A massive ransomware campaign appears to have already infected a number of organizations around the world. There have been reports of infections in the UK, US, China, Russia, Spain, Italy, Vietnam, and Taiwan, and at least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware. It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.
The ransomware's name is WCry, but it is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, and most commonly just Wanna Decrypt0r. The family first appeared in March, but activity from it was almost nonexistent before today's sudden explosion, when the number of victims skyrocketed within a few hours. What was clear was that Wana Decrypt0r is extremely virulent. An alert published by Spain's national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wana Decrypt0r is that it leverages a software vulnerability in Windows computers that Microsoft patched in March. According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws can be extremely dangerous inside corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
The ransomware is delivered as a Trojan through a booby-trapped hyperlink that a victim can open by accident in an email, an advert on a web page, or a Dropbox link. Phishing emails containing Word or PDF documents disguised as an invoice, or links to a Dropbox document, are especially common. Sometimes the payload can be delivered simply by visiting a website that hosts a malicious program. Even well-patched operating systems cannot help users who are tricked into deliberately running the software by opening an attachment or clicking a link.
True North Networks maintains Windows patching for managed clients and applies Microsoft patches according to your scheduled monthly patching window. Please be extra cautious with emails that contain hyperlinks, attachments, or anything that looks suspicious or out of the ordinary. Please share this email with all employees in the office.
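For administrators who want to confirm a host is covered against the SMB spread described above, the following PowerShell audit is an added example, not part of this notice or of True North Networks' tooling. It assumes an elevated session on Windows, and the KB numbers listed are taken from the MS17-010 bulletin as remembered here; verify them against the bulletin for your exact OS build before relying on the result.

```powershell
# Added example: audit one Windows host for SMBv1 exposure and the MS17-010 update.
# Run as Administrator. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
# and later; on Windows 7 / 2008 R2 the script falls back to the LanmanServer registry key.

# MS17-010 (March 2017) KB numbers; assumed from the bulletin, verify for your OS build.
# Windows 10 builds received the fix under different cumulative-update KBs not listed here.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'    # Server 2012
)

function Get-Smb1State {
    # Prefer the SMB cmdlets; fall back to the registry on hosts that lack them.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    # When the SMB1 value is absent, SMBv1 is enabled by default on legacy Windows.
    if ($null -eq $v) { return $true }
    return [bool]$v.SMB1
}

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # A later cumulative update can supersede these KBs without listing them, so a
    # miss here means "check the build's update history", not "definitely unpatched".
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

$smb1    = Get-Smb1State
$patched = Test-Ms17010Installed
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    SMB1Enabled      = $smb1
    MS17010KbPresent = $patched
    Recommendation   = if ($smb1) {
        'Disable SMBv1 once legacy dependencies are ruled out: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    } elseif (-not $patched) {
        'Confirm the March 2017 (or later cumulative) update is installed'
    } else { 'OK' }
}
```

The output object is a convenient shape to collect across managed hosts with Invoke-Command and review before the next patching window.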