The Chertoff Group

CHERTOFF GROUP ALERT: WANNACRY RANSOMWARE CAMPAIGN

The Chertoff Group continues to closely monitor the WannaCry ransomware attack.  The story is still evolving, but we wanted to provide a brief summary for those of you who may not have had time to review in detail and assess appropriate actions for your organization. 

What happened?

  • A ransomware variant named WannaCry has caused widespread impact across continents and continues to impact organizations today. At current count, 200,000-plus machines across more than 150 countries have reportedly been affected by this campaign, allegedly leveraging NSA know-how leaked earlier this year.
  • WannaCry leverages a Microsoft Windows vulnerability found in a number of Windows operating systems to gain control of machines and spread internally. Hackers are leveraging the exploit to encrypt compromised devices, rendering them useless. Those responsible have then demanded the equivalent of $300 per impacted device in Bitcoin. Reports indicate that, to date, the Bitcoin wallets associated with WannaCry have received less than 20 Bitcoin in total.
  • The vulnerability in question was allegedly discovered by NSA and may have been leveraged for intelligence gathering purposes. It was leaked in April by the Shadow Brokers hacking group, making it widely known to the hacker community. If accurate, this would be the first reported ransomware campaign to use, in the wild, tools exposed in the recent Shadow Brokers data dump.

Why it’s important

  • While ransomware is nothing new, there appears to be a level of automation in WannaCry that makes its potential ability to scale alarming. News reports indicate WannaCry surfaced only two weeks ago – with not much activity until May 12, when something caused it to rapidly spread.
  • According to US-CERT, WannaCry gains access to servers either through Remote Desktop Protocol (RDP), allowing access to machines remotely, or through a weakness in Windows Server Message Block (SMB), which allows computers to share files and other resources. More specifically, the infected machine appears to scan internally looking for other devices with exploitable vulnerabilities. This has enabled WannaCry to spread rapidly from one host to the next on networks across the world.
  • Experts have also reported that email phishing attacks constitute one possible vector for initial compromise, although WannaCry appears to have been a predominately network-based attack.
  • While a patch had earlier been released (the original patch, MS17-010, was distributed March 14, 2017), the reality is that many organizations are slow to implement patches for a variety of reasons (e.g., competing priorities on often over-taxed IT teams, a desire to test patches before implementing them to ensure the patch itself won’t break something, etc.).

Who has been impacted?

  • Initial reports detailed incidents at hospitals, doctors’ offices and other healthcare institutions across greater London and Northern England (the UK’s National Health Service issued alerts about disruptions at 16 organizations in the UK).
  • Spain’s Computer Emergency Response Team (CCN-CERT) also issued disruption alerts, and news reports indicated Spain’s Telefonica told employees to shut down infected computers and to wait for instructions about what to do next.
  • Large-scale infections have been reported across the globe with Russia, China, Ukraine and India reportedly seeing extensive infections. The United States, Taiwan, France, Japan and a number of other countries have also been impacted.
  • Experts generally agree that this outbreak will continue to spread until preventative measures are put in place such as patching the MS17-010 vulnerability and ensuring security tools are updated for relevant “indicators of compromise” (IOCs), i.e., malware signatures, file hashes, host names, filepaths, etc.

What’s next?

  • Sources close to The Chertoff Group have expressed concern that the impact is likely to spread:
    • In general, global traffic on a Friday for the Americas and Europe is lower than at other points during the work week — even more so during Saturday and Sunday.
    • Security experts are concerned about the potential for increased spread of WannaCry impacts as employees return to work and begin using machines today (May 15).
  • Experts are also concerned about the potential proliferation of “copycat” scenarios where adversaries modify and/or mimic the WannaCry model but enhance it with their own novel variants.
    • For example, experts expect that updated versions of WannaCry will have removed a key design flaw cited in the media. In the current version, there is a domain address buried in the malware’s code, which the malware checks to see whether the domain is dormant and inactive. If it is, then WannaCry continues to actively propagate from the infected device. However, if the domain has been activated (by registering it), the malware stops functioning. Experts are calling this domain on-off check WannaCry’s “kill switch.” Future versions will likely have this feature removed so that the “kill switch” no longer exists.

What it means for you. The nature of the threat underscores the importance of a layered defense.

For executives 

  • Governance and risk management (assess, mitigate, monitor). Understand your most critical assets – applications, users, and business processes. Talk to your security teams about the use of a layered defense, including for example segmenting these assets to limit their exposure to malicious activity already inside your network. Conduct focused testing and audit to ensure that security tools are fully implemented and operating effectively.
  • Information sharing. Discuss whether your firm participates in an Information Sharing and Analysis Organization so that, as new threat information becomes available on WannaCry variants or other attacks leveraging Shadow Brokers disclosures, your security teams know about it and can act on it.
  • Asset, configuration and vulnerability management. When patches are released by software vendors like Microsoft, can your firm find and remediate at-risk assets comprehensively and quickly? A dramatic increase in “endpoints” across many organizations can complicate these tasks, so consider a comprehensive endpoint management plan (people, process and technology) to include asset, configuration and patch management.
  • Third party risk management. Talk to your business, security and procurement teams about controls on third party access to your network, as well as contingencies for when a critical third party is incapacitated by an attack.
  • Incident management.  Ransomware has become a very popular form of malware. What if your firm is victimized by a WannaCry variant?  Will the incident response and business continuity/disaster recovery program limit the damage?  Are there protocols in place for accessing bitcoin?
  • Culture and training are important. Everyone in your firm should know basic cyber hygiene.
    • Understand the risks of clicking on links or opening attachments sent via email, particularly from untrusted users.
    • Understand the risks of downloading software from Internet websites, particularly from untrusted websites.
    • Understand what to do if you suspect your device has been compromised.

For practitioners 

  • First and most obvious, refer to Microsoft Security Bulletin MS17-010 and leverage the security update information provided in the Bulletin. Also review the US-CERT Alert TA17-132A on WannaCry and TA16-091A on ransomware in general.
  • The EternalBlue and DOUBLEPULSAR vulnerability leveraged by WannaCry was not the only vulnerability disclosed by Shadow Brokers, so it is recommended that organizations urgently review patches related to the April leak (see, e.g., https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/) and ensure they have been implemented.
  • Conduct internal and external scans for SMB ports, and where practicable consider isolating and restricting the SMB protocol (particularly SMB v1), as it is reportedly being leveraged by the malware (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012).
  • Conduct targeted education and awareness with users. Alert them to the potential implications of this attack and the need to exercise extreme caution in opening emails, clicking on attachments, visiting untrusted sites, etc.
  • Consider implementing and then properly configuring email filtering tools to block executable content from reaching end users, and disabling macros in Microsoft Office products transmitted by email.
  • Ensure anti-virus/malware detection tools are updated and conducting regular scans.
  • To minimize internal spread, organizations should also consider limiting workstation-to-workstation communications, removing local administrative privileges on endpoints, applying application whitelisting capabilities and consistently implementing the principle of “least privilege.”
  • As an additional preparedness measure, organizations should have comprehensive backup plans and practices in place to facilitate successful business continuity and disaster recovery.  Per US-CERT, backup copies of sensitive data should not be readily accessible from local networks.
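To make the MS17-010 and SMBv1 items above concrete, the following read-only posture check is an added example for this alert, not a script from The Chertoff Group or Microsoft. It assumes an elevated PowerShell prompt on Windows 8/Server 2012 or later (the Smb* cmdlets are not present on Windows 7/2008 R2), and the KB list is an assumption to be confirmed against the bulletin for your builds.

```powershell
# Added example: report one host's exposure to the MS17-010 SMB vulnerability.
# Read-only; the remediation command at the bottom is commented out on purpose.

# KB numbers published under MS17-010 (March 2017). Assumption: illustrative list,
# confirm against the Microsoft bulletin for the builds you actually run.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # Out-of-band: XP / 2003 / Vista / 8 / 2008
)

function Get-Ms17010Posture {
    # Which of the MS17-010 KBs, if any, does the host report as installed?
    $installed = @(Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Is the SMBv1 server protocol still enabled?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is anything listening on TCP 445 (the port WannaCry scans for)?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
        -ErrorAction SilentlyContinue)

    # Caveat: on Windows 10, a later cumulative update supersedes the March KB, so an
    # empty KB list there does not by itself prove the host is unpatched.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SMB1Enabled         = $smb1
        Ms17010KbFound      = ($installed.Count -gt 0)
        MatchingKbs         = ($installed -join ',')
        TcpPort445Listening = $listening
        NeedsAttention      = ($smb1 -or ($installed.Count -eq 0))
    }
}

Get-Ms17010Posture | Format-List

# Remediation described in the Microsoft article linked above. Uncomment only after
# confirming nothing on the host still depends on SMBv1 (legacy printers, NAS, etc.).
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it across hosts with Invoke-Command to build the at-risk asset list the "asset, configuration and vulnerability management" bullet asks executives about.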

Please contact us if you have any questions or concerns (info@chertoffgroup.com).

About The Chertoff Group

The Chertoff Group is a premier global advisory firm focused on security and risk management. The Chertoff Group helps clients grow and secure their enterprise through risk management, business strategy, and merchant banking advisory services. We apply our insights into technology, threat, and policy to help our clients improve their resiliency, build competitive advantage, and accelerate growth. The Chertoff Group, and its investment banking subsidiary Chertoff Capital, have advised on multiple M&A transactions totaling nearly $7 billion in deal value. Headquartered in Washington D.C., the firm maintains offices in Menlo Park and New York. For more information about The Chertoff Group, visit www.chertoffgroup.com.
