I woke up this morning to hear there has been a significant outbreak of ransomware known as WannaCry hitting Windows machines which haven't applied the MS17-010 patch.
I've copied the executive summary from the gist linked below as it perfectly captures the need-to-knows on this (credit to rain-1, who stood this up).
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
- Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
- Infections: NHS (uk), Telefonica (spain), FedEx (us), University of Waterloo (us), Russia interior ministry & Megafon (russia), Sberbank (russia), Shaheen Airlines (india, claimed on twitter), Train station (germany), Neustadt station (germany)
- Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
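As an added illustration (not from the post or the gist it quotes), the kill-switch behaviour above gives defenders a cheap indicator: the lookup of that domain is made by the malware itself, so a DNS query for it from an internal host means the payload ran there even though the sinkhole made it exit. This Python snippet scans DNS resolver log lines for such lookups; the log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Kill-switch domain named in the summary above (now sinkholed).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (assumed format, not real telemetry):
# "<timestamp> client=<ip> query=<name> type=<rrtype>"
SAMPLE_DNS_LOG = """\
2017-05-12T09:14:02Z client=10.1.4.23 query=www.example.com type=A
2017-05-12T09:14:05Z client=10.1.4.23 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A
2017-05-12T09:14:06Z client=10.1.7.88 query=update.microsoft.com type=A
2017-05-12T09:15:31Z client=10.1.9.102 query=WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A
2017-05-12T09:15:40Z client=10.1.4.23 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=(?P<type>\S+)$"
)


def normalise(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def find_kill_switch_lookups(log_text):
    """Return {client_ip: [timestamps]} for hosts that queried the kill-switch domain.

    The query is issued by the malware at start-up, so any host in the result
    executed the payload and should be isolated and examined, even though the
    sinkholed domain answered and the worm exited without spreading from it.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        if normalise(m.group("query")) == KILL_SWITCH_DOMAIN:
            hits[m.group("client")].append(m.group("ts"))
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Point it at your resolver or proxy logs for 12 May onwards; a host appearing in the output is one to pull off the network and check before it is trusted again.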
I'm following these sources to keep up with this incident and ensure I have the right information in front of me to know our response is solid:
- Cisco's Talos threat intelligence team has an excellent write-up here
- The following gist which contains updates as the outbreak and mitigations unfold
- Following Twitter accounts of good folk like @malwrhunterteam, @MalwareTechBlog, @Metlstorm and @riskybusiness
So it's time to help your friends and family ensure their older Windows machines are current with their patching, and if you're in tech, read up and share with your IT departments and SRE/ops folks to ensure patching is rolled out across your fleet of Windows machines.