We are currently seeing a large-scale ransomware outbreak. This outbreak is more devastating than earlier ones because the malware spreads laterally within networks.
Who does it affect:
Any Windows computer without Windows patch MS17-010.
What to do:
Apply patch MS17-010 immediately.
The key factor in the ‘success’ of this malware strain, called WannaCry, is its lateral movement within networks. To achieve that lateral movement it leverages a bug in Windows SMBv1 and SMBv2. This bug was found by the NSA, and recently a group of cybercriminals calling themselves “The Shadow Brokers” released all of the details of the bug to the public.
On March 14th Microsoft officially released a patch for this bug. Today, May 12th, cybercriminals have succeeded in building this bug into their malware strain, resulting in the damage we see today.
This ransomware strain initially spreads through the normal routes: a spam email is sent containing a malicious link or a malicious document. Once a target activates the malware, by either clicking the link or opening the document, the malware holds the computer hostage until a ransom is paid. It does this by encrypting all of the files on the system with an encryption key.
Once the ransom is paid, a decryption key is supplied to the victim to decrypt the computer and its files.
Thus far this is ‘normal’ ransomware behavior. But once a victim is infected, this malware also starts scanning the internal network, looking for other vulnerable Windows systems that haven’t applied the MS17-010 patch. If it finds a vulnerable system, it infects that system as well.
The problem here is that patches are often rolled out under a company-wide policy. Hospital IT departments in particular don’t roll out patches straight away: they are afraid systems might break because of the patch and want to test it first. This means that if one computer within a company gets infected and the MS17-010 patch has not been applied company-wide, all of the Windows systems will get infected with the malware.
You can have as many backups as you want, but a malware outbreak that infects all of your Windows systems is very hard to combat. Anyone can imagine the impact of every Windows computer being disabled.
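To turn the advice above into something an administrator can actually run, the following is an added example (not code from the original post). It checks a single Windows host for two things that matter in this outbreak: whether one of the MS17-010 security updates is installed, and whether the SMBv1 server component is still enabled. Assumptions: it is run from an elevated PowerShell prompt on the host being checked; the KB numbers are the March 2017 MS17-010 updates as I recall them for each Windows version, so confirm them against the Microsoft bulletin for your exact OS build; and the registry location used for pre-Windows 8 hosts is the documented LanmanServer setting for SMB1.

```powershell
# Added example, not from the original post: check one Windows host for the
# MS17-010 fix and for SMBv1 exposure, which WannaCry uses to move laterally.
# Assumes an elevated prompt on the host being checked.

# MS17-010 security updates per Windows version (verify against the Microsoft
# bulletin for your exact build before relying on this list).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012598',                            # Vista / Server 2008 (later also released for XP / Server 2003)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Hotfix {
    # Returns $true if any of the listed updates is installed on this host.
    # Caveat: cumulative updates released after March 2017 supersede these KBs,
    # so a Windows 10 host can be patched without any of them showing up here.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Reports whether the SMB1 server component is enabled.
    # Windows 8 / Server 2012 and later expose this through Get-SmbServerConfiguration;
    # older hosts only have the registry value, where an absent value means "enabled"
    # because enabled is the default.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

$patched = Test-Ms17010Hotfix
$smb1On  = Get-Smb1State

"{0}: MS17-010 update present: {1}; SMBv1 enabled: {2}" -f $env:COMPUTERNAME, $patched, $smb1On

if (-not $patched) {
    Write-Warning "No MS17-010 update found. Install it now, or confirm that a later cumulative update covers it."
}
if ($smb1On) {
    Write-Warning "SMBv1 is enabled. Once no legacy client depends on it, disable it with:"
    Write-Warning "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
```

For a whole estate, wrap the same script in `Invoke-Command -ComputerName` against your server and workstation lists and collect the three fields per host; any host reporting no update and SMBv1 enabled is exactly the kind of machine the worm is looking for, and should be patched or isolated before it is reached.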
MS17-010 vs MS08-067
MS17-010 closely resembles an earlier patch named MS08-067. MS08-067 is a very famous bug within hacker communities because it almost always guarantees you access within a network. Even after almost 10 years this bug is still very useful to penetration testers.
Around the release of patch MS08-067 a major malware outbreak came to light. The malware responsible at the time was Conficker. Conficker spread all over the world and infected computers in many countries, causing a lot of problems.
Conficker vs WannaCry
The difference between the Conficker malware at the time and this ransomware, called WannaCry, is that Conficker basically infected the computer but didn’t affect the computer’s ability to function and perform basic tasks. It did, however, download additional malware and try to install fake antivirus. The WannaCry malware is completely different. This malware strain basically cripples the computer’s capabilities. The normal tasks the computer performs cannot be done anymore. The computer basically stops working until you pay the ransom.
Because of this difference, the devastating effect WannaCry will cause will be far greater.
We have one piece of advice. Apply patch MS17-010 NOW.