Published June 1, 2017
On May 15, 2017, UBIT was notified by the FBI’s Buffalo Office for the Private Sector of a vast ransomware campaign called WannaCry targeting organizations in as many as 99 different countries.
Frequently delivered through spearphishing emails, ransomware is a class of malware that targets the critical data and systems of businesses, individuals and government networks. The malware uses encryption to lock victims out of their own data or systems, then prompts victims to make a ransom payment to the hacker or hacker group responsible for the attack.
Since the attackers do not always hand over decryption keys once the ransom is paid, victims often incur further costs restoring their systems and files. Beyond the financial loss, a ransomware attack can mean permanent loss of sensitive information and damage to the affected organization's reputation.
The variant used in these attacks, known as WannaCry, WCry or Wanna Decryptor, was first seen on May 12, 2017. Its worm component spreads between Windows hosts by exploiting a vulnerability in the SMB (Server Message Block) file-sharing protocol (MS17-010, the flaw used by the EternalBlue exploit); early reporting also cited exposed RDP (Remote Desktop Protocol) services and phishing email as possible ways into a network.
WannaCry encrypts files on the victim's system with 128-bit AES (Advanced Encryption Standard), generating a fresh random key for each file; the per-file keys are in turn protected with RSA so that only the attackers' private key can unwrap them, which is what makes decryption without the attackers' cooperation infeasible. It attempts to spread laterally by connecting to IPC$ shares and SMB resources on the victim's network. The ransomware DLL itself is carried inside the launcher in encrypted form and loaded directly into memory rather than written to disk, which keeps it out of reach of antivirus file scans.
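The key handling just described, as an added illustration for this advisory (a model written for this page, not WannaCry's code and not UBIT tooling): a per-file random AES-128 key, wrapped under an RSA public key whose private half only the attacker holds. It works on three constructed in-memory byte strings and never touches the file system. The "attacker" key pair and the sample file contents are assumptions made up for the demonstration.

```powershell
# Attacker key pair (constructed here). Only the public half ships with the malware; the
# private half never leaves the attacker, which is the whole basis of the ransom demand.
$attacker   = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$publicOnly.ImportParameters($attacker.ExportParameters($false))   # $false: public parameters only

function Protect-Blob {
    param([byte[]]$Plain, [System.Security.Cryptography.RSACryptoServiceProvider]$Public)
    # A fresh random 128-bit AES key (and IV) for every file, as the advisory describes.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.GenerateKey()
    $aes.GenerateIV()
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # The file key is wrapped under the attacker's public key (RSA-OAEP) and stored
    # beside the ciphertext; the bare key is then discarded.
    $wrapped = $Public.Encrypt($aes.Key, $true)    # $true selects OAEP padding
    $iv = $aes.IV
    $aes.Dispose()
    [pscustomobject]@{ IV = $iv; WrappedKey = $wrapped; CipherText = $cipherText }
}

function Unprotect-Blob {
    param($Blob, [System.Security.Cryptography.RSACryptoServiceProvider]$Private)
    # Unwrapping the file key needs the RSA private key, which the victim never has.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Private.Decrypt($Blob.WrappedKey, $true)
    $aes.IV  = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    $aes.Dispose()
    Write-Output -NoEnumerate $plain
}

# Constructed sample "files" (in memory only).
$files = [ordered]@{
    'thesis.docx' = [Text.Encoding]::UTF8.GetBytes('Chapter 1: Introduction')
    'grades.xlsx' = [Text.Encoding]::UTF8.GetBytes('student,grade')
    'notes.txt'   = [Text.Encoding]::UTF8.GetBytes('call the help desk')
}
$ransomed = [ordered]@{}
foreach ($name in $files.Keys) {
    $ransomed[$name] = Protect-Blob -Plain $files[$name] -Public $publicOnly
}

# Victim's view: ciphertext, IV, wrapped key and the public key. The public key cannot
# unwrap anything, so there is no local path back to the plaintext.
try {
    $publicOnly.Decrypt($ransomed['thesis.docx'].WrappedKey, $true) | Out-Null
} catch {
    "Victim cannot unwrap the file key: $($_.Exception.Message)"
}

# Attacker's view: the private key unwraps each file key and the data comes back.
foreach ($name in $ransomed.Keys) {
    $bytes = Unprotect-Blob -Blob $ransomed[$name] -Private $attacker
    "$name -> $([Text.Encoding]::UTF8.GetString($bytes))"
}
```

Because every file has its own key and every key is wrapped under the same public key, there is nothing to brute-force and nothing to reuse from one file to the next; recovering the data without the private key means restoring it from a backup the malware could not reach, which is why the backup guidance below matters more than anything else on this page.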
To keep WannaCry from reaching your system, apply Microsoft's patch for the MS17-010 SMB vulnerability, released in the security update of March 14, 2017; where SMBv1 is not needed, disabling it removes the attack surface altogether. Because phishing email is a likely infection vector, the FBI recommends strong spam filtering together with email authentication technologies: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). All incoming and outgoing email should be scanned for threats and have executable attachments filtered out, and antivirus systems should be set to run regular, automatic scans.
Keep up-to-date backups of all important or sensitive files and systems in a separate, secure location. Backups must not be permanently connected to, or reachable from, your main computers or networks: a worm that can reach a mounted backup share will encrypt it along with everything else. Your recovery plan should restore clean copies of ransomed data from that isolated backup, and restores should be tested before they are needed.
Administrative access and share permissions should follow least privilege, so that sensitive information is reachable only where and when it is needed. It is also a good idea to disable macros in Microsoft Office files received by email, and to open such files in Office Viewer software rather than the full Office applications.
More generally, keep antivirus software up to date and enable automatic patching for browsers and operating systems. Everyone in your organization should scrutinize links in email and never open attachments in unsolicited messages. Finally, download software only from sites you know and trust.
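The host-side checks behind the recommendations above, as an added example written for this advisory (not UBIT's own tooling): a read-only audit of SMBv1, patch level, the Office macro policy, and the SPF and DMARC records for a mail domain, to be run as Administrator on Windows 8.1, Windows 10 or Server 2012 R2 and later (the `Get-SmbServerConfiguration` cmdlets need the SmbShare module that ships with those versions). With `-Remediate` it applies the two fixes that are safe to make locally: turning off the SMBv1 server and setting the macro policy for the current user. The default domain name is an assumption; pass your own. KB numbers are deliberately not hard-coded, since later cumulative updates supersede the March 2017 packages and their absence proves nothing.

```powershell
param(
    [string]$Domain = 'example.edu',   # assumption: replace with your mail domain
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMBv1. WannaCry's worm component exploits an SMBv1 flaw (MS17-010). The patch fixes
#    the bug; turning SMBv1 off where nothing needs it removes the attack surface entirely.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled')
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Patch level. Report the SMB server driver version for comparison with the file table
#    in the MS17-010 bulletin instead of looking for specific KB packages.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
if ($srv) { Write-Output "INFO: srv.sys $($srv.VersionInfo.FileVersion) (compare with the MS17-010 file table)" }
else      { Write-Output 'INFO: srv.sys not present (SMBv1 feature removed)' }

# 3. Office macros. VBAWarnings=4 disables all macros without notification;
#    blockcontentexecutionfrominternet=1 (Office 2016) blocks macros in files marked as coming
#    from the Internet, which includes email attachments. Both are per-user policy values.
foreach ($ver in '15.0', '16.0') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($vba -ne 4) {
            $findings.Add("$app $ver macro policy VBAWarnings=$vba (want 4)")
            if ($Remediate) {
                New-Item -Path $key -Force | Out-Null
                Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
                Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
            }
        }
    }
}

# 4. Email authentication for the organization's domain. SPF is a TXT record at the domain,
#    DMARC a TXT record at _dmarc.<domain>. DKIM needs a selector name, so it is not checked.
function Get-TxtRecord([string]$Name) {
    try {
        $txt = Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop | Where-Object Type -eq 'TXT'
        ($txt | ForEach-Object { $_.Strings -join '' }) -join ' '
    } catch { '' }
}
$spf = Get-TxtRecord $Domain
if ($spf -notmatch 'v=spf1')      { $findings.Add("No SPF record for $Domain") }
elseif ($spf -match '\+all')      { $findings.Add("SPF for $Domain ends in +all, which permits any sender") }
$dmarc = Get-TxtRecord "_dmarc.$Domain"
if ($dmarc -notmatch 'v=DMARC1')  { $findings.Add("No DMARC record for $Domain") }
elseif ($dmarc -match '\bp=none') { $findings.Add("DMARC for $Domain is p=none (monitor only, nothing is rejected)") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without `-Remediate` first and read the findings; the macro policy values are written under the per-user Policies key, so in a managed environment they belong in Group Policy rather than in a local script, and the SPF/DMARC checks only tell you a record exists and is not obviously permissive, not that your mail gateway enforces it.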
“UB does some blocking to protect systems from this exploit, but it is still urgent to apply vendor patches as soon as possible,” said Jeff Murphy, UB Interim Information Security Officer.
If your UB-owned computers are attacked by WannaCry, contact the UB Information Security Office at firstname.lastname@example.org for assistance.