A major ransomware attack hit the UK’s National Health Service, Spain’s Telefonica mobile telephone network, and various smaller companies across 74 countries on May 12, 2017. One of the largest global cyberattacks to date, it relied upon a modified version of a known ransomware kit (Wanna Decrypt0r, also known as WannaCry or WCRY), and at its peak, spread at an estimated rate of 5 million infected emails per hour.
As of this writing (May 13, 2017), the attack has been neutralized for some systems, by way of a DNS sinkhole. The initial malware contained code that caused the attack to terminate if a specific website was online (likely part of the development process for the file), and the destination has now been sinkholed and redirected to a site that causes the infection to shut down instead of spreading. However, systems running behind a proxy are still susceptible to attack.
Creating a local DNS entry that redirects www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (the check URL used by the worm that spreads the malware) to a local IP that answers HTTP requests is a critical step, should the sinkhole fail; the worm only stops when its request to that domain succeeds, so pointing the name at an address with nothing listening does not help.
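One way to pin the check domain locally on an individual Windows host, as an added example that is not part of the original article: a hosts-file entry pointing the domain at an internal web server, followed by a check that the pin resolves and that the target actually listens on TCP/80. The web server address is a constructed placeholder; a DNS zone override on the internal resolver achieves the same effect network-wide.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Pins the worm's check-in domain to
# an internal web server so the kill switch keeps firing even if the public sinkhole
# is unreachable (for example from behind a proxy). The address below is a constructed
# placeholder and must be a host that answers plain HTTP on port 80.

$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$LocalWebServer   = '10.0.0.50'   # placeholder: internal host serving HTTP on :80
$HostsPath        = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-KillSwitchHostsEntry {
    param(
        [Parameter(Mandatory)] [string]    $Domain,
        [Parameter(Mandatory)] [ipaddress] $Address,
        [string] $Path = $HostsPath
    )
    # Idempotent: skip if a non-comment line already maps this domain.
    $pattern  = "\s$([regex]::Escape($Domain))(\s|`$)"
    $existing = Get-Content -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
    if ($existing) {
        Write-Verbose "Entry already present: $existing"
        return $false
    }
    # Leading newline in case the file has no trailing one.
    Add-Content -Path $Path -Encoding Ascii -Value "`r`n$Address`t$Domain`t# WannaCry kill-switch pin"
    return $true
}

function Test-KillSwitchPin {
    param(
        [Parameter(Mandatory)] [string]    $Domain,
        [Parameter(Mandatory)] [ipaddress] $Address
    )
    Clear-DnsClientCache
    # The OS resolver consults the hosts file, so a plain lookup shows whether the pin is live.
    $resolved = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object IPAddressToString
    if ($resolved -notcontains $Address.IPAddressToString) {
        Write-Warning "$Domain resolves to $($resolved -join ', '), not $Address"
        return $false
    }
    # An unanswered pin is worse than none: the worm treats a failed request as
    # "domain unreachable" and keeps spreading.
    $tcp = Test-NetConnection -ComputerName $Address.IPAddressToString -Port 80 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$Address is not listening on TCP/80; the kill switch would not trigger"
        return $false
    }
    return $true
}

Add-KillSwitchHostsEntry -Domain $KillSwitchDomain -Address $LocalWebServer -Verbose
Test-KillSwitchPin       -Domain $KillSwitchDomain -Address $LocalWebServer
```

Run from an elevated PowerShell session; a `$false` from `Test-KillSwitchPin` means the pin is not yet effective on that host and the reason is printed as a warning.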
Interestingly, the malware used was described in NSA documents that were stolen and leaked in April of 2017, by a group known as the Shadow Brokers.
Infected Windows machines around the world were being used to propagate the attack. The initial infection vector was a Word file that deployed the WCRY malware; once opened, the ransomware encrypts the Windows machine’s files and then uses a remote vulnerability in Windows’ network file share protocol (SMB) to distribute itself to other Windows machines on the same network.
What was critically different here was that, due to the nature of the exploit, if even one machine were infected, it would automatically spread to all other vulnerable machines on the same network. This self-propagation is why the attack was so widespread, and while the Windows vulnerability this attack uses was patched on March 14, 2017 (Microsoft Security Bulletin MS17-010), many networks and companies had not yet patched their systems to prevent exploitation.
Once infected, these machines’ desktop wallpaper was changed, and the malware would then display a message requiring BitCoin payment within a certain timeframe or else the encrypted data would supposedly be deleted:
Along with the warning message above, users were also presented with a readme file, explaining what they need to do in order to regain access to their files (namely, transfer $300 USD via BitCoin to the attackers):
The encryption routine in the malware targets the following file types, appending the extension .WCRY to each encrypted file’s name:
Why This Attack Was So Dangerous:
The most significant threat here was from unpatched machines with a recent vulnerability. While a patch existed at the time of infection, it was not universally deployed. Coupled with the auto-propagating nature of the attack, a large number of machines were compromised rapidly.
The primary attack vector for this attack is believed to have been a non-targeted phishing campaign. Increasingly, phishing scams combine malware distribution with advanced deception tactics, designed to trick users with a variety of social engineering techniques, including:
- Display Name Spoofs, which use a valid email address (such as a newly registered account with Gmail, Yahoo, Outlook, or similar service) in combination with the Display Name, or “friendly” first and last name that most email clients display, to deceive a user into believing that they have received a message from a known contact.
- Lookalike / Cousin Domain Attacks, where the attacker combines fully registered and validated domains that are visually similar to a company’s own domain with the actual attack payload, in this case, the malware.
Again, manually reviewing all of the mail headers can be helpful here, although training users to do so with every single email they receive can be difficult at best. Automated analytics can identify look-alike domains and automatically alert users to fraud attempts.
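The kind of automated check the paragraph above refers to, as an added example (not code from the original article): a From-header scorer that flags cousin domains by folding common character substitutions and measuring edit distance against the company's own domains, and flags display-name spoofs by comparing a known contact's name against the address it arrives from. The trusted domains, contact directory, and sample headers are all constructed for illustration.

```powershell
# Added example (not from the original article). Scores From headers for the two
# deception patterns described above. All domains, contacts and headers are constructed.

$TrustedDomains = @('example-corp.com')                          # constructed: the company's own domain(s)
$KnownContacts  = @{ 'Jane Doe' = 'jane.doe@example-corp.com' }  # constructed directory: display name -> address

# Substitutions commonly used in cousin domains, applied in this order.
$HomoglyphPairs = @( @('rn','m'), @('vv','w'), @('0','o'), @('1','l'), @('3','e'), @('5','s'), @('7','t') )

function Get-Levenshtein([string]$a, [string]$b) {
    # Classic dynamic-programming edit distance, case-insensitive.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i-1] -eq $b[$j-1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j-1] + 1, $prev[$j] + 1), $prev[$j-1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-NormalizedLabel([string]$Domain) {
    # Lower-case, drop the top-level label, then fold substitutions so that
    # "examp1e-c0rp.net" compares equal to "example-corp".
    $label = $Domain.ToLowerInvariant() -replace '\.[^.]+$', ''
    foreach ($pair in $HomoglyphPairs) { $label = $label.Replace($pair[0], $pair[1]) }
    return $label
}

function Test-FromHeader {
    param([Parameter(Mandatory)][string]$From)
    # Parse 'Display Name <local@domain>'; fall back to a bare address.
    if ($From -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches.name.Trim(); $addr = $Matches.addr.Trim()
    } else {
        $name = ''; $addr = $From.Trim()
    }
    $domain   = ($addr -split '@')[-1].ToLowerInvariant()
    $findings = New-Object System.Collections.Generic.List[string]

    if ($TrustedDomains -contains $domain) {
        return [pscustomobject]@{ From = $From; Verdict = 'trusted'; Findings = @() }
    }
    # Cousin domain: compare the folded registrable label against each trusted domain.
    $norm = Get-NormalizedLabel $domain
    foreach ($t in $TrustedDomains) {
        $d = Get-Levenshtein $norm (Get-NormalizedLabel $t)
        if ($d -le 2) { $findings.Add("lookalike of $t (edit distance $d after homoglyph folding)") }
    }
    # Display-name spoof: a known contact's name arriving from a different address.
    if ($name -and $KnownContacts.ContainsKey($name) -and $KnownContacts[$name] -ne $addr) {
        $findings.Add("display name '$name' belongs to $($KnownContacts[$name]), not $addr")
    }
    # Variant: a trusted address written into the display name itself.
    if ($name -match '@' -and (($name -split '@')[-1] -in $TrustedDomains)) {
        $findings.Add('trusted address embedded in display name')
    }
    $verdict = if ($findings.Count -gt 0) { 'suspicious' } else { 'unknown sender' }
    [pscustomobject]@{ From = $From; Verdict = $verdict; Findings = $findings.ToArray() }
}

# Constructed sample headers: one legitimate, four deceptive, one merely unknown.
@(
    'Jane Doe <jane.doe@example-corp.com>',
    'Jane Doe <janedoe1985@gmail.com>',
    'Accounts Payable <invoices@examp1e-c0rp.com>',
    'IT Helpdesk <helpdesk@example-corp.co>',
    '"jane.doe@example-corp.com" <attacker@mail.example>',
    'Newsletter <news@unrelated.example>'
) | ForEach-Object { Test-FromHeader $_ } | Format-Table -AutoSize -Wrap
```

The edit-distance threshold of 2 and the substitution table are starting points; in production the trusted list would also include partner domains, and the contact directory would come from the address book rather than a literal.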
Mitigation and Response
- Implement infection prevention within email systems, focused on identifying infected files (especially Word documents) and unusual senders, spoofs, and impersonation attempts. Rapidly changing malware can often circumvent legacy email gateway defenses, especially if the attack does not directly attach the infected file within the email itself, but instead delivers it via URL or link. Post-delivery protection is essential for both detection and response while endpoint and anti-malware tools catch up, and being able to rapidly identify and remove infected messages even if they get past the perimeter is critical to protecting against threats.
- Patch all potentially vulnerable machines for MS17-010 (“ETERNALBLUE” and “DOUBLEPULSAR”).
- Remove outdated Windows NT, Windows 2000, Windows XP, and Windows Server 2000-2003 machines from production.
- Disable SMBv1, the protocol version the exploit targets (especially on machines that cannot be removed), with the following PowerShell command run from an elevated prompt:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
- Filter SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389) traffic at the firewall level, ensuring that infected machines cannot spread the malware if present within your network.
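The list above as a single host-audit script, added here as an example and not the article's own code: it reports the MS17-010 patch state, both SMBv1 indicators, and which of the listed ports are listening; then applies the SMBv1 registry setting from the list (plus the cmdlet equivalent on Windows 8 / Server 2012 and later) and adds host-level block rules for the three ports. The KB number is a placeholder to be filled from the MS17-010 bulletin for the host's OS; the rule names are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Audits one Windows host against the
# mitigation list above and applies the SMBv1 and port-filter items. Run elevated.

$Ms17010Kb = 'KB<placeholder-from-MS17-010-for-this-OS>'   # placeholder: the bulletin's KB for this OS
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-WannaCryExposure {
    # One object summarising the items from the mitigation list for this host.
    $smb1Reg = (Get-ItemProperty -Path $SmbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Cfg = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
    $listen  = Get-NetTCPConnection -State Listen -LocalPort 445,139,3389 -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = (Get-CimInstance Win32_OperatingSystem).Caption
        Ms17010Installed = $patched
        Smb1RegistryOff  = ($smb1Reg -eq 0)   # an absent value means SMBv1 is still enabled
        Smb1ProtocolOn   = $smb1Cfg
        ListeningPorts   = @($listen)
    }
}

function Disable-Smb1Server {
    # The registry command from the list above; the Server service reads it on start.
    Set-ItemProperty -Path $SmbParams -Name SMB1 -Type DWORD -Value 0 -Force
    # Cmdlet form (Windows 8 / Server 2012 and later) that takes effect without a restart.
    # Note: clients that speak only SMBv1 (Windows XP / Server 2003) lose access to this host's shares.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-LateralMovementPorts {
    # Host-level counterpart of the network filtering item: block inbound SMB, NetBIOS
    # and RDP. Skip this on hosts that legitimately serve files or accept RDP.
    $rules = @{ 'WCRY-Block-SMB' = 445; 'WCRY-Block-NetBIOS' = 139; 'WCRY-Block-RDP' = 3389 }   # constructed names
    foreach ($name in $rules.Keys) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $rules[$name] -Action Block -Profile Any | Out-Null
        }
    }
}

$before = Get-WannaCryExposure
$before | Format-List
if ($before.Smb1ProtocolOn -or -not $before.Smb1RegistryOff) { Disable-Smb1Server }
Block-LateralMovementPorts
Get-WannaCryExposure | Format-List
```

`Ms17010Installed` stays `$false` until the placeholder is replaced with the real KB for the host's OS; the second `Get-WannaCryExposure` call shows the SMBv1 indicators after the change, while `ListeningPorts` will still show 445 on a file server because the rule blocks inbound traffic rather than stopping the service.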
What To Expect Next
This is the second time a major attack has propagated over email within the past two weeks, and it’s highly likely that the criminals behind these attacks are in the process of improving the sophistication of both their primary attack tools (the malware and ransomware they use) as well as their techniques and tactics.
More generally, this attack demonstrates the importance of not relying on security awareness training alone; as the scope and efficacy of this incident reveal, training (traditionally a compliance effort) cannot adequately modify the behavior of every user at every company in the world — and given the rapid spread of an attack that spreads in the way that WCRY does, it only takes a single compromised account to bring down millions of machines and organizations in minutes.