[BruCERT] "Wannacry" Ransomware targeting unpatched Windows systems

Background

A major ransomware attack has affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. BruCERT has not received any local reports of such attacks at the moment. This ransomware has the capability to spread over the network by scanning for vulnerable systems and infecting them. It then encrypts files on the system and extorts a ransom payment in bitcoin for the decryption of the files.

Affected Systems

The following Microsoft operating systems are known to be vulnerable if they have not been updated with Microsoft Security Bulletin MS17-010 (Critical):

  • Windows 10 
  • Windows RT 8.1 
  • Windows 8.1 
  • Windows 7 
  • Windows Vista 
  • Windows XP 
  • Windows Server 2016 
  • Windows Server 2012 and Windows Server 2012 R2 
  • Windows Server 2008 and Windows Server 2008 R2 
  • Windows Server 2003


Affected File Extensions

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

Recommendations

  • BruCERT advises all users and companies with the affected systems listed above to ensure that their Windows-based systems are fully patched. In particular, Microsoft Security Bulletin MS17-010 (Critical) should be applied.
  • Additionally, Microsoft has made the security update for platforms in custom support only (Windows XP, Windows 8, and Windows Server 2003) broadly available for download (refer to the references below).
  • Users should ensure that their anti-virus software is updated with the latest malware definitions.
  • Users should perform file backups and store them offline so that systems can be restored following an attack.
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic to those ports.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.
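The following script is an added example, not part of the BruCERT advisory, showing how an administrator can check a single host against the first and fifth recommendations above: whether the MS17-010 update is installed, and whether inbound SMB (TCP 139 and 445) is blocked at the host firewall. It assumes an elevated prompt on Windows 8 / Windows Server 2012 or later (the NetSecurity cmdlets do not exist on older builds), and the KB article number for the host's OS must be taken from the MS17-010 bulletin in the references; the placeholder and rule name used here are assumptions.

```powershell
# Added example (not BruCERT's or Microsoft's code). Run as Administrator.
param(
    # Placeholder: fill in the KB number for this OS from the MS17-010 bulletin.
    [string]$Ms17010Kb = 'KB<number-from-MS17-010-bulletin>'
)

# 1. Is the MS17-010 update installed? Get-HotFix reads the installed-updates list.
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "MS17-010 update $Ms17010Kb installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "MS17-010 update $Ms17010Kb NOT found - apply the update first"
}

# 2. Block inbound SMB (TCP 139 and 445) on the Public profile, i.e. on interfaces
#    facing untrusted networks, so the worm cannot reach the SMB service from outside.
$ruleName = 'BruCERT-Block-Inbound-SMB'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 139,445 -Profile Public | Out-Null
    Write-Output "Created rule '$ruleName': inbound TCP 139/445 blocked (Public profile)"
} else {
    Write-Output "Firewall rule '$ruleName' already present"
}

# 3. Show what is listening on 139/445 so the operator can see the exposed service
#    (normally only the System process, i.e. the SMB server driver).
Get-NetTCPConnection -State Listen -LocalPort 139,445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Blocking at the host firewall complements, but does not replace, blocking ports 139 and 445 at the internet perimeter as the recommendation describes.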


References

Massive ransomware attack hits 99 countries
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microso...

Microsoft Security Bulletin (MS17-010-Critical) dated 14 March 2017
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Customer Guidance for WannaCrypt attacks
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-fo...