WannaCrypt or the NHS Worm

As many of you will be aware, the NHS suffered from a mass outbreak of a ransomware worm last Friday which has since spread to many other organisations around the world. For more general information please see The Register’s article which is a good summary and links to more detailed works.

For various technical reasons we may be somewhat better protected than some organisations but it is also possible we may also fall victim to this. To help IS it would be helpful if you were to :-

  1. Be especially wary of unexpected mail attachments. The attack was alleged to have started with an emailed attachment. Even if the attack did not start via email, being wary is still good advice.
  2. Be especially wary of offers of protection. Even if they are from “Microsoft” (they likely are not). Scammers will use this opportunity to drag more money out of their victims.
  3. If you happen to be running an un-managed Windows system, please make sure that it is properly patched as soon as possible. In particular MS17-010 should be installed.
    1. In a small number of cases, managed Windows workstations may still be vulnerable if they have not been turned on and/or rebooted since the patch was released. Such machines should be rebooted as soon as possible.

How It Works

The initial infection will either occur via a malware infected email (once it is read or in some cases previewed), or via a vulnerability in the Windows file-sharing network protocol. There is currently no evidence to show that it started with a malware infected email (which we would normally expect at this stage), but neither is there evidence to show that it did not.

Once infected, the malware will try to encrypt files on all reachable drives and try to infect neighbouring machines using the previously mentioned Windows file-sharing vulnerability.

In circumstances where this vulnerability is very widespread, an entire organisation can be brought down.

The “Kill Switch”

The original malware would not try to infect a host if it successfully made a connection to a certain website address. This was an attempt at making it harder to analyse, but in this case failed.

A security researcher registered the relevant DNS domain so that connections were successful in what turned out to be an attempt to slow down the rate of infection.

However it may very well be the case that later versions of the malware have been released without the “kill switch”.

This entry was posted in Active Attacks. Bookmark the permalink.