InfoSec Blog - WannaCry Ransomware
May 15, 2017
On Friday May 12th, a ransomware campaign (WannaCry) began to spread across the internet impacting thousands of systems at a large number of organizations including healthcare providers, corporations, and Universities around the world. While we have not seen any evidence of this malware here at the University of Guelph, it is extremely important that all users are aware of the threat and are on guard to protect our systems and data from it.
The intention of this blog post is to provide everyone on campus with a summary of the threat, what we are doing to protect the University, and give users additional security awareness material to use themselves and share with others.
- What Can I Do to Protect Myself?
- What is Ransomware?
- What is WannaCry?
- How Does this Ransomware Spread?
- What is Being Done to Protect the University?
- If My System is Infected Should I Pay the Ransom?
- Additional WannCry Information
- Additional Security Awareness Material
- Patch Your Systems - Patches for MS17-010 can be found on the Microsoft website (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
- Update AV - Ensure your anti-virus application is updated with the latest protections
- Backups - Take regular backups of your data
- Use Central Storage - Use a central storage service such as CFS for critical data. CCS central storage is regularly backed up and can be restored very quickly.
- Practice safe web browsing habits - keep your browser and extensions patched, do not click on pop-ups, use a pop-up blocker, avoid clicking on unknown links, and only visit known trustworthy sites.
- Practice safe email habits - know how to spot a phishing message, verify links before clicking on them, know how to spot a fake login page, and check our Phishing and Scams feed
Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems and files. Ransomware attempts to extort money from victims by displaying an on-screen alert which alerts the user that their system has been locked and their files have been encrypted. Users are told that unless a ransom is paid, access will not be restored and their files will be deleted after a period of time. The ransom demanded varies but is frequently between $200 and $400 dollars and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
WannaCry is a new ransomware variant which spreads like a worm leveraging a Microsoft Windows vulnerability (MS17-010) to distribute itself. This is a SMB vulnerability with remote code execution options. Once a system is infected, user files are encrypted, additional malware is installed, and the ransomware attempts to spread across the network. Encrypted files contain the file extension .WNCRYT. Victims’ computers then proceed to display a message (pictured above) with a demand for $300 to decrypt the files and instructions on how to pay the ransom.
At this time the exact method of entry of the WannaCry ransomware is unknown, however phishing email messages is likely. Other institutions have warned their users about emails with subject lines such as:
- Copy_[with Random Numbers]
- Document_[with Random Numbers]
- Scan_[with Random Numbers]
- File_[with Random Numbers]
- PDF_[with Random Numbers]
If you receive a message like this, please delete it immediately and report it to the CCS Help Centre.
Once the malware has been installed on a system, it has the ability to spread through the network to vulnerable systems using SMB file sharing. Therefore, it is extremely important that all systems on the network are patched, specifically for MS17-010 which was released in March 2017.
CCS and the Information Security team have already taken several proactive steps to protect against this threat and will be closely monitoring the situation in the coming days. At this point we have taken the following actions:
- Blocked traffic related to this threat at our network perimeter
- Patched our managed servers and desktops against this threat
- Added additional protection rules and emergency definition files to our centrally managed AV solution
- Provided security awareness information to all IT groups on campus, including threat and patching information
Any systems infected should be removed from the network immediately and the system must be reimaged completely before it can connect to the University network. Once reimaged, user data should be restored from backups.
If your system becomes infected with ransomware, don’t pay! Information Security strongly advises against paying ransom for a number of reasons:
- Doing so will increase the likelihood of further attacks against the University
- After paying ransom to unlock your files, you would not be able to trust the system or the integrity of data, as it could now contain additional malware, backdoors, or other malicious code.
- Payment is no guarantee that data will be released - these are criminals after all
- Payment fuels the development of further tools, more campaigns, and funds other types of crimes that have a direct impact on all of us
- PowerPoint Presentation Overview of WannaCry (SANS)
- Technical Analysis of WannaCry (McAfee)
- NEW - Microsoft WannaCry Ransomware Customer Guidance
- NEW - Decryption Tool for All Windows Versions
- NEW - Decryption Tool for Windows XP
- NEW - SANS Lessons from WannaCry
- Security Awareness Ransomware Module
- Protect Yourself from Ransomware
- Do You Know How to Recognize a Phishing Scam?
- NEW - Ransomware: Best Practices for Prevention and Response
If the Information Security team can assist with any questions, please feel free to email the team at firstname.lastname@example.org
Written by: Stephen Willem (Manager, CCS Information Security)