WannaCry Ransomware Exploits Windows SMB Vulnerability, Microsoft Issues Fix to Protect Outdated Systems
A fast-moving wave of ransomware attacks is hitting hard across the world, exploiting a recently patched vulnerability that was exposed in documents leaked from the NSA by the mysterious Shadow Brokers group.
Dubbed WannaCry, the ransomware is exploiting a critical vulnerability in Microsoft’s Server Message Block (SMB) which was patched by Microsoft (MS17-010) for supported versions of Windows last month.
Also known as WCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r, the ransomware strain has reportedly hit more than 100 countries in less than 24 hours.
While up-to-date, fully patched Windows installations are not at risk, Microsoft took the highly unusual step of providing a security update for those using Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.
“We also know that some of our customers are running versions of Windows that no longer receive mainstream support,” Microsoft said. “That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
The malware outbreak began on Friday and is being described as the biggest-ever ransomware attack, hitting hospitals in Britain as well as the Spanish telecom giant Telefonica, and also spreading to victims in other countries, including Russian banks, FedEx and European car makers.
Security firm F-Secure called WannaCry the biggest ransomware outbreak in history, saying that 130,000 systems in more than 100 countries had been affected as of Saturday.
A spokesman for Barts Health NHS Trust in London told AFP that it was experiencing “major IT disruption” and delays at all four of its hospitals, and that ambulances were being diverted to nearby hospitals.
“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” Lance Cottrell, chief scientist at Ntrepid, told SecurityWeek.
On Saturday, a security researcher who blogs for MalwareTech and researchers from Proofpoint discovered a “kill switch” that could prevent the spread of the ransomware.
“The ‘kill switch’ was hardcoded into the malware in case the creator wanted to stop it spreading,” MalwareTech explained. “This involved a very long nonsensical domain name that the malware makes a request to just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.”
“This event should serve as a global wakeup call – the means of delivery and the delivered effect is unprecedented,” Rich Barger, Director of Cyber Research at Splunk, told SecurityWeek. “While Spain and Russia look to be hit the hardest, other countries including Italy, Portugal, Ukraine and Pakistan look to be affected as well. This is one of the largest global ransomware attacks the cyber community has ever seen.”
“Initial reports that this malware is propagating on its own – for those who remember the early 2000s, this is a worm – malware that infects a machine and then looks for other vulnerable hosts on the same network or randomly scans and looks for other vulnerable hosts to infect,” Barger added.
Splunk’s Barger suggested disabling or blocking the SMB v1 service to protect against the attacks, and said firms should consider monitoring for and/or mitigating scan behavior on TCP/445, both externally and internally.
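Barger’s advice to monitor for scan behavior on TCP/445 can be turned into a simple detection. The following is an added example, not code from the article or any vendor quoted in it: it flags hosts that fan out to many distinct SMB peers within a short window, which is the worm-style lateral movement described above. The connection-log format, the threshold and the window size are assumptions.

```python
"""Flag hosts that reach many distinct peers on TCP/445 in a short window.
Added example; log format (assumed: "timestamp src dst dport") and
thresholds are assumptions, and the log below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log: one host fans out to six SMB peers
# in four seconds, another touches only two, a third is not SMB at all.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:11 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:12 10.0.1.40 10.0.1.6 445
2017-05-12T10:05:00 10.0.1.15 10.0.1.50 445
2017-05-12T10:00:20 10.0.1.60 10.0.1.7 80
"""

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_smb_scanners(text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: max distinct TCP/445 destinations seen within any
    sliding `window`} for sources that reach at least `threshold`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport == 445:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()  # chronological, so events[i:] are at or after start
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits
```

A real deployment would feed firewall or NetFlow records instead of the embedded string and tune the threshold to the normal SMB fan-out of file servers and management hosts.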
The U.S. Department of Homeland Security also provided Indicators of Compromise (IOC) in a Microsoft Excel spreadsheet.
“With the WannaCry/WanaCrypt ransomware in the wild, crossing into industrial control systems would be particularly devastating,” commented Owen Connolly, VP of Services at IOActive. “Systems requiring real-time interfacing and control influence over physical assets could face safety/critical shutdown, or worse. When thinking about critical services to modern society (power, water, wastewater, etc.), there is a real potential, potentially for the first time ever, where critical services could be suspended due to ransomware. It may be time to rethink critical infrastructure cybersecurity engineering, because if MS17-010 exploiting malware variants are successful, we are clearly doing something wrong.”