15 May 2017

WannaCry Ransomware used in large scale international attacks

This advisory has been updated from our original post on 13 May 2017. If you would like a copy of the previous version of our advice, please email comms@cert.govt.nz.

What's happening

Systems affected

A massive international ransomware campaign hit computer systems of private companies and public organisations around the world. This incident is being reported as the largest ransomware campaign to date. The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY'), because the encrypted files extension is .wcry. Like other ransomware, WannaCry also blocks access to a computer or its files and demands money to unlock it. Early reports were that the ransom demanded was around $430NZD, though this may change over time.

There are reports of infection via a phishing email however these have not been confirmed. The ransomware has spread quickly via a vulnerability in machines running unpatched versions of Windows (XP through 2008 R2) by exploiting flaws in Microsoft Windows SMB Server. Once a single computer in a network is infected with WannaCry, the program looks for other vulnerable computers on the network and infects them as well.

This ransomware exploits a Windows vulnerability known as EternalBlue External Link , which was released by the Shadow Brokers hacking group over a month ago. Microsoft released a patch for the vulnerability in March (MS17-010) External Link .

What to do

Prevention

  • Make sure you have backed up your system and files stored securely, off-network.
  • Make sure you have patched your system. Organisations using any Windows system between XP to 2008 R2 should ensure that mitigations are in place, particularly the MS17-010 Microsoft patch. If you’re not patched, consider disabling SMBv1 (this will stop some file sharing).
  • Be careful when opening emails and clicking on links – read our phishing information to know what to look out for. These emails could be from anyone, including an email address you’re familiar with.
  • Microsoft have released updates for otherwise unsupported operating systems (OS), including Windows XP and Server 2003, which are available here External Link . Microsoft doesn’t officially provide support to these systems any longer, but have released this patch in response to the WannaCry spread. 
  • Make sure that firewalls and anti-virus software is installed, up-to-date, and fully operational
  • It is also important to ensure that staff are aware of this campaign, and reminded to be extremely vigilant with incoming emails containing links and attachments.

More information

The details on this release are relatively new and more information is coming to light constantly. For organisations that require further support or more specified advice, please log an incident on our website at cert.govt.nz. Similarly, if you have been compromised with this ransomware, please contact CERT NZ.