WCry Ransomware Campaign

For the past week, a self-propagating worm has held both critical data and the public's attention captive around the globe as reports rose of widespread outbreak, spanning several continents, of the WCry ransomware. What makes this particular attack so threatening is not just the ransomware encrypting sensitive files on compromised computers, but the effectiveness of the worm targeting Server Message Block (SMB), the core Windows protocol that allows file and printer sharing. News outlets have reported that WCry infections have spread to more than 200,000 computers[1] in 150 countries.

What is the impact on businesses and consumers?

The WCry ransomware is used to encrypt users' data files, and the threat actors are demanding a payment of US$300 or US$600 ransom in Bitcoins to get the files released. The ransom note states that the victim has three days to submit payment and after three days the ransom will double. The threat actors also threaten that the files will be unrecoverable after seven days. To date, we are not aware of any victims receiving decryption keys for their files.

The initial economic impact appears to be far greater than the ransom payment. According to news reports, some of the business and consumer fallout thus far has ranged from a car manufacturer halting the production of their automobiles at multiple plants to the untimely re-routing of patients from British hospitals[2] (the hospitals' operations were reportedly disrupted because of the encryption of their files). In addition to lost revenue and productivity from downtime, experts are also speculating that businesses compromised by ransomware attacks may be more vulnerable to compliance risks and liability, according to a new story in the Wall Street Journal[3].

How is the WCry ransomware spreading?

The WCry ransomware campaign has two ways of spreading.

Security researchers have yet to determine how the SMB Worm, that installs the WCry ransomware, was delivered to patient-zero. However, what we do know is that the SMB worm aggressively attacks nearby computers on the local network and also scans the broader Internet for additional victim computers that will answer to SMB v1 requests. If a targeted computer answers, the worm will do the following:

1. Check for the presence of the DOUBLE PULSAR backdoor. If a DOUBLE PULSAR compromised computer is detected, the SMB worm is promptly uploaded and executed. The worm then installs and executes the WCry ransomware.
2. If the target does not have the DOUBLE PULSAR backdoor present, the SMB worm tries attacking the target with the ETERNAL BLUE exploit. This exploit leverages the CVE-2017-0144[4] vulnerability in the SMB v1 protocol. Once the system is compromised, the SMB worm is uploaded, and the worm installs and executes the WCry ransomware.

Both the ETERNAL BLUE exploit and the DOUBLE PULSAR backdoor were part of the leak of exploits[5] released by the Shadow Brokers threat group in April.

How to Protect Against the WCry Ransomware Attacks

Although there have been reports that many organizations and individual computer users, in all parts of the globe, have been hit by the WCry campaign, there are steps you can take to protect your IT environment before the WCry ransomware holds your files hostage, including:

• Apply the MS17-010[6] Microsoft Update from March 2017. This patch addresses the vulnerability leveraged by this worm, as well as other vulnerabilities in the Shadow Brokers'[7] April release. Microsoft also released these security updates[8] for systems running Windows XP and Windows Server 2003 legacy operating systems.
• Ensure that all your systems are protected by firewalls, configured to block any connection request for SMB from the greater Internet.
• Use network auditing tools (such as Nmap, Nessus, or Qualys) to scan your networks to locate all computers exploitable by the vulnerabilities described in MS17-010 and find any instances of the DOUBLE PULSAR backdoor.
• Disable SMB v1 on systems where it is not facilitating business-critical functions (e.g., hosts that do not need to communicate with Windows XP and Windows 2000 systems). For systems that do need to communicate with Windows XP and 2000 systems, carefully evaluate the need for allowing SMB v1-capable systems on interconnected networks, compared to the associated risks.
• Segment your networks to isolate computers and servers that cannot be patched, and block SMB v1 from traversing those network boundaries.
• Regularly back up data with offline backup media. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because many types of ransomware discover these file shares and drives.
• Although the recommendation to apply the patch for the SMB v1 vulnerability is the first security step mentioned in this blog, we cannot reiterate how important patch management is to helping protect one's critical systems from the WCry ransomware threat, as well as from other cyber threats. It is critical that as soon as patches become available you install updates for your computer systems' firmware and software, including operating systems, Internet browsers, and browser plugins. One ironic note, in SecureWorks' 2017 Ransomware Defense Survey, 42 percent of those surveyed said they expect to invest more in patching in 2017 due to ransomware threats. The WCry campaign should send the message home that investing in prompt and regular patching" is not a "nice to have" but a "must have."
• Implement an Advanced Malware Protection and Detection solution, which will inspect all email, file and web traffic, immediately sending any suspicious traffic, email attachments and links through an analytics engine looking for malicious code before delivering it to the end user.
• Implement an advanced endpoint agent solution to quickly detect, respond and mitigate attacks on each computer.
• Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.

What if the WCry Ransomware Has Encrypted My Critical Files?

If your organization has been hit by the WCry campaign and the hackers have encrypted some or all of your critical files, and you do not have backups of these files, what do you do?

In cases of ransomware or extortion, we advise not to pay the hackers, so as not to perpetuate the criminal practice of ransomware and extortion. However, ultimately it is up to your management to determine whether you can keep your organization running without having access to the hijacked files. In the case of the WCry ransomware, we are not aware of any victims receiving decryption keys for their files.

It's Not Time to Let Your Guard Down - Be Prepared for the Next Cyber Threat

While the WCry infections appear to have slowed, the WCry attackers, as well as copycat attackers, are a real threat, and our alert level remains high.

One reason is that this WCry campaign has revived the threat of Internet-scale worms. There are a number of recently publicized vulnerabilities that are wormable. Organizations need to be prepared to protect against these potential threats. From the Shadow Brokers' dumps, these include 'ESTEEM AUDIT,' an exploit for a Microsoft Windows Server 2003/Windows XP RDP vulnerability, and 'Exploding Can', an exploit taking advantage of a Microsoft Internet Information Services (IIS) 6.0 Buffer Overflow Vulnerability. In both cases, a patch is not currently available. Organizations should seriously consider upgrading to currently supported software if possible, or separating those vulnerable hosts to a separate network.

There are a number of other vulnerabilities which could be leveraged by Internet Worms, including some that have been discovered by Project Zero. This includes CVE-2017-0160[9] – a vulnerability in the .NET framework. A patch is available for this vulnerability, and enterprises should apply it where applicable.

One of the key takeaways from the WCry ransomware incident is that with any cyber threat, a good defensive program requires mapping your actions to the tactics of the threat. In this case, that process includes swift and specific countermeasures, as well as basic cybersecurity and IT hygiene. It is important to educate all relevant stakeholders, including those in the C-suite in order to achieve buy-in for preventative measures that may impact operations.

This post contains information but not specific advice about your company or its security situation.

---