Alert - Ransomware - WannaCry

Number: AL17-006
Date: 15 May 2017

Purpose

The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for, a large-scale ransomware campaign.

Assessment

CCIRC is aware of a large scale ransomware campaign known as “WCry”, “Wana”, “WCrypt”, “wannacrypt”, “WanaDecryptor” or “WanaCry” that has affected numerous organizations worldwide.  CCIRC continues to work with domestic and international partners to assess the impact to Canada and to provide mitigation guidance and advice.

Ransomware can have an overwhelming impact on individuals, businesses, critical infrastructure and government. Not only can it lead to the loss of access to sensitive or proprietary information, but the disruption to regular operations, the financial loss and the potential harm to an organization's reputation can be devastating.

The WannaCry ransomware campaign appears to be using the SMBv1 server vulnerability addressed by Microsoft Security Bulletin MS17-010 to propagate through the network over the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network if they are unpatched, without any user interaction on those devices.

CCIRC strongly discourages paying the ransom as it does not guarantee that your data will be decrypted. In addition, decrypting files does not mean the malware infection itself has been removed.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider its implementation in the context of their network environment. Furthermore, indicators of compromise, including a YARA signature, and analysis are available from US-CERT (see reference).

Advice specific to propagation via SMBv1:

  • Apply the security updates released under MS17-010. If it is not possible to apply the patches, consider disabling SMBv1 and/or blocking the SMB and NetBIOS ports on network devices [UDP 137, 138 and TCP 139, 445]. Guidance on disabling SMBv1 is available here: https://support.microsoft.com/en-us/help/2696547
  • To prevent infected hosts on the Internet from reaching your systems, block inbound SMB connections on these ports at your network perimeter.
  • To prevent your own infected hosts from infecting other external networks, block outbound SMB connections on these ports at your network perimeter.
  • Execute daily backups of all critical systems and maintain offline and offsite copies of backup media. Periodically perform a practice data restoration from backups, including key databases, to verify the integrity of existing backups and of the restoration process.
  • NCSC UK has shared DNS based mitigation advice concerning WannaCry in a post titled “Ransomware: Latest NCSC Guidance”. (See link provided below)
  • Ensure antivirus and gateway protections are up to date.
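The following script is an added example and is not part of the CCIRC alert or of Microsoft's KB2696547. It shows, in PowerShell, the host-side version of the SMBv1 mitigations listed above: audit whether SMBv1 is enabled, disable the SMBv1 server and client components (the registry value and sc.exe commands are the ones documented in KB2696547), and block the four ports named in the alert at the host firewall. The firewall rule names are this example's own, and the outbound rules are scoped to Internet addresses as an assumption, so that intranet file shares and domain controllers keep working; the alert itself places the outbound block at the network perimeter. A reboot is required for the driver changes to take effect, and patching MS17-010 remains the primary control.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CCIRC alert): audit and disable SMBv1 and block
# SMB/NetBIOS ports on a Windows host. Run in an elevated PowerShell 5.x session.

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose SMB1 through the SmbShare module.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: fall back to the registry value from KB2696547.
    # A missing "SMB1" value means the default, which is enabled.
    $val = (Get-ItemProperty -Path $LanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Disable-Smb1Client {
    # The SMB1 client is the mrxsmb10 driver. Remove it from the workstation
    # service's dependency list and stop it from starting (steps from KB2696547).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-SmbPorts {
    # Inbound: refuse SMB/NetBIOS from anywhere. Outbound: block only towards
    # Internet addresses (assumption made here to keep intranet shares working).
    # New-NetFirewallRule needs Windows 8 / Server 2012 or later; on Windows 7
    # use "netsh advfirewall firewall add rule" instead.
    $rules = @(
        @{ Name = 'Inbound SMB TCP';      Direction = 'Inbound';  Protocol = 'TCP'; Ports = @(139, 445) },
        @{ Name = 'Inbound NetBIOS UDP';  Direction = 'Inbound';  Protocol = 'UDP'; Ports = @(137, 138) },
        @{ Name = 'Outbound SMB TCP';     Direction = 'Outbound'; Protocol = 'TCP'; Ports = @(139, 445) },
        @{ Name = 'Outbound NetBIOS UDP'; Direction = 'Outbound'; Protocol = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        $params = @{
            DisplayName = "AL17-006 block $($r.Name)"   # rule name chosen for this example
            Direction   = $r.Direction
            Protocol    = $r.Protocol
            Action      = 'Block'
            Profile     = 'Any'
        }
        if ($r.Direction -eq 'Inbound') {
            $params.LocalPort = $r.Ports
        } else {
            $params.RemotePort    = $r.Ports
            $params.RemoteAddress = 'Internet'
        }
        # Skip rules that already exist so the script can be re-run safely.
        if (-not (Get-NetFirewallRule -DisplayName $params.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @params | Out-Null
        }
    }
}

Write-Host "SMBv1 server enabled before: $(Get-Smb1State)"
Disable-Smb1Server
Disable-Smb1Client
Block-SmbPorts
Write-Host "SMBv1 server enabled after:  $(Get-Smb1State) (reboot required to unload the SMBv1 drivers)"
```

Before deploying this fleet-wide, inventory anything that still depends on SMBv1 (legacy scanners, printers, NAS appliances, older Windows versions), since disabling the protocol will cut off those connections; the audit function can be run alone first to report state without changing anything.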

General advice to mitigate common email infection vectors:

  • Scan all incoming and outgoing e-mails to detect threats and prevent executable files from reaching the end users.
  • Don’t open links or attachments in emails from untrusted or unknown sources. Inspect the sender address carefully as the address text may differ from the real address.
  • Most often, attacks of this type are detected by diligent and well-informed users. CCIRC recommends that organizations ensure users receive current situational awareness and training, including instructions on how to report unusual or suspicious emails to their IT Security Branch. Reviewing departmental policies, requirements and security education and awareness training can help reduce this threat.

References:
