SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Exclusive viewpoint: Self-propagating ransomware hits U.K & 90+ other countries
Tue, 16th May 2017
FYI, this story is more than a year old

The reports came swiftly on Friday morning, May 12 – the first I saw were that dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed.

Said the BBC,

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down "one by one".

NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.

Throughout the day other, mainly European countries, reported infections.

Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.

The infections spread quickly, reportedly hitting as many as 100 countries, with Russian systems affected apparently more than others. What was going on? The details came out quickly: This was a relatively unknown ransomware variant, dubbed WannaCry or WCry; WCry had been ‘discovered' by hackers who stole information from the U.S. National Security Agency (NSA); affected machines were Windows desktops, notebooks and servers that were not up to date on security patches.

Most alarming, WCry did not spread across networks in the usual way, through people clicking on email attachments; rather, once one Windows system was affected on a Windows network, Wcry managed to propagate itself and infect other unpatched machines without any human interaction. The industry term for this type of super-vigorous ransomware: Ransomworm.

Ransomworms spread quickly

Knowing this was a ransomworm, rather than a normal ransomware, I turned to one of the experts on malware that can spread across Windows networks, Roi Abutbul. A former cybersecurity researcher with the Israeli Air Force's famous OFEK Unit, he is founder and CEO of Javelin Networks, a security company that uses artificial intelligence to fight against malware.

Abutbul told me, “The WannaCry/Wcry ransomware—the largest ransomware infection in history —is a next-gen ransomware. Opposed to the regular ransomware that encrypts just the local machine it lands on, this type spreads throughout the organization's network from within, without having users open an email or malicious attachment. This is why they call it ransomworm.

He continued, “This ransomworm moves laterally inside the network and encrypts every PC and server including the organisation backup.

The good news is that Javelin's software was able to prevent the spread of Wcry on their customers' computers, right out of the gate, explained Abutbul. “Javelin's solution is specifically designed to automatically detect, respond, and contain such spreading in a corporate network in real-time. This ransomworm specifically used Microsoft SMB vulnerability MS17-010 to spread internally (the same vulnerability the NSA utilized for a couple years and was recently exposed via the January NSA tools leak).

It's important to emphasise that this is not a hack created by the NSA. Rather, it's a Windows vulnerability that the NSA knew about, and which was disclosed in January 2017. Microsoft, like other vendors whose vulnerabilities were in the NSA data dump, moved quickly to fix the defect. The problem is that not all customers installed the patch. Microsoft Security Bulletin MS17-010, published on March 14, 2017, describes:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

The bulletin goes on to say,

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Affected Windows systems include everything from Windows Vista, Windows Server 2008, Windows 7, Windows 8.x, Windows Server 2012, Windows 10 and Windows Server 2016.

Safe for now, but maybe not for long

The good news is Wcry burned quickly – and burned out, and within a couple of days, was no longer a serious threat, although we will hear for weeks about infected systems, because some organisations will be slow to install the patches in Microsoft's security update.

The bad news is that other ransomworms like this are probably out there. Roi Abutbul warned me, “This time, the attackers used an unpatched rare vulnerability, but there are many other ways to move laterally and spread inside the network. Javelin specifically focuses on the malicious lateral movement in its early phases and has the ability to stop every spread attempt regardless of methodology and help the organisation recover automatically.

The best advice: First, keep up to date on Windows patches. Too many organisations, particularly those in the public sector, or with limited IT resource like hospitals, defer the installation of patches. Second, use tools like those offered by Javelin Networks, to protect the network against known and unknown malware and attacks. If you're not patching, and if you're not using tools like this, there is zero doubt: You are vulnerable.