It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)
At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS17-010 are vulnerable to the ‘EternalBlue’ exploit from the Shadow Brokers NSA leak unless they have security software that blocks that exploit.
Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:
Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSISOFT. Commentary by The Register.
Kat Hall reports for The Register on an attack against North Dorset Council apparently involving 6,000 files compromised by ransomware. The council refused to pay the ransom and are quoted as saying:
“The ‘ransomware’ attack was quickly detected by our security systems and action was taken to minimise the impact on our systems. No customer data was compromised.”
G-Data’s Eddy Willems is quoted as saying that organizations are being targeted that are less likely to have up-to-date protection and therefore more likely to pay the ransom. ESET’s Mark James didn’t suggest specific targeting, but did observe that public sector organizations are vulnerable because of the sensitivity of the data they hold and the fact that they are likely to be hampered by budget constraints.
Having spent much of my life working for the National Health Service, I’m all too aware of those constraints, and have a great deal of sympathy for executives who have to walk the tightrope between the need for the best affordable security and the need to prioritize direct spending on patient care. Similar concerns apply in other public sector organizations, charities and so on. When it comes to ransomware, however, the risk it poses to client data and wellbeing does call for an effective security strategy that prioritizes data and system backups and data recovery. It sounds as if the Council in this case were properly prepared.
Actually, I don’t know when Mikko Hypponen’s own birthday is, but the F-Secure blog is six years old today (the first AV vendor blog onto the scene).
Makes me feel like a raw beginner. 😉 Though in fact, I was publishing alerts and advisories on an NHS (internal) web site in a blog-like format a year or two earlier, I think. This was before I joined the AV industry, of course (the NHS is the UK’s National Health Service). However, even the earliest F-Secure blogs (http://bit.ly/cOvLLL) look a lot more professional than those. In my first couple of years at the NHS, I had to generate an advisory in an approved format, generate a PDF, then pass it on to someone else to post it onto a web server. That, of course, was hardly real-time. If there was no-one around to do it or they were really busy, it might take days or even a week or two. Which was a bit of a problem at a time when fast-burning mass-mailers and virus hoaxes could come out of nowhere and pass through the mail systems like wildfire.
In my previous job, I used to generate text files that people could access via a shell script calling lynx from the Unix command line, accessed from PCs and Macs using telnet or kermit for terminal emulation. Happily, technology has moved on.
Sandbox? We used to dream of living in a sandbox.
David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence