Friday 12 May 2017

WannaCry Global Cyber Attack Killing the NHS Explained & Help

A large-scale cyber-attack has impacted organisations around the world today, including badly affecting NHS services, with at least 25 NHS organisations hit by a mass ransomware outbreak. The ransomware responsible is known as WanaCrypt0r 2.0, WannaCry or WCry2. Once it infects a system, it not only encrypts data on the host system but also attempts to infect other computers over the local network.

This aggressive malware uses an exploit method named EternalBlue, details of which were posted online in the Shadow Brokers dump of NSA hacking tools on April 14th, 2017. WannaCry exploits this Windows vulnerability (CVE-2017-0145) to spread quickly over the network (i.e. it is worm malware). The vulnerability was patched by Microsoft on 14th March 2017. More specifically, the vulnerability lies within the SMB protocol, which is used for network file sharing, and the WannaCry malware exploits it to replicate itself to other vulnerable Windows devices attached to the same network.

WCry2 Ransomware Demand

To avoid the WannaCry ransomware infection within a network environment, make sure Microsoft Critical Security Update MS17-010 is applied to all Microsoft Windows systems. The update was released by Microsoft on 14th March 2017, so if you have operated a good patch management process, or allow Microsoft to automatically update your system, and you run anti-virus with up-to-date definitions, then you should be well protected from the WannaCry mass outbreak. If you are unable to patch your system, you can look into disabling the SMB service to prevent the malware from spreading.
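The following read-only audit is an added example, not part of the original post: it reports whether a single Windows host could possibly have the March 2017 update and whether it still exposes SMB. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the function name `Get-SmbExposureReport` and the output field names are illustrative, and the date comparison is a heuristic, since a newer update date does not prove MS17-010 itself is installed. MS17-010 patches the SMBv1 server, which is why that component is the one checked.

```powershell
# Added example: local, read-only audit. Names are illustrative, not from the article.
function Get-SmbExposureReport {
    [CmdletBinding()]
    param(
        # Release date of MS17-010 as stated in the article.
        [datetime]$PatchReleased = [datetime]'2017-03-14'
    )

    # Newest update the host reports. InstalledOn is empty for some
    # entries, so those are skipped before sorting.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # $true  = no update since before the patch shipped, so MS17-010 cannot be present.
    # $false = updates exist after that date (necessary, not sufficient).
    # $null  = the host reported no dated updates; treat as unknown.
    $predates = if ($latest) { $latest.InstalledOn -lt $PatchReleased } else { $null }

    # SMBv1 server state. The cmdlet exists on Windows 8 / Server 2012 and later;
    # on older systems the value stays $null (unknown).
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Is the host accepting SMB connections on TCP 445?
    $listening = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OS                  = (Get-CimInstance Win32_OperatingSystem).Caption
        LatestHotFix        = $latest.HotFixID
        LatestHotFixDate    = $latest.InstalledOn
        LastUpdatePredatesPatch = $predates
        Smb1ServerEnabled   = $smb1
        Tcp445Listening     = $listening
    }
}

Get-SmbExposureReport | Format-List
```

A host that shows `LastUpdatePredatesPatch` as True together with `Tcp445Listening` as True is the combination to patch or isolate first.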


The MS17-010 update stops the WannaCry ransomware from spreading within a network; it does not stop WannaCry ransomware from running when it is clicked upon within a phishing email attachment or link.

To prevent execution, update your anti-virus and be vigilant with scam (phishing) emails that entice you to click on links or open attachments.

Microsoft has released patches for their non-supported Windows platforms, including Windows XP and Windows Vista. The Microsoft overview can be found on their Technet blog - https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Controlling an ongoing WannaCry Mass Infection
Where there are multiple malware infections detected, the priority is to contain the spread of the ransomware and the subsequent impact. This means powering off any potentially vulnerable systems and disconnecting them from the network immediately. Before re-connecting any potentially vulnerable system, apply all the security updates and then run a full anti-virus (AV) scan to check for the presence of the malware, and make sure your AV product is able to detect WannaCry, which most common AV products now are.

A comprehensive guide to the WannaCry/WannaCrypt outbreak can be found here https://comparite.ch/wannacry

Worried about a Mass Infection at your Business
If your organisation is yet to be infected by this malware and you are concerned, ensure the MS17-010 update is applied on all Windows devices, check Anti-Virus definitions are up-to-date and consider disconnecting from all third party networks until you are certain all systems are fully protected.

Infected: Should I Pay the Ransom to get my Data Back?
I do not recommend paying a ransomware ransom. At this point in time, there is no workaround to decrypt WCry (.wcry) encrypted files. Bitcoin intelligence shows people are paying the WannaCry ransom, and according to reports, those that are paying are slowly receiving working keys to decrypt their WannaCry data.

If you don't plan to pay and there is data encrypted (not backed up) you want to keep, I suggest keeping a backup or drive image of the infected systems/encrypted files, as it might be possible to decrypt the data in the future. 

Beware of Bogus Ransomware Removal Tools. There are plenty of dodgy websites offering fake ransomware recovery software or instructions to install further malware. Such illicit tools often come with a price and can destroy any hope of file recovery, so avoid any tools from untrusted online vendors.

WannaCry Removal 
I recommend completely wiping any infected system's hard drive, and recovering data from a recent non-infected clean backup, and obviously ensuring all those Microsoft security updates are applied and anti-virus is running and up-to-date. If you do want to remove the WannaCry ransomware infection without wiping, see - WCry Removal Instructions.

Why is NHS so badly Hit?
Going off tweeted screenshots of the NHS WCry infections, there still appear to be many instances of Windows XP used within the NHS. Windows XP is a long-outdated operating system and has been unsupported for security updates by Microsoft for a number of years. This means Windows XP is completely open to infection by WCry and other forms of malware. Although Windows XP's security can be beefed up using application whitelisting, I personally wouldn't recommend using it as an operating system due to its insecurity.

To compound problems, staff working within the NHS have been describing a flat network via social media. So instead of a network of firewalled, ring-fenced small network segments, it suggests the NHS has a large open network, which allows network self-propagating malware like WCry to spread far and wide rapidly throughout the organisation.

The initial advice is to upgrade away from Windows XP to a supported operating system ASAP; that's a bit tricky for a cash-strapped organisation like the NHS, I know. However, IT systems are critical components of the overall health service provision, and as such, they should not be neglected when it comes to prioritising budgets. Given it is the NHS, I believe the political ramifications of this cyber attack are going to go on for some time. Make no mistake, what happened with the NHS today is a world-class landmark cyber attack, and we'll be talking about it for years within the cybersecurity industry.

Could it be Cyber Terrorism or a Nation-State Cyber Attack?
As reports of this global cyber attack initially flooded in, the first thought was it could be Cyber Terrorism or Nation-State orchestrated, given the same ransomware type had been reported attacking organisations en masse. The fact 'national infrastructure' type organisations like Telefonica and utility gas firms like Iberdrola were hit could be seen as a smoking gun for a more sinister intent behind the attack than criminal money-making. It certainly fits the objective of a cyber-terror attack: spreading fear by causing public mayhem, and placing lives at risk by closing down country-wide critical services, especially health services. However, I believe these attacks are unlikely to be terror or nation-state related; we'll have to wait for more details about how the ransomware initially infiltrated these organisations to be certain. Ransomware is predominantly a cyber-criminal tool, so perhaps this is a case of the malware's 'network worm' propagating element being over-successful, as all cybercriminals want is to get paid the ransom, not kill services, and in the case of WannaCry, we know the bad guys are getting paid ransoms.

Update 2021: A North Korean state-associated threat actor group named 'The Lazarus Group' was widely blamed for this attack by security researchers, and specifically by both the UK and United States governments and security services. The excellent "The Lazarus Heist" podcast by the BBC tells you everything you need to know about The Lazarus Group, with episode 10 specifically covering the WannaCry attack - see BBC Sounds - The Lazarus Heist - Available Episodes

Above all, the impact of today's cyber attack serves as a harsh lesson in what can go wrong when organisations ignore years of warnings to upgrade unsupported operating systems, and in the necessity of applying critical security patches soon after release.
