NJCCIC Threat Alert | TLP:WHITE
Widespread Ransomware Campaign Rapidly Spreading Across Numerous Countries
UPDATE: May 18, 2017
Since last Friday, the NJCCIC has closely monitored the outbreak of the WannaCry ransomware variant, also reported as Wana Decrypt0r or WCry. Over the weekend, we observed reports from around the world indicating this ransomware variant was impacting dozens of countries and hundreds of thousands of devices. However, the extent of the impact on New Jersey and the United States remains unclear. As of today, the NJCCIC is only aware of one confirmed infection in New Jersey and we have not independently verified any other US victims, or the total number of countries impacted. According to a Forbes article, there were at least two incidents at US healthcare organizations and an unknown number of incidents impacting small utilities and manufacturing sites, though impacts were limited. According to Reuters, fewer than 10 organizations have reported WannaCry infections to the Department of Homeland Security. If affected by ransomware, whether WannaCry or any other variant, we urge our members and any organization or resident of New Jersey to report it to the NJCCIC, understanding we will never disclose the identity of a victim or details of an incident without explicit consent.
It is important to underscore the fact that the WannaCry campaign that began on Friday exploited vulnerabilities in Windows Server Message Block (SMB) version 1 (SMBv1), for which Microsoft released a patch on March 14, 2017. Organizations that had since installed the patch (MS17-010) or had implemented the mitigation recommendation to disable SMBv1 on networked systems or block TCP port 445 were not at risk of infection. On Saturday, Microsoft issued an emergency out-of-band patch to address the vulnerability in end-of-life systems—Windows XP, Windows 8, and Windows Server 2003—that were not covered by the March 14 update. Organizations running end-of-life systems are strongly urged to update to an operating system that is supported by Microsoft. For comprehensive ransomware mitigation recommendations, and more information on the WannaCry variant, visit the NJCCIC's Ransomware Threat Profile.
Lastly, the NJCCIC is not in a position to assess the attribution or primary motive of the attack at this time. Throughout the week, numerous cybersecurity firms including Symantec and BAE Systems presented initial findings indicating the source code of WannaCry shares characteristics consistent with a North Korean hacking group known as the Lazarus Group, widely reported to have links to the government. Despite these observations, more information is necessary to make a confident assessment of who may have been responsible, such as the infrastructure used to launch the malware, the initial victim targeted, Bitcoin transaction activity, and other conclusive findings from security researchers, law enforcement, or intelligence agencies.
UPDATE: May 13, 2017
For more information and live updates on the latest version of this ransomware variant and its campaign, please review the threat profile here.
According to numerous open-source reports, a widespread ransomware campaign is impacting organizations in as many as 16 countries, with reports of numerous National Health Service (NHS) hospitals in the United Kingdom (UK) and multiple banks and telecommunication providers in Spain among the victims. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered this morning by an independent security researcher and has spread rapidly over the course of several hours, with initial reports beginning around 4:00 AM EDT. Telefonica, one of Spain’s largest telecommunications providers, was one of the first to report an infection and instructed all employees to shut down their computers and VPN connections to limit the spread and impact of the infection. Spanish newspaper El Pais reports that Santander bank may also have been affected. According to the BBC, up to 25 NHS organizations in the UK have also been infected with this variant, in some cases resulting in emergency patients being diverted to other locations. Patient medical details and appointment schedules, as well as internal VoIP phone lines and email accounts, have been rendered inaccessible to staff. Initial reports indicate that the hacker or hacking group behind this campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability for which Microsoft released a patch on March 14, 2017.
The NJCCIC recommends organizations close TCP ports 22, 23, 139, 445, and 3389 and UDP ports 137 and 138, and ensure the aforementioned SMB patch (MS17-010) has been applied. Additionally, we recommend all organizations implement a robust data backup process that safeguards any data considered valuable or critical to the organization. Data backups must be stored offline—disconnected from the network—and tested regularly to confirm their integrity. For a comprehensive list of ransomware mitigation strategies, visit the NJCCIC's Ransomware Threat Profile. Organizations should also use this as an opportunity to advise employees of the increase in cyber threats and provide awareness training on social engineering tactics, safe-browsing techniques, and how to respond to suspected cyber incidents.
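As an added example (not part of the NJCCIC alert), the following PowerShell audits a single Windows host against the mitigations named in the May 18 update and the recommendations above: MS17-010 installed, SMBv1 disabled, and the listed ports blocked inbound by Windows Firewall. The function name `Test-WannaCryMitigation` is ours, and the KB numbers in `$Ms17010Kb` are an assumption that should be confirmed against the Microsoft bulletin for each OS build; it assumes Windows 8 / Server 2012 or later for the `Get-SmbServerConfiguration` and `NetSecurity` cmdlets, run from an elevated session.

```powershell
<#
  Added example, not NJCCIC content. Audits one host for the WannaCry
  mitigations the alert lists. Read-only by default; -Enforce disables SMBv1
  and adds inbound Block rules for any port not already blocked.
#>
function Test-WannaCryMitigation {
    [CmdletBinding()]
    param(
        # Assumption: MS17-010 KB identifiers for common client/server builds.
        # Verify the correct KB for each OS build against the Microsoft bulletin.
        [string[]]$Ms17010Kb = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                 'KB4012214','KB4012217','KB4012606','KB4013198',
                                 'KB4013429','KB4012598'),
        [switch]$Enforce
    )

    # Ports from the alert: TCP 22, 23, 139, 445, 3389 and UDP 137, 138.
    $ports = @(
        @{ Protocol = 'TCP'; Port = 22   },
        @{ Protocol = 'TCP'; Port = 23   },
        @{ Protocol = 'TCP'; Port = 139  },
        @{ Protocol = 'TCP'; Port = 445  },
        @{ Protocol = 'TCP'; Port = 3389 },
        @{ Protocol = 'UDP'; Port = 137  },
        @{ Protocol = 'UDP'; Port = 138  }
    )

    # 1. Patch check: any one of the listed KBs present means MS17-010 is applied.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Ms17010Kb -contains $_.HotFixID }
    $patched = [bool]$installed

    # 2. SMBv1 check through the SMB server configuration; disable on -Enforce.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($Enforce -and $smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 3. Firewall check: an enabled inbound Block rule must exist for each port.
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    $unblocked = foreach ($p in $ports) {
        $rule = $blockRules | Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq $p.Protocol -and ($pf.LocalPort -contains "$($p.Port)")
        }
        if (-not $rule) {
            if ($Enforce) {
                New-NetFirewallRule -DisplayName "Block inbound $($p.Protocol)/$($p.Port) (WannaCry mitigation)" `
                    -Direction Inbound -Protocol $p.Protocol -LocalPort $p.Port -Action Block | Out-Null
            } else {
                "$($p.Protocol)/$($p.Port)"   # report the gap instead of fixing it
            }
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MS17010Installed = $patched
        MS17010KBs       = ($installed.HotFixID -join ',')
        SMB1Enabled      = $smb1Enabled
        UnblockedPorts   = @($unblocked)
        Compliant        = ($patched -and -not $smb1Enabled -and @($unblocked).Count -eq 0)
    }
}

# Audit only; add -Enforce to remediate SMBv1 and the firewall gaps.
Test-WannaCryMitigation | Format-List
```

`Compliant` is true only when all three controls hold, so the object can be collected from many hosts (for example via `Invoke-Command`) and filtered on that one field. A blanket inbound block on these ports will also stop legitimate file sharing, RDP and SSH, so review `UnblockedPorts` against the host's role before using `-Enforce`, and prefer scoping the rules to untrusted source networks where those services are required.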
For more information, please review our recent threat analysis products on the topic of ransomware:
- Ransomware: Poised to Cause More Disturbance, Losses in 2017 (March 9, 2017)
- CrySiS: Ransomware Variant Impacting New Jersey Organizations (March 9, 2017)
- Ransomware: An Enduring Risk to Organizations and Individuals (February 12, 2016)
- Extortion: Profit-Motivated Cyber Tactics On The Rise (November 25, 2015)
The information contained in this threat alert is TLP: WHITE. This means, subject to standard copyright rules, it may be distributed without restriction.