WannaCryptor
WannaCryptor

By this morning it was reported that at least 200,000 computers in some 150 countries had been hit by the WannaCrypt0r 2.0 ransomware which struck last Friday, using the EternalBlue exploit to leverage the MS17-010 vulnerability in Microsoft operating systems. However, Ciaran Martin, CEO of the NCSC announced on BBC news at lunchtime that there had been no new infections, that the impact was at the lower end of expectations, and no second wave attack had yet happened.

In the UK over the weekend 48 National Health Service (NHS) trusts in England plus 13 in Scotland reported problems at hospitals, doctor surgeries or pharmacies. Meanwhile, the Spanish telecommunications operator Telefonica, Russia's Interior Ministry and Sberbank, Germany's Deutsche Bahn rail network, French carmaker Renault, plus FedEx in the US were also hit.

The current spread is being logged on the following map.

There were still half a dozen NHS trusts reporting difficulties this morning, despite the spread of the initial exploit being halted inadvertently by a researcher who registered a domain to track its spread (see separate story to come). And the fear was that both the original attackers, presumed cyber-criminals, and others, could jump on the bandwagon to exploit this vulnerability with different ransomware or new versions of the original attack.

Governments, law enforcement and the industry have all rallied to respond and provide remediation advice, but their approaches and emphasis have differed, including their apportioning of responsibility, from blaming industry, to government, to users. (see separate story).

In a statement issued by the National Cyber Security Centre (NCSC) it was reported that while there appear to be no sustained new attacks of that kind, compromises of machines and networks that have already occurred may not yet have been detected. Therefore given that existing infections from the malware can spread within networks, “it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale”.

The first response is thus to limit the spread and impact of attacks that have already occurred and many companies, and the NCSC itself, have published guidance, both to patch for this attack and how to protect from ransomware generally

Secondly, it is acknowledged by the NCSC that it is possible that a ransomware attack of this type and on this scale could recur, “though we have no specific evidence that this is the case.” It advises that the public and organisations undertake three simple steps:

  1. Keep your organisation's security software patches up to date

  2. Use proper antivirus software services

  3. Most importantly for ransomware, back up the data that matters to you, because you can't be held to ransom for data you hold somewhere else.

Home users and small businesses are advised to:

  1. Run Windows Update

  2. Make sure your antivirus product is up to date and run a scan – if you don't have one install one of the free trial versions from a reputable vendor

  3. If you have not done so before, this is a good time to think about backing important data up – you can't be held to ransom if you've got the data somewhere else.

Ciaran Martin, CEO of the NCSC, issued a statement on the organisation's website. “The National Cyber Security Centre is working round the clock with UK and international partners and with private sector experts to lead the response to these cyber attacks,” he said.

“The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS. As the Prime Minister said, we have no evidence that UK National Health Service patient data has been stolen. We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.”

Microsoft has issued a public patch for the now unsupported Windows XP operating system as well as previous versions Windows 8 and Windows Server 2003. In a blog post, Brad Smith, president and chief legal officer at Microsoft, said, “We've been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported.”

He then went on to both admonish the authorities for not reporting vulnerabilities and looking at what industry could do to help, reminding readers that Microsoft developed and released the patch in March, plus “a prompt update on Friday to Windows Defender to detect the WannaCrypt attack, and work by our customer support personnel to help customers afflicted by the attack.”

He also pointed out that the fact that so many computers remained vulnerable two months after the release of a patch means, “they're [customers] literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it's something every top executive should support.” And that meant seeking to ensure security updates are applied immediately to all IT environments.

Finally, Smith condemned stockpiling of vulnerabilities by governments, saying, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber-security threats in the world today – nation-state action and organized criminal action.”

He continued, “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyber-space to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention' to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

Given the demands for cash, and their low value, as well as the variety of victims, and countries impacted, it is assumed that the culprits are cyber-criminals rather than a nation state, thus it falls to international law enforcement to catch them.

The European Cybercrime Centre, EC3, at Europol has issued a statement that the attack will, “require a complex international investigation to identify the culprits. The Joint Cybercrime Action Taskforce (JCAT), at EC3 is a group of specialist international cyber investigators and is specially designed to assist in such investigations and will play an important role in supporting the investigation.”

Among other industry observations in emails to SC:

Myles Bray, EMEA VP, ForeScout Technologies Inc noted, “shutting down entire networks and hospitals is unnecessary. Technologies exist today that allow hospitals to quarantine and isolate affected devices while the network as a whole continues functioning.

"Hackers are specifically targeting healthcare, and other organisations that cannot afford for their systems or internet connected devices to be down for even a minute. The only way to protect against this is to have complete visibility of all devices on a network at all times, and the ability to understand and control the devices and their levels of access across the organisation's network. Given the lack of security built into many devices from manufacturers, this is something that organisations like the NHS need to apply for themselves."

Adam Meyers, vice president at CrowdStrike, said, “It is important to recognise that patch roll-outs are complex. High profile patch fiascos have made IT departments wary of automatic patch installations. Organisations often run testing, to double check that applying the patch does not knock over their IT systems. Any window between the known vulnerability and the patch is critical. Two months arguably is too long. But, organisations need an intelligent endpoint protection system that can operate at machine speed during that window of opportunity.

“The WannaCry infestation needs to force a shift in the security paradigm. The best defence to wide scale cyber security is a crowdsourced response. This is about pulling together what we have learnt on one machine, one endpoint and applying that learning to help defend other networks. Once this attack is over, the next step has to be attribution and bringing the perpetrator to justice.”

Karl Sigler, threat intelligence manager at Trustwave, said, “Despite a patch being available, this didn't appear to slow WannaCry down. While many blame system administrators for not patching the systems under their control, a complicating factor is the still widespread prevalence of Windows XP and Windows Server 2003. Both of these operating systems have passed their ‘end-of-life' and are no longer issued patches.”

However, he acknowledged that Microsoft made the rare move of pushing out a patch to those end-of-life systems even though the company wasn't obligated to do so.