InfoSec Blog - WannaCry Ransomware

[Image: WannaCry ransomware screen capture]

May 15, 2017

On Friday, May 12th, a ransomware campaign (WannaCry) began to spread across the internet, impacting thousands of systems at a large number of organizations, including healthcare providers, corporations, and universities around the world. While we have not seen any evidence of this malware here at the University of Guelph, it is extremely important that all users are aware of the threat and on guard to protect our systems and data from it.

The intention of this blog post is to provide everyone on campus with a summary of the threat, what we are doing to protect the University, and additional security awareness material for users to apply themselves and share with others.

What is Ransomware?

Ransomware is a type of malware that infects computer systems and restricts users' access to the infected systems and their files. It attempts to extort money from victims by displaying an on-screen alert stating that the system has been locked and the files have been encrypted. Users are told that unless a ransom is paid, access will not be restored and the files will be deleted after a period of time. The ransom demanded varies but is frequently between $200 and $400 and must be paid in a virtual currency such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloads. A drive-by download occurs when a user visits a compromised website and malware is downloaded and installed without the user's knowledge or consent.

What is WannaCry?

WannaCry is a new ransomware variant that spreads like a worm, using a Microsoft Windows vulnerability (the one fixed by MS17-010) to distribute itself. The vulnerability is in the SMB file-sharing service and allows remote code execution, so an infected machine can compromise another vulnerable one with no action by its user. Once a system is infected, user files are encrypted, additional malware is installed, and the ransomware attempts to spread across the network. Encrypted files are given the extension .WNCRY (files still being encrypted carry the temporary extension .WNCRYT). The computer then displays a message (pictured above) demanding $300, payable in Bitcoin, to decrypt the files, along with instructions on how to pay.

How Does This Ransomware Spread?

At this time the exact method of initial entry of the WannaCry ransomware is unknown; however, phishing email messages are likely. Other institutions have warned their users about emails with subject lines such as:

  • Copy_[with Random Numbers]
  • Document_[with Random Numbers]
  • Scan_[with Random Numbers]
  • File_[with Random Numbers]
  • PDF_[with Random Numbers]

If you receive a message like this, do not open the attachment: delete the message immediately and report it to the CCS Help Centre.

Once the malware is running on a system, it scans the network for other machines that expose the SMB file-sharing service (TCP port 445) and infects any that are unpatched, without any action by the users of those machines. It is therefore extremely important that all systems on the network are patched, specifically with MS17-010, which Microsoft released in March 2017. Systems that cannot be patched promptly should have SMBv1 disabled or inbound port 445 blocked until they can be.
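As an added example (not part of the original post), the following PowerShell script audits a single Windows host for the points made above: whether one of the MS17-010 update packages is installed, whether the SMBv1 server is still enabled, and whether the host is listening on TCP port 445, the port the worm scans. With the -Harden switch it disables SMBv1 and adds a host firewall rule blocking inbound 445 as a stop-gap for systems that cannot be patched immediately. The KB-to-OS mapping and the firewall rule name are assumptions to check against the Microsoft bulletin for your exact build; run the script from an elevated prompt.

```powershell
# Added example (not the original post's code): audit a Windows host for the
# MS17-010 patch and SMBv1 exposure, optionally hardening it.
# Assumptions: the KB list below matches the MS17-010 bulletin for each OS;
# verify it for your build. On Windows 10, later cumulative updates supersede
# the March 2017 ones, so a missing KB there does not by itself prove the host
# is unpatched; check Windows Update history as well.

param(
    [switch]$Harden   # disable SMBv1 and block inbound TCP/445 when set
)

# Packages that shipped the MS17-010 fix (assumed mapping; security-only and
# monthly-rollup packages both count).
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (May 2017 out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Patch state: any of the MS17-010 packages present?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: patched ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: none of the March 2017 packages found; confirm via Windows Update history before trusting this"
}

# 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
#    and later; older hosts fall back to the LanmanServer registry value, where an
#    absent SMB1 value means SMBv1 is enabled.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}
if ($smb1Enabled) {
    Write-Warning "SMBv1 server is enabled; if the host is unpatched it is reachable by the MS17-010 exploit"
} else {
    Write-Host "SMBv1 server is disabled"
}

# 3. Is the host listening on TCP/445 at all? (Get-NetTCPConnection needs Windows 8+.)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    Write-Host ("TCP/445 listening: {0}" -f [bool]$listening)
}

# 4. Optional containment while patching catches up.
if ($Harden) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for Windows 7 / Server 2008 R2; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Host firewall rule (rule name is an assumption); remove it once the host is patched
    # if the machine legitimately serves files.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 containment)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "SMBv1 disabled and inbound TCP/445 blocked (reboot required on older hosts)"
}
```

Running the script without -Harden is read-only and safe on any managed desktop or server. Blocking inbound 445 stops the host from being infected by a neighbour, but it also disables file and printer sharing from that host, so use the rule as a temporary measure on machines awaiting the MS17-010 update rather than as a permanent setting on file servers.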

What Is Being Done to Protect the University?

CCS and the Information Security team have already taken several proactive steps to protect against this threat and will be closely monitoring the situation in the coming days. At this point we have taken the following actions:

  • Blocked traffic related to this threat at our network perimeter
  • Patched our managed servers and desktops against this threat
  • Added additional protection rules and emergency definition files to our centrally managed AV solution
  • Provided security awareness information to all IT groups on campus, including threat and patching information

If My System Is Infected Should I Pay the Ransom?

Any infected system should be disconnected from the network immediately (unplug the network cable or turn off Wi-Fi) and must be completely reimaged before it is allowed to reconnect to the University network. Once reimaged, user data should be restored from backups taken before the infection.

If your system becomes infected with ransomware, don't pay! Information Security strongly advises against paying the ransom for a number of reasons:

  • Doing so increases the likelihood of further attacks against the University
  • Even after paying to unlock your files, you could not trust the system or the integrity of its data, as it may now contain additional malware, backdoors, or other malicious code
  • Payment is no guarantee that your data will be released; these are criminals, after all
  • Payment fuels the development of further tools and more campaigns, and funds other types of crime that have a direct impact on all of us

Additional WannaCry Information

Information Security Awareness Material

If the Information Security team can assist with any questions, please feel free to email the team at infosec@uoguelph.ca.

Written by: Stephen Willem (Manager, CCS Information Security)