WannaCry ransomware affecting organisations globally
13 May 2017
The ACSC is aware of a large-scale ransomware campaign that is impacting many organisations globally. The campaign is variously known as ‘WanaCrypt0r’, ‘WanaCry’, ‘WannaCry’, ‘WanaDecryptor’ or ‘Wana’.
The ransomware leverages publicly known vulnerabilities in Microsoft Windows. Microsoft published patches to remove these vulnerabilities in March 2017.
CERT Australia recommends affected partners carry out the following actions:
- Apply MS17-010 patches as soon as possible to prevent infection.
- If unable to patch then consider disabling SMBv1.
- Review and consider applying ASD Essential Eight mitigation strategies.
- Review the ETERNALBLUE and DOUBLEPULSAR fact sheet and carry out appropriate remediation.
- Review logs for unusual SMB traffic.
- Ensure important data is backed up to an offline location.
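The first two recommendations above (confirm MS17-010 is installed; disable SMBv1 where patching is not possible) can be checked from an elevated PowerShell session. The script below is an added example, not part of the ACSC advisory. It assumes the listed KB numbers are the MS17-010 packages for the named platforms; confirm them against the MS17-010 bulletin for the exact OS build. On Windows 8 / Server 2012 and later it uses the SMB server cmdlets; on Windows 7 / Server 2008 R2 it falls back to the LanmanServer registry value Microsoft documents for turning SMBv1 off.

```powershell
# Added example (not from the ACSC advisory): audit a Windows host for the
# MS17-010 update and the SMBv1 server protocol, and optionally disable SMBv1.
# Run in an elevated PowerShell session. The KB numbers are assumed to be the
# MS17-010 packages for the named platforms; verify against the bulletin.
param(
    [switch]$DisableSmb1   # pass -DisableSmb1 to turn SMBv1 off; otherwise audit only
)

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Windows Server 2012
    'KB4012598'                 # Windows XP / Server 2003 / Vista / Server 2008 special hotfix
)

# 1. Is any MS17-010 package installed on this host?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 package found; patch this host before doing anything else."
}

# 2. Current SMBv1 server state.
$hasSmbCmdlets = Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($hasSmbCmdlets) {
    # Windows 8 / Server 2012 and later expose the setting directly.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: SMBv1 is on unless the SMB1 value is present and 0.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($value -ne 0)
}
Write-Output "SMBv1 server enabled: $smb1Enabled"

# 3. Disable SMBv1 on request (the advisory's fallback when patching is not possible).
if ($DisableSmb1 -and $smb1Enabled) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Value 0 -Type DWord -Force
        Write-Output "Registry updated; a reboot is required for the change to take effect."
    }
    Write-Output "SMBv1 server protocol disabled."
}
```

Run it without arguments first to see the patch and SMBv1 state; rerun with `-DisableSmb1` only after confirming that no legacy device on the network still depends on SMBv1, since disabling it breaks those connections.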
Additionally, Microsoft has released advice and a special hotfix for Windows XP, Server 2003, and Windows 8 RTM. More detail is available on Microsoft’s Customer guidance, Blog, and Security updates pages.
Initial Infection Vector
Current reports and analysis suggest the initial infection vector has not been identified. While spear phishing or waterholing may be vectors, there is currently no evidence of this.
When the kill-switch domain is unreachable, the installer executes and is responsible for spreading to and infecting other machines. It does this by attempting socket connections to port 445 (SMB) on randomly generated IPv4 addresses.
Further details are available on the Endgame website.