UPDATED: #WannaCry #WCry Ransomware: an International Cyber Threat

Last Updated: June 14, 2017

WannaCry: Touted as the World’s First Ever Ransomworm

WannaCry, also known as WCry, WNCry, WannaCrypt, WanaCrypt0r, and Wanna Decrypt0r, is widely touted as the world’s first ransomworm (i.e., a type of ransomware with the ability to self-propagate without user intervention or interaction).  Its reach has been of epidemic proportions worldwide.  The “success” of the WannaCry ransomware is based upon one tried and true fact: many individuals and organizations do not patch their systems in a timely manner.

The WannaCry ransomware has the capability to spread from machine to machine on the same network and, potentially, across the Internet.  Specifically, WannaCry includes a worm or worm-like component, essentially a “spreader,” that reportedly takes advantage of the SMB, NetBIOS, and RDP protocols.

Please note: The ransomware is rapidly changing and there are multiple variants; at least 65 variants of the WannaCry ransomware have been confirmed at this time.  (This number is likely to increase.)

As a result, a very thorough risk assessment, especially of internet-facing ports and services, is highly recommended.  A thorough risk assessment of external-facing and internal-facing SMB ports is also highly recommended.  Assistance is available from the United States Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT) National Cybersecurity Assessment & Technical Services (NCATS) program.  To request an unauthenticated scan of your organization’s public IP address from the DHS NCATS program, please contact NCATS_INFO@hq.dhs.gov.

The WannaCry worm component exploits an SMB vulnerability disclosed (and patched) in MS17-010.  Microsoft has also released out-of-band security updates for Windows Server 2003 Service Pack 2 x64, Windows Server 2003 Service Pack 2 x86, Windows XP Service Pack 2 x64, Windows XP Service Pack 3 x86, Windows XP Embedded Service Pack 3 x86, Windows 8 x86, and Windows 8 x64 (platforms not addressed in MS17-010).  Additionally, the WannaCry worm component reportedly uses NetBIOS and RDP to spread from host to host.  Thus, additional mitigation steps are recommended, such as closing or restricting access to the ports used by these protocols (SMB, NetBIOS, and RDP).

Please note: The following information is what is available at this present time.  However, the WannaCry ransomware threat is constantly evolving.  (It has been reported that the worm component of the WannaCry ransomware has been released in the wild, and thus, we expect to see many variants.  What may work in one situation may not work in another.)  Thus, this information is provided for your situational awareness based upon open source information to date.

Impacts on the Health Sector

Anecdotally, there have been reports by healthcare providers around the world (including the United States) of infections affecting their computers and embedded systems (including medical devices).  There have also been reports of vishing calls from individuals alleging that they are from Microsoft, requesting access to organizations’ systems to apply the above-mentioned SMB patch(es).  Finally, there have also been reports of the propagation of WannaCry ransomware through third party virtual private network (VPN) services.


Attack vectors and how victims are targeted

UPDATED: The WannaCry ransomware has been reported to propagate via Server Message Block (SMB) protocol.  According to analyst reports, there are multiple variants of the WannaCry ransomware.  Additionally, the WannaCry ransomware has two components: (1) a ransomware component and (2) a worm (or worm-like) component which enables it to spread laterally throughout an organization’s network without the need for human intervention.

Kill switches

The WannaCry ransomware has been evolving quickly, and multiple variants now exist.  Because it includes a worm or worm-like component, it can spread without the need for human interaction.  Some variants have a kill switch and others have no kill switch at all, so the kill switch found in one variant does not neutralize the others.  Thus, the WannaCry ransomware remains a very serious international cyber threat.

Detection information – potential indicators of compromise

The following indicators have been confirmed by analysts.  Also attached here is a copy of the recent FBI Flash bulletin (TLP: White) (which may be freely distributed via public and private channels).

Please note: The ransomware is rapidly changing, so these potential indicators of compromise may also change.  The following potential indicators of compromise may be associated with WannaCry ransomware.

UPDATED: Filenames: @WanaDecryptor@.exe, !WannaDecryptor!.exe, wnry.exe, wcry.exe

File extensions of encrypted files on infected machines: .wncry, .wcry, .wnry, .wncrypt
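The filenames and extensions above can be swept for directly.  The following PowerShell script is an added example, not part of the original bulletin: it recurses the given roots, flags both the dropper/ransom-note names and the encrypted-file extensions, and summarizes hits per directory so a triage team can see where encryption reached.  The roots and the report location are assumptions.

```powershell
param(
    [string[]]$Path = @('C:\Users', '\\FILESERVER01\Shares'),  # assumed roots to sweep; adjust to your estate
    [string]$Report = "$env:TEMP\wannacry-sweep.csv"            # assumed output location
)

# Indicators taken from the bulletin text: dropper/ransom-note names and encrypted-file extensions
$IocFileNames  = @('@WanaDecryptor@.exe', '!WannaDecryptor!.exe', 'wnry.exe', 'wcry.exe')
$IocExtensions = @('.wncry', '.wcry', '.wnry', '.wncrypt')

$hits = foreach ($root in $Path) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping missing path $root"; continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $IocFileNames -contains $_.Name -or $IocExtensions -contains $_.Extension } |
        ForEach-Object {
            # a name hit means the payload was dropped here; an extension hit means files were encrypted
            $kind = if ($IocFileNames -contains $_.Name) { 'dropper-or-note' } else { 'encrypted-file' }
            [pscustomobject]@{
                Host      = $env:COMPUTERNAME
                Directory = $_.DirectoryName
                Name      = $_.Name
                Kind      = $kind
                Written   = $_.LastWriteTimeUtc
            }
        }
}

if (-not $hits) {
    Write-Host "No WannaCry filename or extension indicators found under: $($Path -join ', ')"
    return
}

# Per-directory summary; the earliest write time approximates when encryption reached that directory
$hits | Group-Object Directory | ForEach-Object {
    [pscustomobject]@{
        Directory = $_.Name
        Files     = $_.Count
        FirstSeen = ($_.Group | Sort-Object Written | Select-Object -First 1).Written
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize

# Keep the full listing as evidence before any host is re-imaged (see the restore guidance below)
$hits | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "Full hit list written to $Report"
```

A clean result only means these particular names and extensions are absent; other variants may use different ones, so pair the sweep with the hash and network indicators in the US-CERT bulletin.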

Additional indicators of compromise are available in the US-CERT bulletin on Indicators Associated with WannaCry ransomware and indicators of compromise for Alert No. TA17-132A.

Mitigation information

Mitigation steps for the WannaCry ransomware include the following:

  1. According to Microsoft, the MS17-010 security update should be deployed.  Microsoft also released out-of-band security updates for Windows Server 2003 Service Pack 2 x64, Windows Server 2003 Service Pack 2 x86, Windows XP Service Pack 2 x64, Windows XP Service Pack 3 x86, Windows XP Embedded Service Pack 3 x86, Windows 8 x86, and Windows 8 x64, accessible here.  Essentially, apply all appropriate patches supplied by Microsoft to vulnerable systems (ideally, after the patches have been tested by your organization).
  2. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC):
    • Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after testing.
    • Run all software as a non-privileged user.
    • Do not visit untrusted websites or links.
    • Apply the principle of least privilege to all systems and services.
  3. Educate your staff on good cyber hygiene and practice good cyber hygiene throughout your organization to mitigate this and other threats.
  4. Deploy defense-in-depth at your organization. 
    • First, be sure to keep your firmware, systems, operating systems, applications, and devices up-to-date. 
    • Second, properly configure your firewalls and decide which traffic to let into and let out of your network. 
    • Third, make sure your anti-virus software and definitions are up to date. 
    • Fourth, deploy endpoint protection software solutions or appliances. 
  5. Special note: If a system may have been infected with WannaCry ransomware, you may want to consider, if feasible, fully restoring from the most recent clean (i.e., non-infected) and known-good (e.g., verified and validated) backup.  However, please also note that this will work only so long as you are dealing with malware which does not persist after reboot, log-off, restart, etc.

    You may have a greater level of assurance in a system that has been fully restored to a last good state, as opposed to a system which has just been “cleansed” of the ransomware (or where the ransomware has just been quarantined).
  6. For more cyber hygiene tips, please visit the HIMSS privacy and security awareness initiatives page.
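Steps 1, 2 and 4 above can be checked on a host before any change is made.  The following PowerShell script is an added example, not code from the bulletin, Microsoft or MS-ISAC: it reports missing MS17-010 updates (for the KB ids you supply for that build), whether SMBv1 is still enabled, and which enabled inbound firewall rules allow the SMB, NetBIOS and RDP ports, and it disables SMBv1 only when `-Remediate` is passed.  It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (where `Get-SmbServerConfiguration` exists); the `$Ms17010Kb` list is a placeholder you fill from the Microsoft bulletin.

```powershell
param(
    [switch]$Remediate,                 # only change the host when explicitly asked (test first, as steps 1 and 2 say)
    [string[]]$Ms17010Kb = @()          # KB ids for this OS from the MS17-010 bulletin (placeholder: none supplied)
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch state: Get-HotFix lists installed updates; compare with the KB ids supplied for this build
if ($Ms17010Kb) {
    $installed = (Get-HotFix).HotFixID
    $missing = $Ms17010Kb | Where-Object { $installed -notcontains $_ }
    if ($missing) { $findings.Add("MS17-010 update(s) not installed: $($missing -join ', ')") }
}

# 2. SMBv1 on the server side (the protocol the worm component exploits)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled (MS-ISAC: disable SMBv1, use SMBv2 or SMBv3 after testing)')
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
# The SMB1Protocol optional feature ships the SMBv1 client and server binaries; remove it too where present
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol optional feature is installed')
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 3. Host-firewall exposure of the TCP ports the worm component reportedly uses (port ranges are not expanded)
$ports = @{ 445 = 'SMB'; 139 = 'NetBIOS session'; 3389 = 'RDP' }
foreach ($port in $ports.Keys) {
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if ($allowRules) {
        $names = ($allowRules.DisplayName | Select-Object -Unique) -join '; '
        $findings.Add("Inbound TCP/$port ($($ports[$port])) allowed by enabled rule(s): $names")
    }
}

# 4. Report; firewall rule changes are left to change control because the right rule depends on the host role
if ($findings.Count -eq 0) {
    Write-Host "$($env:COMPUTERNAME): no MS17-010, SMBv1 or port-exposure findings"
} else {
    $findings | ForEach-Object { Write-Warning "$($env:COMPUTERNAME): $_" }
    if ($Remediate) { Write-Host 'SMBv1 changes applied; a restart may be needed, then retest file sharing with legacy devices.' }
}
```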

FDA's Medical Device FAQ based on "Daily Sector Call" feedback:

What to do if you are the victim of ransomware or if you have cyber threat indicators to share

The following information is from the US Department of Health and Human Services.

  • Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry.
  • If possible, re-image potentially affected devices to mitigate the risk that malware remains on the system in the background.* (Author’s note: This will work so long as you are dealing with malware which does not persist after reboot, log-off, restart, etc.)
  • Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
  • If your organization is the victim of a ransomware attack, please contact law enforcement immediately.

Additionally, the US Department of Health and Human Services has provided the following guidance:

  1. Contact your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force immediately to report a ransomware event and request assistance.
  2. Report cyber incidents to the US-CERT and FBI's Internet Crime Complaint Center.
  3. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov.
  4. If your healthcare facility experiences a suspected cyber-attack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1 (866) 300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.

Additional resources

  1. Microsoft Security Update Guide
  2. Technical Resources, Assistance Center, and Information Exchange (TRACIE) (ASPR/HHS)
  3. Last updated on June 13: Indicators Associated with WannaCry Ransomware (Update I)
  4. UPDATED: Patches That Fix the Vulnerability For MS17-010
  5. How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
  6. UPDATED: SMB Security Best Practices
  7. UPDATED: Malware Initial Findings Report 10124171
  8. UPDATED: Malware Initial Findings Report 10124171 (STX format)