Global ransomware outbreak: live update page

• Print

Details

Last Updated: Friday, 19 May 2017 08:30

Published: Monday, 15 May 2017 07:57

Europol has stated that more than 200,000 computers in 150 countries have been affected by the WannaCrypt / WannaCry ransomware outbreak, which was first reported on Friday 12th May. This page will be updated with information about the attacks and advice for organizations.

Update: 9.00am, 19th May 2017

Three core principles to develop an appropriate resistance against ransomware

According to Ixia, there are three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:

1. Discover the origin: the ransomware infection chain invariably starts with a targeted phishing email, with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates and connects to the attacker’s remote server on the Internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine. 

2. Understanding its behavior: focusing ransomware protection on the content being sent to the organization is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.

3. Blocking the infection: The payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the Internet. As IP addresses are relatively scarce, the same ‘bad’ ones tend to be continually re-used. Even brand-new malware variants can be linked to a small number of compromised IP addresses. This means that if a machine in an organization’s network attempts to download content from a known malicious IP address, they are usually in the initial stages of a ransomware attack, and there’s no need to examine the macro that is attempting the download, or the content being downloaded. The simplest, most cost effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously-updated threat intelligence feed. This lets it nullify all new attacks, as well as existing, dormant infections.

Update: 8.30am, 19th May 2017

Lessons from WannaCry

Cyber security company eSentire has compiled a list of its post-WannaCry predictions:

• Patch hygiene will improve – eSentire is hopeful that organizations will significantly alter their continuous patch hygiene. Microsoft has even released new emergency patches for Windows XP and 2003, which speaks to the seriousness of the event and the risk of deploying out-of-date operating systems in production environments.  
• More Shadow Brokers disclosures - We haven’t heard the last of the Shadow Brokers. The hacking group claims to have more tools and information stolen from the US Intelligence community. As they expose new ‘cyber weapons’ adopted by opportunistic threat actors, suddenly everyone is at risk.  
• More variants of WannaCry - theWannaCry story will inspire a new set of attacks. They won’t all necessarily be ransomware, but it remains to be the most hyper-productive model for cybercriminals in terms of monetizing attacks.
• Worms exploiting broad vulnerability + hostile payload: IoT - knowing how quickly worm-based attacks can do massive damage, there is potential for physical damage to infrastructure as we move to IoT. This becomes something that we need to decide on about how we’re going to manage risk. The lack of focus or preparedness for IoT cybersecurity puts everyone at increased risk.
• Fragility of the infrastructure and limited human involvement - with infrastructure that is globally connected and the challenge of patch management, fast-spreading threats can cause massive damage. Especially to embedded systems where there is not ongoing support for vulnerabilities. Plus, future attacks will involve less and less human intervention.

Updates: 9.45am, 17th May 2017

EY recommends six immediate steps for organizations to protect themselves and reduce impact of ransomware attacks

EY says that there are six actions that organizations can take now to help protect their systems from ransomware:

1. Disconnect infected machines from the network and take all backups offline because they also could become encrypted if left connected to the network.
2. Activate your incident response plan and don't treat the investigation as merely an IT issue or exercise. Ensure there is cross-functional representation in the investigation team, including legal, compliance, information security, business, public relations, human resources and other departments.
3. Identify and address vulnerabilities in your connected ecosystem; sufficiently install security updates, malware detection and anti-virus detection to complicate attackers' efforts to get back in; enhance detection and response capabilities for future attacks; and prepare for eradication events.
4. Ensure your systems are patched before powering up PCs. Keep systems up to date with a robust enterprise-level patch and vulnerability management program. This should include a formal, repeatable life cycle to manage vulnerabilities based on risks as they evolve, and a comprehensive asset model that focuses on the exposure of assets to these risks, including any connectivity to other assets.
5. Activate business continuity plans. Prepare data based on varying requirements for regulatory reporting, insurance claim and dispute, litigation, threat intelligence and/or customer notification.
6. Collect and preserve evidence in a forensically sound manner so that it is conducive to investigation, and reliable and usable in civil or regulatory matters.

Kaspersky Lab on possible connections between WannaCry and Lazarus Group

On Monday, May 15th, a security researcher from Google posted an artifact on Twitter potentially pointing at a connection between the WannaCry ransomware attacks that recently hit thousands of organizations and private users around the world, and the malware attributed to the infamous Lazarus hacking group, responsible for a series of devastating attacks against government organizations, media and financial institutions. The largest operations linked to the Lazarus group include: the attacks against Sony Pictures in 2014, the Central Bank of Bangladesh cyber heist in 2016 and a subsequent series of similar attacks continued in 2017.

The Google researcher pointed at a WannaCry malware sample which appeared in the wild in February 2017, two months before the recent wave of attacks. Kaspersky Lab' GReAT researchers analyzed this information, identified and confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the Lazarus group in 2015 attacks.

According to Kaspersky Lab researchers, the similarity of course could be a false flag operation. However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday. This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.

Although this similarity alone doesn't allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin which to the moment remains a mystery.

Updates: 9.00am, 16th May 2017

Airmic: risk managers can take a lead in ransomware incidents

Airmic is suggesting that risk managers are “well positioned to take a lead in the co-ordination of a response to a cyber incident across their organisation.”  

“While there may not be a completely satisfactory response to a crisis situation, a crisis handled poorly can exacerbate the costs of an event, particularly given that the financial and reputational harm caused by failures is now amplified by social media in a ‘sound-bite world’. As risk managers, you should be asking: are your cyber incident crisis plans up to date, and do people know where plans are and what their roles might be?” says Airmic.   

WannaCry ransomware: first ever case of cyber cooperation at EU level

ENISA has reported that it and several European Member States have been working together to assess the situation caused by the WannaCry Ransomware at European level.

Udo Helmbrecht, Executive Director of ENISA, said “as the European Cybersecurity Agency, we are closely monitoring the situation and working around the clock with our stakeholders to ensure the security of European citizens and businesses, and the stability of the Digital Single Market. We are reporting on the evolution of the attacks to the European Commission and liaising with our partners in the European Union CSIRT Network”.

A dedicated taskforce has been set up at ENISA to support what is the first ever case of cyber cooperation at EU level in that the EU Standard Operating Procedures, developed by ENISA and the Member States, are currently being used to this end.

Gartner: Three immediate actions to take

Jonathan Care, research director at Gartner, has outlined steps that cybersecurity professionals must take immediately:

First and foremost, apply Microsoft's MS17-010 patch. If you don't have it, and you have TCP port 445 open, your system will be hit by ransomware.

Then take the following steps to guard your organization against future attacks of this nature:

1. Stop blaming.  While it’s tempting to point the finger at others, one of the key stages of incident response involves focusing on root causes. Microsoft Windows XP, an OS that has been hit hard by WannaCry, can be embedded into key systems as part of control packages. This means that vulnerable firmware may be neither accessible nor under your control. Where you have embedded systems — such as point-of-sale terminals, medical imaging equipment, telecom systems, and even industrial output systems such as smart card personalization and document production equipment — ensure your vendor can provide an upgrade path as a priority. Do this even if you use other embedded OSs, such as Linux or other Unix variants, as it's safe to assume that all complex software is vulnerable to malware.

2. Isolate vulnerable systems. There will be systems that, although not yet affected by malware, are still vulnerable. It’s important to realize that vulnerable systems are often those on which we rely most. A useful temporary fix is to limit network connectivity — identify which services you can turn off, especially vulnerable services like network file sharing.

3. Stay vigilant. Gartner’s adaptive security architecture emphasizes the need for detection. Ensure your malware detection is updated. Check that your intrusion detection systems are operating and examining traffic. Ensure that user and entity behavior analytics (UEBA), network traffic analysis (NTA) and security information and event management (SIEM) systems are flagging unusual behavior, that such issues are being triaged, and that incident handlers are responsive. Bear in mind that additional resources may be required to handle the volume of incidents, liaise with law enforcement agencies, and field questions from the public (and possibly the media). Keep technical staff focused on resolving key issues and let someone else answer external questions.

After the crisis, there will be time to learn lessons. At that point, organizations should review vulnerability management plans; re-examine approaches to not just protective measures but also key detection capabilities, such as UEBA, NTA and advanced SIEM; perform additional threat modeling; and consider carefully what risks you can afford to tolerate and assess your cloud security. You may also want to assess your cloud security.

Update: 14.45pm BST, 15th May

WannaCry FAQs

Kaspersky Lab has supplied Continuity Central with a set of FAQS about the WannaCry ransonware. Click here to read it.

Update: 14.15pm BST, 15th May

The lull before the storm?

Comment by Vijay Michalik, Industry Analyst, Digital Transformation, Frost & Sullivan:

"This large scale ransomware infection is a clear sign of the escalating challenges facing cybersecurity.

“While the attack was stopped in its tracks as a kill-switch was found and activated by a cybersecurity researcher known as MalwareTech, it is highly likely that a new strain will appear without this flaw. The kill-switch doesn't decrypt the files that are already compromised, and it doesn't appear that the encryption has its own exploitable flaw.

Updates: 10.30am BST, 15th May

Call made for cyber police force

Cyber security researcher Professor Mark Skilton, of Warwick Business School has made the following comment, calling for a 'cyber police force':

"This attack has shown there needs to be a cyber police force at a global level to help manage these escalating threats with the right level of specialist skills, and not just vendors sorting it out for themselves. My research has found a need for a global legal system to govern the Internet as its activity is unseen and spreads across geographic and commercial jurisdictions. While we all carry the liability, we have little protection to tackle what is now open full scale war with the criminals. 

"Microsoft is right to call for a 'Digital Geneva convention of rights'; the risk and impact of cyber weapons can do the same or more harm than physical weapons. It can indirectly kill patients, change traffic controls, alter car onboard steering systems, change election outcomes and more. Governing the digital world is much harder as the identity of people and things is obfuscated, partly due to the paradox of the need for privacy, but also from the nature of digital data that is re-coded, redactable and transmutable.  The current threats mean that general users and companies can not protect themselves. Just doing perimeter security does not work as this ransomware has shown. Plus, it can get through networks as a 'worm' technology."

US-CERT issues alert

US-CERT has released an alert providing information about the global ransomware outbreak, its impacts and the actions that organizations can take. The overview reads as follows:

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

Read the alert.

Updates: 9.00am BST, 15th May

Rob Wainwright, a director of Europol, is reported by the BBC as stating:
“We've never seen something on this scale and that's because the ransomware itself has been combined with a worm application that allows the infection from one computer to quickly spread across other networks. That's why we're seeing these numbers increasing all the time and right across different sectors, right across the world. The numbers are still going up."
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack

Brad Smith, President and Chief Legal Officer for Microsoft, provided the following information in a blog post :

• Starting first in the United Kingdom and Spain, the malicious ‘WannaCrypt’ software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
• This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.
• This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
• The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Read the full blog.

Statement and advice from the UK National Cyber Security Centre:

“Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind.  But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.

“This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.

“Our national focus must therefore be on two lines of defence.

“The first is to limit the spread and impact of the attacks that have already occurred.  Due to broad government and partner efforts, a variety of tools are now publicly available to help organisations to do this. This guidance can be found on our homepage – ncsc.gov.uk – under the title 'Protecting Your Organisation From Ransomware'.

“We know already that there have been attempts to attack organisations beyond the National Health Service. It is therefore absolutely imperative that any organisation that believes they may be affected, follows and implements this guidance.

“We have set out two pieces of guidance: one for organisations and one for private individuals and SMEs which can be applicable regardless of the age of the software in question. It will be updated as and when further mitigations become available and we will announce when updates have been made on Twitter (@ncsc) and elsewhere.
Secondly, it is possible that a ransomware attack of this type and on this scale could recur, though we have no specific evidence that this is the case.  What is certain is that ransomware attacks are some of the most immediately damaging forms of cyber attack that affects home users, enterprises and governments equally.

“It is also the case that there are a number of easy-to-implement defences against ransomware which very considerably reduce the risk of attack and the impact of successful attacks.  These simple steps to protect against ransomware could be applied more thoroughly by the public and organisations

“Companies can undertake three simple steps which are also set out on our website and can be summarised as follows:

• Keep your organisation's security software patches up to date
• Use proper antivirus software services
• Most importantly for ransomware, back up the data that matters to you, because you can't be held to ransom for data you hold somewhere else.

Find the guidance here.

"Home users and small businesses can take the following steps to protect themselves: 

• Run Windows Update
• Make sure your antivirus product is up to date and run a scan – if you don’t have one install one of the free trial versions from a reputable vendor
• If you have not done so before, this is a good time to think about backing important data up – you can’t be held to ransom if you’ve got the data somewhere else.

Find the guidance here.

"In the days ahead, the NCSC, working closely with the National Crime Agency in support of their criminal investigation, and with international partners in both other governments and the commercial sector, will continue our round-the-clock effort to get ahead of this threat.  We would like to reassure the public that resources from the Government, law enforcement and public and private sector organisation are working together to manage further disruption from the current attack and to increase protection against any further attacks in the coming days. The country's security and law enforcement agencies are working round the clock to protect the public. Private sector efforts have made a very significant contribution to mitigate the cyber attacks so far and to  prevent further disruption."