On Friday, May 12, 2017 the world started seeing the results of a new strain of ransomware that has now infected over 200,000 Windows machines in over 150 countries (and counting), with devastating results for some healthcare organizations.
In April, a group calling itself the Shadow Brokers released a set of exploits attributed to the National Security Agency (NSA) that target a range of Microsoft Windows Operating System (OS) versions. Part of the release was the EternalBlue exploit, which attacks a flaw in the Windows SMBv1 file-sharing service (TCP port 445) and is the basis for Wanna's spread.
Wanna is a Trojan that behaves as a worm. The initial infection was most likely delivered by a phishing e-mail; once a machine is infected, the worm uses EternalBlue to compromise every other reachable machine with an unpatched SMBv1 service, on your network and beyond, with no user action required.
Ransomware holds your data files or systems hostage until you pay a fee to unlock them. Wanna's fee (payable in Bitcoin, which is pseudonymous rather than truly untraceable) starts at $300, doubles to $600 after three days, and the ransom note threatens to delete all files after 7 days.
Microsoft released the fix for the vulnerability that EternalBlue exploits (security bulletin MS17-010) on March 14th. All supported OS versions received the update via Windows Update. Systems that installed the March updates are not vulnerable to EternalBlue. Noticeably absent from those updates were OS versions that were old and no longer supported, most notably Windows XP and Windows Server 2003.
Given the scale of the outbreak, Microsoft released emergency updates for Windows XP and Windows Server 2003 on Saturday, May 13th to address the vulnerability in those systems. Windows XP has been unsupported since April 2014 and Windows Server 2003 since July 2015.
Healthcare organizations of all sizes have been devastated by the consequences of a Wanna infection. The largest example is the National Health Service (NHS) in England, where operations were cancelled, X-rays, test results and patient records became unavailable, and phones did not work. St. Bartholomew’s Hospital in London had to turn away patients and divert emergencies to other facilities.
The NHS was vulnerable because many of its systems still ran Windows XP (reports at the time put XP in use at roughly 90% of NHS trusts), three years after the end of Microsoft support and 16 years after XP was first released. Microsoft releases security patches, on a monthly cycle, only for supported OS versions, so those machines received nothing until the emergency release.
What should we be doing?
Here is the list of tactical, short-term things to do immediately to address the EternalBlue exploit:
- Update your Windows devices with the latest security patches released by Microsoft, obtained directly from Windows Update or the Microsoft Update Catalog. Verify that the MS17-010 update is actually installed on each machine; do not assume the update job ran.
- Embedded Windows devices (phones, printers, medical devices, network appliances, etc.) need to be identified, including anything that exposes SMB on TCP port 445. Once identified, contact the manufacturer and determine when updates for that device will be available. If possible, remove the embedded Windows device(s) from your network until updates are available. If not, segregate them as best you can and block port 445 to and from them.
- Contact your malware/anti-virus vendor and ensure they have provided the latest updates for detection and removal of Wanna. This will not fix the OS vulnerability, but it can stop known Wanna samples from running. Deploy those definition updates immediately.
- Back up your critical systems. This should be occurring anyway, but now is not the time to assume! Keep doing frequent backups until you are certain the MS17-010 security patches are installed, and keep at least one copy offline or otherwise out of reach of the network, since ransomware that can write to a backup share can encrypt it too. And test the restore of that backup data. A backup is no good if you cannot restore the data from it.
- Contact any Business Associate that maintains critical systems for you and ensure those systems are protected. Demand written evidence from them, not just a verbal OK.
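Finding the devices in the second step above, and confirming that the segregation in fact blocks them, is easier with a probe than with a spreadsheet. The script below is an added example, not code from the original article: it sends one SMB1 NEGOTIATE request to TCP port 445 on each host named on the command line and reports whether the host negotiates an SMBv1 dialect, which is exactly the surface EternalBlue needs. It works on anything with an IP address (PC, printer, appliance), not just Windows machines you can log in to. A host that accepts SMBv1 is not necessarily unpatched; it is reachable by a WannaCry-style worm, and should be patched or have SMBv1 disabled either way. Function and constant names are my own, and the sample replies used when no targets are given are constructed for offline demonstration.

```python
"""Probe hosts for SMBv1, the service EternalBlue/MS17-010 abuses, on TCP 445.

Added example, not from the original article. Sends a single SMB1 NEGOTIATE
request offering classic SMB1 dialects and reports whether the host picks
one. Accepting SMBv1 shows exposure to a WannaCry-style worm, not that the
host is unpatched; refusing SMB1 or closing the connection means the host
cannot be reached this way.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in order; the server answers with the index it picked.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def smb1_header(command: int, flags: int = 0x18) -> bytes:
    """32-byte SMB1 header; flags2 asks for unicode, NT status codes, ext. security."""
    return struct.pack("<4sBIBH2s8sHHHHH", SMB1_MAGIC, command, 0, flags, 0xC853,
                       b"\x00\x00", b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def netbios_frame(smb_message: bytes) -> bytes:
    """NetBIOS session service framing: type byte 0x00 followed by a 3-byte length."""
    return struct.pack(">I", len(smb_message)) + smb_message


def build_negotiate_request() -> bytes:
    """SMB1 NEGOTIATE: WordCount=0, ByteCount, then 0x02-prefixed NUL-terminated dialects."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialects)) + dialects
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE) + body)


def parse_negotiate_response(data: bytes):
    """Return (accepted, dialect_index) from a raw reply to the request above.

    (False, None) means the host did not negotiate SMB1: the reply is SMB2/3,
    is not a NEGOTIATE reply, carries an error status, or has DialectIndex
    0xFFFF (none of the offered dialects accepted).
    """
    if len(data) < 4 + 32 + 3:
        return False, None
    smb = data[4:]                       # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:            # server answered in SMB2: SMB1 not in use
        return False, None
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False, None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return False, None
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return False, None
    return True, dialect_index


def probe_host(host: str, port: int = 445, timeout: float = 3.0):
    """Connect, send NEGOTIATE, classify the reply. Network errors count as 'not SMB1'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError:
        return False, None
    return parse_negotiate_response(reply)


def constructed_smb1_reply(dialect_index: int) -> bytes:
    """Constructed sample of an SMB1 NEGOTIATE reply (17 parameter words), for offline use."""
    words = struct.pack("<HBHHIIIIqhB", dialect_index, 3, 50, 1, 16644, 65536, 0,
                        0x8001F3FD, 0, 0, 8)
    body = bytes([17]) + words + struct.pack("<H", 0)   # WordCount=17, ByteCount=0
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            accepted, idx = probe_host(target)
            if accepted:
                name = DIALECTS[idx].decode() if idx < len(DIALECTS) else "unknown"
                print(f"{target}: SMBv1 ACCEPTED (dialect {idx}: {name})")
            else:
                print(f"{target}: SMBv1 not negotiated / unreachable")
    else:   # no targets given: show the classifier on constructed replies
        print(parse_negotiate_response(constructed_smb1_reply(2)))        # (True, 2)
        print(parse_negotiate_response(constructed_smb1_reply(0xFFFF)))   # (False, None)
```

Run it as `python smb1_probe.py 10.0.0.5 10.0.0.6 ...` from a machine inside each network segment; run it again from a segment that is supposed to be isolated, where every host should come back as not negotiated. A Windows machine with SMBv1 disabled closes the connection without answering, which the script reports the same way as a host that is filtered or off.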
Here is a list of longer-term, strategic items (not exhaustive, but it addresses EternalBlue-like exploits):
- Review all systems on your network and upgrade any that run an unsupported OS to a supported one.
- Ensure all OS security patches are installed on your systems within 30 days of release, and sooner for vulnerabilities that are being actively exploited.
- Ensure malware/anti-virus updates are installed shortly after release.
- Ensure backups of critical systems are occurring and the restoration of that backup data has been tested and is known to work.
If you are unlucky enough to be affected by Wanna, here are a few steps to take (your environment may dictate other options):
- Do not pay the ransom unless you have no alternative. Paying funds the attackers, encourages further attacks, and does not guarantee that you will receive a working decryption key.
- Isolate infected machines from the network immediately, then update all systems (even those infected) before reconnecting them.
- Restore those affected systems from the last good backup.
- If desktops are affected (and do not contain critical business data), wipe them and rebuild from a known-good baseline image, applying all patches before returning them to service.
Unfortunately, once you are infected there is no easy fix. Malware removal software can remove Wanna itself, but it cannot recover files that have already been encrypted. Each victim's files are encrypted with keys that are themselves encrypted with a key held only by the attackers, so only they can produce a working decryptor.
Wanna is a warning to all who were not affected that your systems are at risk of compromise every day. You must exercise due care in keeping your systems up to date, and add the “defense in depth” layers (network segmentation, least privilege, tested backups) that keep attackers at bay and help you recover if you are affected.