WannaCry – Ransomware explosion hits hundreds of companies around the world
By now we have all heard about the events of Friday 12th May 2017. One of the largest and most high-profile ransomware attacks to date struck the NHS and other organisations, but few are probably aware of the scale of the assault. Targets were also hit in Spain, Brazil, Russia, India, China and throughout EMEA; this attack hit hard across the world.
The initial infection is thought to have come from a highly targeted spear-phishing attempt, but given the nature and proliferation of the attack it will be incredibly hard to ever pinpoint the actual source. Once a machine is infected, the malware encrypts its files and demands a ransom in Bitcoin (starting at $300 and rising to $600) to decrypt them and restore access. It also spreads on its own to other machines on the network over SMB, which is what turned a single infection into a network-wide outbreak. For an individual user that is a small annoyance; for a large, multinational organisation it is a crippling, business-halting risk.
The exploit itself has become extremely well known in both security circles and the national and international press because of the reported source of the vulnerability: it was released by a group calling itself ‘The Shadow Brokers’ along with tools apparently leaked from the Equation Group, who are believed to be part of the United States National Security Agency (NSA). The infection vector is commonly called ‘EternalBlue’ (among other names); it exploits a flaw in the SMBv1 server that Microsoft addressed in security bulletin MS17-010 for a wide range of operating systems. If you are running an operating system that has fallen out of active support, e.g. Windows XP, then Microsoft has also released Customer Guidance, with out-of-band patches, to help deal with this particular threat.
Interestingly, Microsoft had already released the MS17-010 patches for Windows 7, Windows 10 and the supported server operating systems on 14 March 2017, two months before the outbreak. But, as we all know, patches are not always applied quickly in the business world, which is why this attack spread so far so fast.
So, enough about how it happened; you want to know how to fix it…
The first and most important thing you can do is apply the patches mentioned above. There are a handful of CVEs that you need to be aware of:
The CVEs addressed by MS17-010 are all covered by Tenable in the form of plugin updates. These were released on 14 March this year and have been modified as new information has become available (the last modification date at the time of writing was 8 May). For more information on the plugins themselves, see Plugin #97737 and Plugin #97833. Both will help you scan for and discover the vulnerability. The first is a credentialed check and will tell you whether you have yet to apply the patches. The second is a remote, uncredentialed check that probes a host over SMB and will tell you whether it still looks exposed through SMBv1 (which is enabled by default on most Windows versions currently shipping!), one of the vectors used to spread this attack. Both are currently listed with a CVSS score of 10.0 and should be treated as a very large risk to any organisation. Patch first; then, where your business applications allow it, disable SMBv1 altogether so that the next SMBv1 flaw cannot be used the same way (see the Microsoft links below). Please see our other recent blog post, ‘10 Steps to an Effective Ransomware Protection Strategy’, for more information on ransomware and protecting against it.
Also worth a read:
Microsoft on why SMBv1 is unsafe and should be retired: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
Microsoft detailing how to disable SMBv1 while leaving SMBv2 and v3 enabled (which are still widely used and maintained): https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disab...
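To put the three steps above (patch, check, disable SMBv1) into a form you can run on a host, here is an added PowerShell example. It is not code from the original post, from Tenable or from Microsoft. It assumes that the KB numbers listed in `$Ms17010Kbs` are the March 2017 updates that carried the MS17-010 fix (verify them against the bulletin for your platform), and the function names `Test-Ms17010Patch`, `Get-Smb1ServerEnabled` and `Disable-Smb1Server` are this example's own. The registry value it uses to switch off the SMBv1 server on Windows 7 / Server 2008 R2 is the one documented in the KB2696547 article linked above; on Windows 8 / Server 2012 and later it uses the built-in `Set-SmbServerConfiguration` cmdlet instead.

```powershell
# Added example, not code from the original post, Tenable or Microsoft.
# Audits a Windows host for an MS17-010 update and for the SMBv1 server, and
# optionally disables SMBv1 as KB2696547 describes. Run from an elevated prompt.
#
# Assumptions (verify against the MS17-010 bulletin for your platform):
#  - $Ms17010Kbs lists the March 2017 updates that carried the fix;
#  - on Windows 10 the March cumulative update is superseded by later ones, so
#    "KB not found" there is NOT proof the host is unpatched; trust a
#    credentialed scanner (e.g. Tenable plugin 97737) over this list.

$Ms17010Kbs = @(
    'KB4012598',                           # XP / 2003 / Vista / 2008 (Customer Guidance)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    # Returns the first known MS17-010 KB present in the installed-updates list, else $null.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets;
    # Windows 7 / Server 2008 R2 only have the SMB1 registry value from KB2696547.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = Get-ItemProperty -Path $LanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue
    # No value at all means the default, and the default is "enabled".
    if ($null -eq $value) { return $true }
    return ([int]$value.SMB1 -ne 0)
}

function Disable-Smb1Server {
    # Turns off the SMBv1 *server* only; SMBv2 and v3 stay enabled.
    # Honours -WhatIf so the change can be dry-run on a production box first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Get-Smb1ServerEnabled)) { return 'already disabled' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # KB2696547 registry method for Windows 7 / 2008 R2; takes effect after a reboot.
            Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWord -Value 0 -Force
        }
        return 'disabled'
    }
    return 'skipped'
}

# --- report -----------------------------------------------------------------
$kb = Test-Ms17010Patch
$kbText = if ($kb) { $kb } else { 'not found (check for superseding updates)' }
New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    OS           = (Get-WmiObject Win32_OperatingSystem).Caption
    Ms17010Kb    = $kbText
    Smb1ServerOn = Get-Smb1ServerEnabled
} | Format-List

# Remediate once the report has been reviewed (dry run first):
#   Disable-Smb1Server -WhatIf
#   Disable-Smb1Server
```

Two caveats when using it. First, the KB check is a convenience, not proof: Windows 10 cumulative updates supersede each other, so a fully patched Windows 10 host will report "not found", and the credentialed Tenable plugin (which inspects the patched binaries rather than the KB list) is the authority. Second, this script only switches off the SMBv1 server; the SMBv1 client (`mrxsmb10`) is left alone, and on Windows 8.1 / Windows 10 the cleaner route is to remove the feature entirely with `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`, exactly as the KB2696547 article describes.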