As the first news of the latest wide-scale ransomware threat hit the airwaves, the Trilogy Security Incident Response team has been monitoring the outbreak of the “WannaCrypt/WannaCry/WCry” malware. Global in scope, this latest cybersecurity threat has been reported to affect organisations in the United States, United Kingdom, Taiwan, Russia, Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Spain, Germany, Ukraine and the Philippines.
How does it work?
The malware in question is a new variant of WannaCry, a form of “ransomware” that encrypts files on Windows desktops, laptops, and servers.
How is “WannaCry” different?
Beyond the ransomware behaviour seen before, WannaCry is also a worm. It spreads using a known Windows SMBv1 vulnerability, MS17-010, which can be traced back to a set of leaked NSA exploits that was made available earlier this year.
Once a system is infected the ransomware worm element starts polling the local network on ports 139 and 445 in an effort to propagate and infect other systems. It will try to spread itself as far and wide as possible.
This malware affects all Microsoft Windows Operating Systems and can spread to unpatched Microsoft Windows systems using SMB File Sharing.
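The propagation behaviour described above (one host reaching many peers on ports 139 and 445 in a short time) is something a defender can look for in firewall or flow logs. The script below is an added example, not code from Trilogy or from the original advisory; the log format, the 60-second window and the threshold of five distinct peers are assumptions, and the log lines are constructed.

```python
"""Flag internal hosts showing SMB worm-like fan-out (many distinct peers on 139/445)."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample flow-log lines (assumed key=value format, not from the advisory).
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.1.15 dst=10.0.1.20 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.1.15 dst=10.0.1.21 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.1.15 dst=10.0.1.22 dport=139 proto=tcp
2017-05-12T10:00:03 src=10.0.1.15 dst=10.0.1.23 dport=445 proto=tcp
2017-05-12T10:00:03 src=10.0.1.15 dst=10.0.1.24 dport=445 proto=tcp
2017-05-12T10:00:04 src=10.0.1.15 dst=10.0.1.25 dport=445 proto=tcp
2017-05-12T10:00:10 src=10.0.1.40 dst=10.0.1.5 dport=445 proto=tcp
2017-05-12T10:00:11 src=10.0.1.40 dst=10.0.1.5 dport=445 proto=tcp
2017-05-12T10:00:12 src=10.0.1.41 dst=10.0.1.6 dport=80 proto=tcp
2017-05-12T10:05:00 src=10.0.1.40 dst=10.0.1.7 dport=445 proto=tcp
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["dport"])

def find_smb_fanout(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct SMB peers within `window`} for sources at/above threshold.

    Normal file-server use is repeated connections to a few hosts; worm propagation
    is many distinct hosts in a short time, so we count distinct destinations only.
    """
    events = defaultdict(list)  # src -> [(ts, dst)] for SMB-port connections only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))
    alerts = {}
    for src, conns in events.items():
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):
            # distinct destinations reached in the window that opens at this connection
            peers = {d for t, d in conns[i:] if t - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB peers within 60s (possible worm propagation)")
```

Host 10.0.1.40 talks to the same server repeatedly and is not flagged; only the host fanning out to six distinct peers in a few seconds is.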
It is being delivered via a phishing campaign in which the email contains a Word attachment with an encrypted archive. However, new variants may behave differently.
Trilogy mitigation strategies and recommendations
The malware will arrive via email or the web. We advise all users to be hyper-vigilant when opening emails and browsing the internet, and to follow these best practices:
- Do not open email from unknown or untrusted senders
- Do not open untrusted attachments or click on untrusted links in emails
- Do not browse websites outside of business needs
- Do not browse websites with an untrusted certificate
- Notify all users in your organisation regarding this threat with a strong reminder NOT to click links or open files in emails from suspicious or unknown sources
Any Microsoft updates that haven’t been applied to servers and desktops should be applied as soon as possible to prevent the malware from spreading. The Microsoft patch is MS17-010 and affects every operating system. Applying this patch should prevent spreading should one of your machines become infected.
Your IT team or Managed IT Service provider should have received the update and have patched your servers for protection from the malware.
Make sure that your anti-virus is up to date on all servers and endpoints.
Review current backup policies and procedures and be prepared to perform a restore in case of infection – it is never a good idea to pay the ransom in a ransomware attack if at all avoidable.
We constantly iterate the message to our customers BACKUP, BACKUP, BACKUP!