Executives in charge of security should immediately warn employees against opening any suspicious Word documents and apply patches to any legacy Windows systems to avoid falling victim to a ransomware attack that is sweeping the globe.
Several antivirus vendors, including Kaspersky, are reporting an attack that has compromised tens of thousands of computers across as many as 100 countries. The U.K. is among the hardest hit, with its National Health Service being disrupted. European telco Telefonica was also affected. According to CBC.ca, Lakeridge Health hospital in Oshawa, Ont., says its systems detected an attempted attack but it was deflected by endpoint software. The Communications Security Establishment (CSE), which is responsible for securing Canadian government systems, issued a statement saying, “There is no indication that any [federal] information, personal or otherwise, was compromised.”
“We continue to work to ensure CSE’s dynamic cyber defence security systems are and will continue to be ready to defend Government of Canada systems against these and future types of similar attacks,” the statement said.
While a key URL that the worm checks before running has been disabled (the so-called kill switch), the ransomware can still spread to unpatched systems running legacy versions of Windows that require a proxy to reach the Internet, which is the norm for corporate networks, because those systems cannot complete the check.
The malware being used to orchestrate the attack is ransomware that has been weaponized with EternalBlue, an SMB exploit from a National Security Agency toolkit that was leaked by a group called The Shadow Brokers in April. It is unknown who is behind the attacks.
The WannaCrypt or WannaCry malware targets Windows versions prior to Windows 10 that were not patched for MS17-010, which Microsoft released in March. Early reports describe the malware as being delivered in an infected Microsoft Word file sent by email, disguised as a job offer, an invoice, or another relevant document. Whatever the initial delivery, the worm component then spreads to other unpatched hosts over SMB with no user interaction.
Once it runs, the ransomware encrypts the user’s files and demands that $300 to $600 in Bitcoin be sent as payment to restore them. A countdown timer appears, suggesting a limited amount of time to pay before the files are deleted for good.
Protecting against the attack
Microsoft issued customer guidance on Friday addressing the attacks. It explains that machines that have Windows Update enabled and have installed the March updates are protected. Those that don’t have it enabled should immediately deploy the update described in Microsoft Security Bulletin MS17-010.
Microsoft also updated its Windows Defender software to detect the threat. Many other antivirus products also protect against the threat. It also issued patches for its OS versions that no longer receive general support, including Windows XP, Windows 8, and Windows Server 2003.
An analysis by Malwarebytes finds that before doing anything else the worm tries to connect to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and exits if the connection succeeds. That domain has since been registered and sinkholed, so it now resolves to an IP address that serves a web page and the check succeeds. As a result, nothing will happen on a newly exposed system running the infected file unless that system can only reach the Internet through a proxy: such a system cannot complete the check, and the malware proceeds.
Microsoft says the threat could evolve over time and says customers should consider disabling legacy Server Message Block (SMB) communications on their networks: SMBv1 outright, and temporarily SMBv2 and SMBv3.
Cisco Systems’ Talos threat intelligence service says that, in accordance with known best practices, any organization that has SMB publicly accessible via the Internet (TCP ports 139 and 445) should immediately block that inbound traffic.
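The three mitigations above (confirm MS17-010 is installed, disable SMBv1, block inbound 139/445) can be checked and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not Microsoft’s, Malwarebytes’ or Talos’ code. The KB numbers are the MS17-010 packages listed in the bulletin for each platform; the rule name, function names and the choice to block only on the Public profile are this example’s own assumptions.

```powershell
# Added example for this article (not vendor code): check for MS17-010 and
# apply the SMB mitigations described above. Run as Administrator.
#Requires -RunAsAdministrator

# MS17-010 update packages by platform (security-only and monthly rollup),
# as listed in the bulletin. Verify against the bulletin for your exact build.
$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP, Windows 8, Server 2003 (out-of-band)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Returns $true if an MS17-010 package appears in the installed-hotfix list.
    # Caveat: Get-HotFix does not show updates superseded by later cumulative
    # updates (common on Windows 10), so $false on a fully patched machine means
    # "check the OS build / SMB server binary version", not "exposed".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    if ($found.Count -gt 0) {
        Write-Host "MS17-010 present: $($found -join ', ')"
        return $true
    }
    Write-Warning "No MS17-010 package found in Get-HotFix output."
    return $false
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server component, which is what EternalBlue targets.
    # Windows 8 / Server 2012 and later have Set-SmbServerConfiguration;
    # Windows 7 / Server 2008 R2 need the registry value Microsoft documents
    # for LanmanServer (SMB1 = 0), which takes effect after a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server disabled via Set-SmbServerConfiguration."
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning "SMB1 registry value set to 0; a reboot is required."
    }
}

function Block-InboundSmb {
    # Host-firewall rule blocking inbound NetBIOS session (139) and SMB (445),
    # the ports Talos says must not be reachable from the Internet. Scoped to
    # the Public profile (assumption) so domain file sharing keeps working;
    # drop -Profile to block on all networks during an active outbreak.
    $name = 'Block inbound SMB (WannaCry mitigation)'   # assumed rule name
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Public | Out-Null
        }
    } else {
        # Windows 7 has no NetSecurity module; fall back to netsh.
        netsh advfirewall firewall add rule name="$name" dir=in action=block `
            protocol=TCP localport=139,445 profile=public | Out-Null
    }
    Write-Host "Inbound TCP 139/445 blocked on the Public profile."
}

# Driver: report patch state, then apply the two network-side mitigations.
$patched = Test-Ms17010Installed
Disable-Smb1Server
Block-InboundSmb
if (-not $patched) {
    Write-Warning "Install the MS17-010 update for this OS before reconnecting to untrusted networks."
}
```

Disabling SMBv1 breaks access from and to genuinely old clients (Windows XP, Server 2003 and some printers or NAS devices), so inventory those dependencies first; the firewall rule is the stopgap that buys time to patch, not a substitute for MS17-010, because the exploit works against any host whose port 445 is reachable from an already-infected peer on the same network.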