A massive ransomware infection is spreading across the globe. It uses the EternalBlue exploit from the Shadow Brokers dump released last month.
File Name : tasksche.exe
SHA : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Please apply this patch immediately to all endpoints. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
This malware is using social engineering to target companies. The emails trick users into opening files and attachments; once running, the malware spreads to other machines over SMB using a vulnerability that was addressed by MS17-010 in March 2017, so please check that all your machines have the latest updates installed.
The IT systems of around 40 NHS organizations across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack.
Non-health-focused organizations around the world are also being affected, including the Spanish telecommunications firm Telefonica, which reported a serious issue affecting its internal network as a result of a cyberattack earlier today. The strain is called “Wanna Decrypt0r” and asks $300 from victims to decrypt their computers.
Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, Wana Decrypt0r made over 57,000 victims in just a few hours.
The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”
Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware appears to use the NSA-attributed ETERNALBLUE and DOUBLEPULSAR exploits, which were made public earlier this year by a group calling itself the Shadow Brokers; the SMB vulnerability they target was fixed by MS17-010 in March, before the dump was released.
The initial infection vector looks like a phishing/macro email.
According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file which, once opened, initiates the WannaCry infection.
But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” he told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”
Given that the malware is scanning the entire internet for vulnerable machines, and that as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, the WannaCry ransomware explosion is only expected to get worse over the weekend.
MITIGATION STRATEGIES AND RECOMMENDATIONS:
This section discusses how the threat can be prevented, contained, and removed.
Threat Specific Mitigating Guidelines
- SMBv1 should be disabled wherever it is not required for business use, and TCP ports 139 and 445 should be blocked at the perimeter and between network segments where SMB is not needed.
- Exploitation of the vulnerability fixed by MS17-010 has been confirmed; apply MS17-010 immediately.
- All SMB-related patches should be applied to servers as soon as practical.
- Any Microsoft updates that have not yet been applied to servers should be applied as soon as possible.
- Send a notice to all users about this attack, reminding them not to click links or open files in emails from suspicious or unknown sources.
- Review current backup policies and procedures and be prepared to perform a restore in case of infection. Paying the ransom should be avoided whenever at all possible.
- Verify that no infected user holds administrative, and especially not domain, privileges; if any does, reset the affected passwords twice.
- The priority is that your anti-virus can detect the malware; verify that you have up-to-date signatures.
- Make sure that users know never to open suspicious attachments, even when they are displayed with a familiar icon (Office or PDF document). Where opening an attachment prompts to run an application, users must under no circumstances accept, and when in doubt they should consult the IT/security team.
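The following PowerShell script is an added example (not part of the original advisory) that carries out the host-side checks from the list above in one pass: it looks for an MS17-010 package in the installed hotfixes, disables the SMBv1 server protocol, blocks inbound SMB at the host firewall, and sweeps common drop locations for the tasksche.exe sample by the SHA-256 given at the top of this bulletin. The KB identifiers are the ones listed in the MS17-010 bulletin; the variable names, the choice of search roots and the firewall rule name are the example’s own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: MS17-010 / WannaCry host triage. Run as Administrator.
# KB list taken from the MS17-010 bulletin; everything else is this example's own choice.

# 1. Has an MS17-010 package (or a March 2017 rollup carrying it) been installed?
#    Caveat: later cumulative updates supersede these KBs, so on Windows 10, or on any
#    host that took a newer monthly rollup, "not found" means "verify another way",
#    not "vulnerable".
$ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present:" ($installed.HotFixID -join ', ')
} else {
    Write-Warning "No MS17-010 KB in Get-HotFix output; check Windows Update history before assuming this host is patched."
}

# 2. Disable the SMBv1 server protocol, which is what EternalBlue targets.
#    Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
#    Windows 7 / Server 2008 R2 use the LanmanServer registry value instead (reboot needed).
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled."
    } else {
        Write-Host "SMBv1 server protocol already disabled."
    }
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Host "SMB1=0 written under $key (reboot required)."
}

# 3. Block inbound SMB (TCP 139/445) at the host firewall where SMB is not a business need.
#    New-NetFirewallRule is Windows 8 / Server 2012 and later; older hosts fall back to netsh.
$ruleName = 'Block inbound SMB (MS17-010 mitigation)'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        Write-Host "Firewall rule '$ruleName' created."
    }
} else {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
}

# 4. Sweep the usual drop locations for the known sample by hash, not by file name,
#    since the malware need not keep the name tasksche.exe. Get-FileHash returns uppercase hex.
$wannaCrySha256 = 'ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA'
$searchRoots = $env:SystemRoot, $env:ProgramData, $env:USERPROFILE, $env:TEMP
$hits = Get-ChildItem -Path $searchRoots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $h.Hash -eq $wannaCrySha256) { $_.FullName }
    }
if ($hits) {
    Write-Warning ("Known WannaCry sample found; isolate this host from the network now:`n" + ($hits -join "`n"))
} else {
    Write-Host "No file matching the tasksche.exe SHA-256 found under the searched roots."
}
```

The hotfix check is deliberately reported as a warning rather than a verdict: on systems that receive cumulative updates the March packages are superseded and no longer appear in Get-HotFix, so a negative result should be confirmed from Windows Update history or a vulnerability scanner before a host is declared unpatched. The hash sweep covers only the listed roots; a full-disk sweep is slower but is the safer choice on a host that has shown any symptoms.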
Recommended Best Practices
Below are recommended IT security best practices. These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
- Disable default user accounts
- Educate users to avoid following links to untrusted sites
- Always execute browsing software with least privileges possible
- Turn on Data Execution Prevention (DEP) for systems that support it
- Maintain a regular patch and update cycle for OS and installed software
- For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx
The media has released these stories:
The following IP addresses, hashes and websites must be blocked by network admins: