Early on Friday, May 12, reports began circulating about WannaCry ransomware outbreaks in the United Kingdom affecting numerous sites at the National Health Service (NHS). Soon after, it became apparent that the impact was global, affecting a large number of victims across Europe, Middle East and Asia with victims identified in over 150 separate countries.
Protection and detection are critical in stopping modern intrusions. Fidelis Network and Endpoint products include coverage for all elements of this campaign.
- This is the first true internet-scale worm -- one that can self-propagate over networks - observed since Conficker in 2009.
- In 2017, "All Roads Lead to Ransomware" -- so it was almost inevitable that the malware installed was a ransomware variant.
- This campaign has been particularly impactful relative to prior ransomware events since enterprises affected are wide and varied – healthcare, manufacturing, banking, shipping etc. - and truly global in nature.
- It should be noted that Wannacrypt has not been observed prior to this campaign.
- Wannacrypt was delivered with a 'kill-switch', a domain that the malware would check with prior to encrypting the system. This was likely an anti-sandboxing measure that researchers then leveraged to successively disable some strains of the infection.
- Subsequent malware has emerged with other 'kill-switch' domains that have been similarly disabled.
- As of noon ET on Monday May 15, our reporting is that many new variants have been observed without such mechanisms present.
- In our observation, the ETERNALBLUE exploit for MS17-010 is the more potent element in this campaign. We expect to see successive waves of malware, possibly all ransomware, that leverage this exploit to Worm across the internet.
- To this end, it should be noted that Conficker is still active today, despite the vulnerability having been fixed in 2008.
- While initial reporting suggested that phishing emails were the basis for the original intrusion, this appears unlikely right now. We agree that organizations with open SMB ports to the internet are likely the ones affected right now.
- Today (Monday, May 15) we have seen researchers note that there have been no instances where victim systems have been successfully decrypted, even when the ransom has been paid. In this respect, this is more like a global wiper event (albeit selective in terms of chosen files), similar to Shamoon.
- There is considerable mobilization of law enforcement organizations worldwide to pursue those responsible for these events. Many in the private sector, including Fidelis Cybersecurity, are providing assistance as needed.
- The exploits are strictly for SMBv1, which Microsoft recommended be disabled.