SOURCE: TUV Rheinland

May 15, 2017 12:43 ET

TUV Rheinland - Security Advisory - WannaCrypt

Hundreds of thousands of machines infected by the global WannaCrypt ransomware outbreak; Patch your systems to avoid being the next victim

LITTLETON, MA--(Marketwired - May 15, 2017) -

What's happened? 
The WannaCrypt ransomware campaign began around 8 am UTC on Friday, May 12th, and has quickly gone global to become one of the largest ransomware attacks on record. At the time of writing, it was present in over 100 countries and had infected over a hundred thousand computers in some of the world's largest institutions.

Who is it affecting? 
The Russian Interior Ministry reported over a thousand of its computers infected; in the UK, 48 NHS [National Health Service] trusts were disrupted, as were Deutsche Bahn computers in Germany. The private sector is also heavily impacted, with infections at FedEx in the US; Telefonica, Iberdrola, and Gas Natural in Spain; Portugal Telecom; Scottish Power; Renault factories in France; and Nissan in the UK, to name but a few.

What is it and why has it been so effective?
Ransomware is nothing new, but what makes WannaCrypt different is its ability to self-propagate. It does this by exploiting a known vulnerability in the Microsoft Windows Server Message Block (SMB) protocol [CVE-2017-0145], which allows for remote code execution on a vulnerable system. Code-named 'EternalBlue,' this particular exploit was stolen from the NSA's Equation Group and then later made public by the Shadow Brokers hacking group on April 14th, 2017.

However, Microsoft had already issued a patch for this vulnerability two months ago, on March 14th, 2017 [MS17-010]. The ransomware is designed to attack Windows 7 and Windows Server 2008 (or earlier) systems and takes advantage of the vast number of systems in use that are unpatched.

How does it work? 
Once a computer is infected, its files are encrypted and given a [.]WCRY file extension. The ransomware demands $300 in Bitcoin for each affected machine and goes on to threaten that if payment isn't made within three days, the ransom doubles to $600, and if it isn't paid within a week, the files are deleted.

The initiating attack vector is most likely a phishing attack designed to trick users into running the malware, or direct infection through the SMB exploit if a machine can be addressed. The threat arrives as a dropper Trojan that has two key components. The first tries to exploit the SMB vulnerability on other computers on the network, and the second is the WannaCrypt ransomware itself.

Importantly, the dropper tries to connect to the following domain using the API InternetOpenUrlA(). If the connection succeeds, it acts like a 'kill switch': the threat does not infect the system further with the ransomware; it just stops. This characteristic of the dropper was identified by a security researcher in the UK, who quickly purchased the domain and stopped further global propagation, at least until a new variant is released into the wild.

If the connection is unsuccessful, the dropper creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability on other computers addressable from the infected system. It then goes on to create the registry keys and file structure required to encrypt the computer's files and issue the ransom demand via the desktop wallpaper.
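
The two host indicators named above (the `mssecsvc2.0` service and the `.WCRY` extension) can be checked on a single machine as follows. This is an added example, not code from the advisory; the function name and the `C:\Users` scan root are assumptions, and it needs an elevated PowerShell prompt.

```powershell
# Added example: triage one Windows host for the indicators this advisory names.
$ServiceName = 'mssecsvc2.0'   # service name given in the advisory
$Extension   = '*.WCRY'        # file extension given in the advisory

function Test-WannaCryptIndicators {
    param([string]$Root = 'C:\Users')   # assumed starting point for the file sweep

    # 1. Is the propagation service registered right now?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $state = 'absent'
    if ($svc) { $state = [string]$svc.Status }

    # 2. Was it installed at any point? The Service Control Manager logs each new
    #    service as System event 7045: Properties[0] = name, Properties[1] = image path.
    $installs = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $ServiceName } |
        ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, $_.Properties[1].Value })

    # 3. Any encrypted files? A handful of hits is enough to escalate, so stop early.
    $files = @(Get-ChildItem -Path $Root -Filter $Extension -Recurse -Force `
            -ErrorAction SilentlyContinue |
        Select-Object -First 5 |
        ForEach-Object { $_.FullName })

    # New-Object is used instead of [pscustomobject] so this also runs on the
    # PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        ServiceState    = $state
        ServiceInstalls = $installs
        EncryptedFiles  = $files
        Suspect         = [bool]($svc -or $installs.Count -gt 0 -or $files.Count -gt 0)
    }
}

Test-WannaCryptIndicators | Format-List
```

A host reporting `Suspect : True` should be taken off the network before further analysis, because the service's job is to reach other machines over SMB.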

What should you do to protect your organization? 

To avoid becoming the next victim of the WannaCrypt ransomware outbreak, you should:

1. Start by patching your systems

For Windows 7 and Windows Server 2008 systems, this means applying the MS17-010 patch to address the SMBv1 Remote Code Execution vulnerabilities. Also, due to the scale of the current outbreak, Microsoft has just released an out-of-band patch for older operating systems including Windows XP, Windows 8, and Windows Server 2003. Besides installing the updates, Microsoft also advises that the SMBv1 protocol be disabled, as it is an old protocol that has been superseded by newer versions. You should also consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.
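
One way to report and then remove SMBv1 server exposure on a single host, shown as an added example rather than code from the advisory. The function names, the firewall rule name and the `$Remediate` switch are assumptions; the host firewall rule stands in for the router or perimeter rule the text recommends.

```powershell
# Added example: audit the SMBv1 server setting, then optionally harden the host.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Remediate = $false   # assumption: flip to $true once the change is approved

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later ship the SMB configuration cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool]((Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    # Windows 7 / Server 2008: the server reads the SMB1 registry value.
    # A missing value means SMBv1 is enabled, which is the default.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return (($null -eq $val) -or ($val -ne 0))
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for older systems; takes effect after a restart.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # netsh is used because it is present on every version from Windows 7 up.
    netsh advfirewall firewall add rule name=Block-Inbound-SMB-445 `
        dir=in action=block protocol=TCP localport=445
}

"SMBv1 server enabled on $($env:COMPUTERNAME): $(Get-Smb1ServerState)"

if ($Remediate) {
    Disable-Smb1Server
    Block-InboundSmb
    "SMBv1 server enabled after change: $(Get-Smb1ServerState)"
}
```

Apply `Block-InboundSmb` only to machines that do not serve file shares, since it also stops legitimate SMB clients from connecting; disabling SMBv1 is a complement to the MS17-010 patch, not a replacement for it.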

2. Get your backups in order

One of the most fundamental protections against ransomware is the ability to restore reliably from recent backups. You will want to have multiple backups, with the ability to roll back to any point in time, and these should not be connected to the source machine, or they could get encrypted as well. Various cloud service providers offer good options here, with many professional backup services available.

3. Reduce the likely success of phishing emails

Enable strong spam filtering to reduce the probability of phishing emails reaching end users. Authenticate inbound email using Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. Educate your users and outline the dangers and the potential impact of ransomware on your business. Make them suspicious of every email they receive that they are not expecting, and of every link and every attachment.

4. And if you become a victim?

If you do become a victim of the outbreak, do not pay the ransom. It only creates a viable market for cyber criminals and motivates future ransomware attacks. You also cannot be sure it will get you your files back. Instead, contact law enforcement and your trusted cybersecurity partner, and provide them with relevant logs to aid their investigations.

If you need help? 
Please contact one of our regional cybersecurity executives for immediate assistance here.

About TÜV Rheinland:
TÜV Rheinland is a global leader in independent inspection services, founded 145 years ago. The group maintains a worldwide presence with 19,700 employees; annual turnover is more than EUR 1.9 billion. The independent experts stand for quality and safety for people, technology and the environment in nearly all aspects of life. TÜV Rheinland inspects technical equipment, products and services, oversees projects, and helps to shape processes and information security for companies. Its experts train people in a wide range of careers and industries. To this end, TÜV Rheinland employs a global network of approved labs, testing and education centres. Since 2006, TÜV Rheinland has been a member of the United Nations Global Compact to promote sustainability and combat corruption. Website:

Contact Information

    Frank Dudley
    Director Communications
    TUV Rheinland of North America, Inc.
    (978) 266-9500

    Carissa Ryan
    Scratch Marketing