WannaCry

High
23 October 2017

WannaCry ransomware affecting organisations globally

13 May 2017

The ACSC is aware of a large-scale ransomware campaign that is impacting many organisations globally. The campaign is variously known as ‘WanaCrypt0r’, ‘WanaCry’, ‘WannaCry’, ‘WanaDecryptor’ or ‘Wana’.

The ransomware leverages publicly known vulnerabilities in Microsoft Windows. Microsoft published patches to remove these vulnerabilities in March 2017.

Recommendations

CERT Australia recommends affected partners carry out the following actions:

Additionally, Microsoft has released advice and a special hotfix for Windows XP, Server 2003, and Windows 8 RTM. More detail is available on Microsoft’s Customer guidance, Blog, and Security updates pages.

Details

Initial Infection Vector

Current reports and analysis have not identified the initial infection vector. While spear phishing or waterholing may be vectors, there is currently no evidence of either.

Propagation

When the kill switch is not available, the installer executes and is responsible for spreading to and infecting other machines. It does this by attempting socket connections to port 445 (SMB) on randomly generated IPv4 addresses.

Further details are available on the Endgame website.
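The propagation behaviour described above has a network signature a defender can look for: a single host attempting SMB (TCP/445) connections to many distinct, apparently random destinations in a short window, most of which fail. The following is an added detection example, not code from the ACSC advisory or from any analysis it cites. The log format, the internal address range and every IP address in it are constructed for illustration.

```python
"""
Added example: flag hosts whose outbound SMB connection pattern matches the
spreading behaviour described in the advisory (many distinct TCP/445 targets,
largely outside the organisation, within a short time window).

The log format "<timestamp> <src_ip> <dst_ip> <dst_port> <action>" and all
addresses below are constructed for this example; adapt parse_line() to your
own firewall or flow export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: 10.0.5.17 behaves like a spreader, 10.0.5.30 and
# 10.0.5.31 are ordinary clients talking to internal file servers.
SAMPLE_LOG = """\
2017-05-13T09:00:00 10.0.5.30 10.0.5.20 445 allow
2017-05-13T09:00:01 10.0.5.17 203.0.113.9 445 deny
2017-05-13T09:00:02 10.0.5.17 198.51.100.77 445 deny
2017-05-13T09:00:03 10.0.5.17 192.0.2.45 445 deny
2017-05-13T09:00:04 10.0.5.17 10.0.5.22 445 allow
2017-05-13T09:00:05 10.0.5.17 172.16.40.8 445 deny
2017-05-13T09:00:06 10.0.5.17 203.0.113.150 445 deny
2017-05-13T09:00:07 10.0.5.17 198.51.100.3 445 deny
2017-05-13T09:00:08 10.0.5.17 192.0.2.200 445 deny
2017-05-13T09:00:09 10.0.5.17 10.0.5.90 445 allow
2017-05-13T09:00:10 10.0.5.17 203.0.113.77 445 deny
2017-05-13T09:00:10 10.0.5.30 10.0.5.20 445 allow
2017-05-13T09:00:11 10.0.5.17 198.51.100.120 445 deny
2017-05-13T09:00:12 10.0.5.17 192.0.2.8 445 deny
2017-05-13T09:00:20 10.0.5.30 10.0.5.20 445 allow
2017-05-13T09:00:25 10.0.5.31 10.0.5.20 445 allow
2017-05-13T09:00:30 10.0.5.31 10.0.5.22 80 allow
2017-05-13T09:00:40 10.0.5.31 10.0.5.21 445 allow
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_spreaders(log_text, window_seconds=60, min_distinct_targets=10,
                       internal_nets=("10.0.0.0/8",)):
    """
    Return {src_ip: stats} for every source that reached min_distinct_targets
    distinct TCP/445 destinations within a sliding window of window_seconds.
    Denied attempts count too: the attempt itself is the signal, since most
    randomly generated addresses will not answer.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    flagged = {}

    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, port, _action in events:
        if port != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_distinct_targets:
            external = sum(
                1 for d in targets
                if not any(ipaddress.ip_address(d) in n for n in nets)
            )
            # Overwrite so the entry reflects the most recent window state.
            flagged[src] = {
                "distinct_targets": len(targets),
                "external_targets": external,
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_smb_spreaders(SAMPLE_LOG).items():
        print(src, stats)
```

The thresholds are deliberately parameters: a backup server or vulnerability scanner legitimately touches many SMB hosts, so tune `min_distinct_targets`, the window and `internal_nets` to the environment, and treat a high `external_targets` ratio (connections to addresses the host has no business reaching) as the stronger indicator.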