnerability at the network level well before this particular malware was even created. On Friday, ESET increased the protection level for this specific threat via the Win32/Filecoder.WannaCryptor.D update to the detection engine (15404, May-12-2017, 13:20 UTC/GMT +02:00). Prior to that, ESET LiveGrid had begun protecting against this particular attack starting around 11:26AM (UTC/GMT +02:00).
Unlike most encrypting-type malware, WannaCryptor has wormlike capabilities, allowing it to spread by itself. As a result, it has spread very quickly indeed. This is what victims of the English language version see:
The story started in Spain’s telecom sector and quickly spread from that point, onward and outward. Reports of healthcare related organizations being affected in the UK began to appeared, plus various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals, and schools. Here it is in Italian:
The worst issue that is being dealt with by victims is this: the files touched by the attack are encrypted and the attacker is the only source for the key to reverse that. This can have dire consequences, especially in the healthcare sector. Encrypted patient records, doctor’s files and other items may not be usable or accessible unless there is a good backup to restore from.
The ransom that has been demanded for decryption of the files appears to be about $300, which is actually lower than other ransomware we have seen, but the true cost will be all the time, lost files, and other collateral damage caused by this malware.
There is also another theme emerging in the wake of this outbreak: Responsibility. The exploit that is being used, eternalblue, is openly available for download from a multitude of forums. I am all for research; however, providing a well-built exploit on a public forum that can affect hundreds of thousands of active machines seems a bit much, at least from where I am sitting currently. What happened to RESPONSIBLE disclosure???
The Responsible response
Fortunately, to protect yourself against this latest threat, there is much that you can do, and you should probably get started sooner rather than later:
- Install Anti-malware Software – You may have heard this over and over, and it seems very repetitive mentioning it now. However, if I had not encountered multiple instances where I was told, “It is a server, and we have firewalls, so I will leave anti-malware off of this machine” or “I have too many problems to install antivirus on this server”, I would not mention it. But, that has happened. So, I am stating it. Please install reputable anti-malware and give yourself a fighting chance at stopping this before you are affected. For example, as noted earlier, the ESET network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created.
- Update Your Windows Machines – Please! I know that patches can be very, very difficult to get deployed across the entire network. This one, you will want to install. It has been available since mid-April and actually stops the exploit from gaining a foothold in your environment. The patch listing for the entire listing of Equation Group files can be located here.
- Be Intelligent! – As a person who researches infections, exploits and various other information security related items, knowing is half the battle. Especially when items are being leaked and created in this kind of rapid-fire fashion. Using Threat Intelligence , I was able to create the appropriate YARA rules that identified the droppers, files and characteristics pertaining to the Equation Groups leaked exploitation files. There has been a LOT of detections of these objects. My dashboard lit up like a Christmas tree within the last few weeks, and I do not expect it to stop anytime soon. This kind of intel, and more importantly, the feeds that are provided, could help you to make better decisions on what to protect and how to protect it (as in apply MS patches, are they targeting MY business, etc.)
Updates & more info about WannaCryptor
There is more on the WannaCryptor threat, and ESET-specific protection strategies, in this ESET Knowledge Base article. To check on the amounts that the malicious actors have received in bitcoin funds from this outrage, you can check this link.
Update 2 – May 14: You may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘How to accidentally stop a global cyber-attack‘.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. Indeed, there are already reports of updates to the malware that don’t include a ‘kill switch’. In other words, if you still haven’t patched yet, getting patching!
Update 1 – May 13: If you have Windows XP, Windows 8 or Windows Server 2003 machines, for which no equivalent patch was made available back in March, you are in luck; unusually, due to the seriousness of the WannaCryptor outbreak, Microsoft has publicly released updates for those OS versions. These updates would normally only be made available to those on custom support agreements that allow them to continue to get updates for OS versions no longer publicly supported. If you have such systems but they cannot be updated for regulatory or compliance reasons (for example), then carefully consider how to isolate those machines from the network long-term.