Last Updated: June 14, 2017
WannaCry: Touted as the World’s First Ever Ransomworm
WannaCry, also known as WCry, WNCry, WannaCrypt, WanaCrypt0r, and Wanna Decrypt0r, is widely touted as the world’s first ransomworm (i.e., a type of ransomware with the ability to self-propagate without user intervention or interaction). Its reach has been of epidemic proportions worldwide. The “success” of the WannaCry ransomware is based upon one tried and true fact: many individuals and organizations do not patch their systems in a timely manner.
The WannaCry ransomware has the capability to spread from machine to machine on the same network and, potentially, across the Internet. Specifically, the WannaCry ransomware has a worm or worm-like component, essentially a “spreader”, that reportedly takes advantage of the SMB, NetBIOS, and RDP protocols.
Please note: The ransomware is rapidly changing and there are multiple variants—at least 65 variants of the WannaCry ransomware have been confirmed at this time. (It is likely that this number will increase.)
As a result, a very thorough risk assessment, especially of internet-facing ports and services, is highly recommended. A thorough risk assessment of external-facing and internal-facing SMB ports is also highly recommended. Assistance is available from the United States Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT) National Cybersecurity Assessment & Technical Services (NCATS) program. To request an unauthenticated scan of your organization’s public IP address from the DHS NCATS program, please contact NCATS_INFO@hq.dhs.gov.
The WannaCry worm component exploits an SMB vulnerability disclosed (and patched) in MS17-010. Microsoft has also released out-of-band security updates for Windows Server 2003 Service Pack 2 x64, Windows Server 2003 Service Pack 2 x86, Windows XP Service Pack 2 x64, Windows XP Service Pack 3 x86, Windows XP Embedded Service Pack 3 x86, Windows 8 x86, and Windows 8 x64 (not addressed in MS17-010). Additionally, the WannaCry worm component reportedly uses NetBIOS and RDP to spread from host to host. Thus, additional mitigation steps are recommended, such as considering either closing or restricting these ports (i.e., SMB, NetBIOS, and RDP).
Please note: The following information is what is available at this present time. However, the WannaCry ransomware threat is constantly evolving. (It has been reported that the worm component of the WannaCry ransomware has been released in the wild, and thus, we expect to see many variants. What may work in one situation may not work in another.) Thus, this information is provided for your situational awareness based upon open source information to date.
Impacts on the Health Sector
Anecdotally, there have been reports by healthcare providers around the world (including the United States) of infections affecting their computers and embedded systems (including medical devices). There have also been reports of vishing calls from individuals alleging that they are from Microsoft, requesting access to organizations’ systems to apply the above-mentioned SMB patch(es). Finally, there have also been reports of the propagation of WannaCry ransomware through third-party virtual private network (VPN) services.
Attack vectors and how victims are targeted
UPDATED: The WannaCry ransomware has been reported to propagate via Server Message Block (SMB) protocol. According to analyst reports, there are multiple variants of the WannaCry ransomware. Additionally, the WannaCry ransomware has two components: (1) a ransomware component and (2) a worm (or worm-like) component which enables it to spread laterally throughout an organization’s network without the need for human intervention.
The WannaCry ransomware has been quickly evolving and exists in multiple variants. Because it includes a worm or worm-like component, it can spread without the need for human interaction. Some variants have a kill switch and others have no kill switch at all. Thus, the WannaCry ransomware is still a very serious international cyber threat due to the multiple variants of the ransomware.
Detection information – potential indicators of compromise
The following indicators have been confirmed by analysts. Also attached here is a copy of the recent FBI Flash bulletin (TLP: White) (which may be freely distributed via public and private channels).
Please note: The ransomware is rapidly changing, so these potential indicators of compromise may change. With that caveat, the following potential indicators of compromise may be associated with WannaCry ransomware.
UPDATED: Filenames: @WanaDecryptor@.exe, !WannaDecryptor!.exe, wnry.exe, wcry.exe
File extensions of encrypted files on infected machines: .wncry, .wcry, .wnry, .wncrypt
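As an added example (not part of the advisory), the following PowerShell sweep checks local drives and the running process list for the file names and extensions listed above; the report path is an assumption, and a hit is an indicator to investigate, not proof of infection.

```powershell
# Added example, not from the advisory: sweep local file-system drives and the
# process list for the WannaCry file-name and extension indicators listed above.
# Assumptions: run from an elevated PowerShell; the report path is a placeholder.
$IocFileNames  = @('@WanaDecryptor@.exe', '!WannaDecryptor!.exe', 'wnry.exe', 'wcry.exe')
$IocExtensions = @('.wncry', '.wcry', '.wnry', '.wncrypt')
$ReportPath    = Join-Path $env:TEMP 'wannacry-ioc-sweep.csv'

# Every mounted file-system drive; -Force includes hidden/system files, and
# SilentlyContinue skips paths this account cannot read instead of aborting.
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root
$fileHits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $IocFileNames -contains $_.Name -or $IocExtensions -contains $_.Extension } |
        Select-Object @{n='Type';e={'File'}}, @{n='Indicator';e={$_.FullName}},
                      @{n='Detail';e={"$($_.Length) bytes, modified $($_.LastWriteTime)"}}
}

# A running process named after one of the dropper binaries (ProcessName omits ".exe";
# string comparison with -contains is case-insensitive).
$procHits = Get-Process | Where-Object { $IocFileNames -contains ($_.ProcessName + '.exe') } |
    Select-Object @{n='Type';e={'Process'}}, @{n='Indicator';e={$_.ProcessName}},
                  @{n='Detail';e={"PID $($_.Id), path $($_.Path)"}}

$hits = @($fileHits) + @($procHits)
$hits | Export-Csv -Path $ReportPath -NoTypeInformation

# Hit counts per directory show how far the encryption stage got on this host.
$hits | Where-Object { $_.Type -eq 'File' } |
    Group-Object { Split-Path $_.Indicator -Parent } |
    Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

"$($hits.Count) indicator hit(s); report written to $ReportPath"
```

Run it from an incident-response account on a host suspected of infection; the CSV can be shared with the contacts listed later in this advisory.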
Mitigation steps for the WannaCry ransomware include the following:
- According to Microsoft, the MS17-010 security update should be deployed. Microsoft also released out-of-band security updates for Windows Server 2003 Service Pack 2 x64, Windows Server 2003 Service Pack 2 x86, Windows XP Service Pack 2 x64, Windows XP Service Pack 3 x86, Windows XP Embedded Service Pack 3 x86, Windows 8 x86, and Windows 8 x64, accessible here. Essentially, apply all appropriate patches supplied by Microsoft to vulnerable systems (ideally, after the patches have been tested by your organization).
- According to the Multi-State Information Sharing and Analysis Center (MS-ISAC):
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after testing.
- Run all software as a non-privileged user.
- Do not visit untrusted websites or links.
- Apply the principle of least privilege to all systems and services.
- Educate your staff on good cyber hygiene and practice good cyber hygiene throughout your organization to mitigate this and other threats.
- Deploy defense-in-depth at your organization.
- First, be sure to keep your firmware, systems, operating systems, applications, and devices up-to-date.
- Second, properly configure your firewalls and decide which traffic to let into and let out of your network.
- Third, make sure your anti-virus software and definitions are up to date.
- Fourth, deploy endpoint protection software solutions or appliances.
- Special note: If a system may have been infected with WannaCry ransomware, you may want to consider, if feasible, fully restoring from the most recent clean (i.e., non-infected) and good (e.g., verified and validated) backup. However, please also note: this will work only so long as you are dealing with malware which does not persist after reboot, log-off, restart, etc.
You may have a greater level of assurance in a system that has been fully restored to a last good state, as opposed to a system which just has been “cleansed” of the ransomware (or where the ransomware has just been quarantined).
- For more cyber hygiene tips, please visit the HIMSS privacy and security awareness initiatives page.
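As an added example (not part of the advisory or of any vendor's tooling), the following PowerShell script audits, and with `-Enforce` applies, the core mitigations above on a Windows 8/Server 2012 or later host: confirming an MS17-010 update is installed, disabling SMBv1 on the server side, and restricting inbound SMB, NetBIOS and RDP. The management subnet and the KB list are assumptions to verify against your environment and the Microsoft Security Update Guide.

```powershell
# Added example, not from the advisory: audit (default) or enforce (-Enforce) the
# MS17-010 patch, SMBv1 and SMB/NetBIOS/RDP exposure mitigations on one host.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later; $MgmtSubnet
# is the only network that should reach RDP; re-check the KB list against the
# Microsoft Security Update Guide before relying on it.
param([switch]$Enforce, [string]$MgmtSubnet = '10.0.0.0/24')

# KB numbers Microsoft published for MS17-010 plus the out-of-band KB4012598.
$Ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$installed = (Get-HotFix).HotFixID
$patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
if ($patched) { "MS17-010 present: $($patched -join ', ')" }
else          { 'MS17-010 NOT found: install the update before anything else' }

# SMBv1 server state; SMBv2/SMBv3 stay enabled when SMBv1 is turned off.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server enabled: $smb1"
if ($smb1 -and $Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 server disabled'
}

# Listening ports the worm component is reported to use: SMB 445/139 and RDP 3389.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445, 3389 } |
    Select-Object LocalAddress, LocalPort | Format-Table -AutoSize

if ($Enforce) {
    # Block SMB and NetBIOS from untrusted networks; the domain profile is left intact
    # so that tested, patched file sharing keeps working inside the organization.
    New-NetFirewallRule -DisplayName 'WannaCry mitigation: block SMB in' -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Profile Public, Private -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'WannaCry mitigation: block NetBIOS in' -Direction Inbound `
        -Protocol UDP -LocalPort 137, 138 -Profile Public, Private -Action Block | Out-Null
    # Restrict the built-in Remote Desktop rules to the management subnet only.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $MgmtSubnet
    'Firewall rules applied'
}
```

Run it without `-Enforce` first to see the host's current state, and test the enforced settings on a pilot group before rolling them out, as the advisory recommends for the patches themselves.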
FDA's Medical Device FAQ based on "Daily Sector Call" feedback:
- Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
- Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
- Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g). For additional FDA guidance, see https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
- Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If you suspect that a cybersecurity event has impacted the performance of a medical device or has impacted a hospital network system, we encourage you to file a voluntary report (https://www.fda.gov/Safety/MedWatch/HowToReport/ucm2007306.htm).
- Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
What to do if you are the victim of ransomware or if you have cyber threat indicators to share
The following information is from the US Department of Health and Human Services.
- Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry.
- If possible, re-image potentially affected devices to mitigate the risk that malware is on the system in the background. (Author’s note: This will work so long as you are dealing with malware which does not persist after reboot, log-off, restart, etc.)
- Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
- If your organization is the victim of a ransomware attack, please contact law enforcement immediately.
Additionally, the US Department of Health and Human Services has provided the following guidance:
- Contact your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force immediately to report a ransomware event and request assistance.
- Report cyber incidents to the US-CERT and FBI's Internet Crime Complaint Center.
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov.
- If your healthcare facility experiences a suspected cyber-attack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1 (866) 300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
- Microsoft Security Update Guide
- Technical Resources, Assistance Center, and Information Exchange (TRACIE) (ASPR/HHS)
- Last updated on June 13: Indicators Associated with WannaCry Ransomware (Update I)
- UPDATED: Patches That Fix the Vulnerability For MS17-010
- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- UPDATED: SMB Security Best Practices
- UPDATED: Malware Initial Findings Report 10124171
- UPDATED: Malware Initial Findings Report 10124171 (STX format)