Ransomware has become such a pervasive threat to industry and the public at large that it is now a household name. More recently, however, the vectors through which the virus spreads have changed, making ransomware more dangerous than ever before.
On May 12th, Reuters reported that a number of high-profile Spanish companies had been hit by a new strain of ransomware called WannaCry, leading to significant disruption to business operations. 1 The Spanish National Cryptological Centre (CCN) have confirmed this report and have labelled this a ‘massive attack’ of ‘very high’ severity, urging all systems administrators to take immediate action to mitigate the vulnerability.
Additionally, reports are coming in from the UK, where NHS sites have been targeted, forcing hospitals to divert patients3. Ward recommend that all our customers take immediate action to mitigate the threat of the WannaCry ransomware.
What is Ransomware all about?
Ransomware is any program that either encrypts the affected user’s files or locks their device, leaving it in an unusable state, with the intention of demanding payment for the release or decryption of their files. The malware is most commonly spread via malicious links or attachments in spam emails or, increasingly, by infected third-party sites. In the past, strains of ransomware have included crypto-ransomware such as Cryptowall and Teslacrypt, which directly encrypts user files and folders; and also Locker-ransomware, which saw a rise throughout 2016. Locker-ransomware, including variants such as Locky and CryptoLocker, is typically transmitted through maliciously crafted Microsoft Office attachments.
Why Should You Be Concerned?
The recent news reports coming out of Spain demonstrate that this variant of ransomware is unlike any encountered before, in that the virus spreads by exploiting a Microsoft vulnerability. This particular strain is called WannaCry, and it spreads by using a Samba vulnerability in Microsoft Windows to infect shared drives within a networked organisation.
The Samba vulnerability is known to Microsoft, having been disclosed on March 14th, 2017, and affects most Windows versions, including the following:
- Microsoft Windows Vista SP2
- Windows Server 2008 R2 SP1 and SP2
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 R2
- Windows 10
- Windows Server 2016
Ward recommend that systems administrators immediately take action to patch against this Microsoft vulnerability, thereby mitigating against the WannaCry ransomware virus.
Further details on this patch can be found on the Microsoft support site here: https://support.microsoft.com/en-sg/help/4013389/title
If you are using McAfee ePO, we additionally recommend that you create a custom access rule in AV to block *.wcry and *.wncry.
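A sweep of a shared drive for files carrying the two extensions the access rule above blocks, as an added example that is not part of the original advisory or of any McAfee tooling. It groups matches by folder and lists folders by earliest match, so responders can see which shares are affected and where the files first appeared. The function names, the constructed sample tree and the use of file modification time as the "first seen" signal are assumptions of this example.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Extensions named in the advisory above; matched case-insensitively.
BLOCKED_EXTENSIONS = (".wcry", ".wncry")


def sweep(root):
    """Group files with a blocked extension under `root` by directory.

    Returns {directory: {"count": int, "earliest": datetime (UTC)}}.
    """
    hits = defaultdict(lambda: {"count": 0, "earliest": None})

    def skip_unreadable(err):
        # Unreadable folders are reported, not fatal: the sweep must finish.
        print(f"skipped (no access): {err.filename}")

    for folder, _subdirs, files in os.walk(root, onerror=skip_unreadable):
        for name in files:
            if not name.lower().endswith(BLOCKED_EXTENSIONS):
                continue
            try:
                mtime = os.stat(os.path.join(folder, name)).st_mtime
            except OSError:
                continue  # file vanished or is locked; it is not counted
            seen = datetime.fromtimestamp(mtime, tz=timezone.utc)
            entry = hits[folder]
            entry["count"] += 1
            if entry["earliest"] is None or seen < entry["earliest"]:
                entry["earliest"] = seen
    return dict(hits)


def report(hits):
    """Return report lines, earliest-affected directory first."""
    ordered = sorted(hits.items(), key=lambda kv: kv[1]["earliest"])
    return [f"{v['earliest']:%Y-%m-%d %H:%M:%SZ}  {v['count']:>5}  {k}" for k, v in ordered]


if __name__ == "__main__":
    # Constructed sample tree (not real data) so the script runs offline.
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "finance"))
        for name in ("budget.xlsx.WNCRY", "notes.txt", "q1.docx.wcry"):
            open(os.path.join(share, "finance", name), "w").close()
        print("\n".join(report(sweep(share))))
```

To check a real share, call `report(sweep(path))` with the path of the mounted drive; a non-empty result means files with the blocked extensions are already present there.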
If you would like additional information or would like support in implementing preventative measures in your environment, please call us at +353 1 642 0100 or +44 (0) 28 9073 0188, or e-mail us at email@example.com or firstname.lastname@example.org, as appropriate.