Cisco UK & Ireland Blog

WannaCry outbreak: what we know so far

May 15, 2017

As news first broke of a ‘significant cyber attack’ on Friday afternoon UK time, it initially looked like a deliberate attempt on our national health service: they appeared to be hit by a ransomware campaign, which was designed to exploit any technology weaknesses, and bring their systems to a halt…unless they paid the cyber criminals a fee.

However, it soon became clear that as more and more countries came forward with their own similar reports, that this was a rapidly spreading global threat. No one industry was immune, and it definitely wasn’t your ‘usual’ case of ransomware…

This article by the New York Times includes an impressive visualisation to show how tens of thousands computers became infected across the globe…a lot of them simultaneously.

So what do we know about the attack so far?

Our threat intelligence experts, Cisco Talos, have done a terrific job over the weekend in educating people about the attack.  Here’s a quick summary:

The malware responsible for this attack is a ransomware variant known as ‘WannaCry’. WannaCry gets installed through a vulnerability in the Microsoft SMB protocol, not phishing emails or malvertising which is how ransomware normally gets distributed.

SMB is a network protocol used to share files between computers. One of the reasons that this ransomware spread so rapidly and so quickly is because of the fact that it can spread laterally on the same network, automatically installing itself on other systems in the network without any end user involvement.

The malware is particularly effective in environments with Windows XP machines, as it can scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.

On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers remained unpatched globally.

This is particularly true of Windows XP computers which are no longer supported by Microsoft, as well as the millions of computers globally running pirated software, which are (obviously) not automatically upgraded.

Our threat intelligence team have been actively investigating this threat and their latest findings are here – this blog is being continually updated with new information as it comes to light so please do keep that link to hand.

I just wanted to point out a couple of really key paragraphs:

  • The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whomever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.
  • Organisations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible as paying the ransom directly funds development of these malicious campaigns.
  • Organisations looking to mitigate the risk of becoming compromised should follow the following recommendations:

1. Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
2. In accordance with known best practices, any organisation who has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

If you’re a Cisco customer and/or you have any questions about anything with regards to the nature of your cyber security, please get in touch with our team who are happy to help.

If you’d like to know more about how to keep Ransomware at bay, please visit our webpage here.

We’re going to be talking WannaCry, the recent OAuth phishing attack, and lots of other ‘top of mind’ cybersecurity challenges at InfoSecurity Europe which is taking place 6-8 June in London.  Please join us at the Cisco stand to learn lots of insights into how to effectively manage your security strategy.

Leave a comment