Wed, May 17, 2017

Global Ransomware Attack

The unprecedented global ransomware cyber-attack of May 12, 2017, dubbed by experts Wanna Cry, Wanna Cryptor or Wanna Decryptor, exploits a vulnerability in the Microsoft Windows operating system to move invisibly from computer to computer. Unlike many other forms of malware, it spreads on its own and does not need a human to act, for example by clicking on a fake email.

Where the attack was launched from, or where its code was originally developed, matters less than confirming that your company is not exposed to it. You may be exposed if you did not apply the operating system patch MS17-010, released six weeks ago.

The media and experts have quickly confirmed that corporations which have not applied this software update must do so immediately to avoid falling victim to this ransomware attack. If the MS17-010 patch cannot be applied, the alternative is to disable the SMBv1 service immediately.

Your IT vendor or in-house IT team should confirm, on request, whether you are protected from this malware. The moral of this ransomware story remains: stay on currently supported operating systems, and patch as soon as possible. In this case Microsoft even released out-of-band patches for older, no-longer-supported operating systems such as XP.

Duff & Phelps consistently advises its clients on implementing appropriate internal controls to identify, mitigate and prevent cyber-breaches, including the following:

  • Patching Windows
  • Disabling SMB1
  • Adding firewall rules to block the affected ports on Internet-facing systems
  • Testing most recent backups (which should be offline, not connected)
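The three host-level controls above (patch status, SMBv1 state, inbound SMB firewall rule) as an added PowerShell audit script; it is not part of the original advisory or any Duff & Phelps tooling. It assumes a Windows 8 / Server 2012 or later host for the SMB and firewall cmdlets (with the documented LanmanServer registry value as a fallback on older systems), and that $Ms17010Kbs is filled in from Microsoft's MS17-010 bulletin for the host's OS; the KB entry shown is a placeholder, not a real identifier.

```powershell
param([switch]$Remediate)   # without -Remediate the script only audits and changes nothing

# ASSUMPTION: fill this in from Microsoft's MS17-010 bulletin for the host's OS/build.
# The entry below is a placeholder, not a real KB number.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')
$report = [ordered]@{}

# 1. Patching: is any MS17-010 update for this OS installed?
$report['MS17-010 installed'] = [bool](Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

# 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
#    on Windows 7 / Server 2008 R2 the documented control is the LanmanServer SMB1 registry value
#    (absent value = SMBv1 enabled by default).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = (Get-ItemProperty $lanman -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $v) -or ($v -ne 0)
}
$report['SMBv1 enabled'] = $smb1On

# 3. Firewall: does an enabled inbound block rule cover TCP 445, the SMB port the worm spreads over?
$blockRule = $null
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Where-Object { (($_ | Get-NetFirewallPortFilter).LocalPort) -contains '445' }
}
$report['Inbound TCP 445 blocked'] = [bool]$blockRule

if ($Remediate) {
    if ($smb1On) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Takes effect once the LanmanServer (Server) service restarts
            Set-ItemProperty $lanman -Name SMB1 -Type DWord -Value 0 -Force
        }
        $report['SMBv1 enabled'] = $false
    }
    # Intended for Internet-facing hosts, as the advisory says: this also blocks legitimate file sharing.
    if (-not $blockRule) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 mitigation)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
        $report['Inbound TCP 445 blocked'] = $true
    }
}

# Patching itself is not automated here: if 'MS17-010 installed' is False, install the bulletin's update.
[pscustomobject]$report | Format-List
```

Run it elevated on each host; a False for the patch line or a True for the SMBv1 line is the condition the advisory describes as exposed.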

Prevention is important, but more important still is the ability to recover from such a ransomware attack without paying the ransom or risking significant damage to the business. Companies which believe that replicating files within the same location, or to another location, for business continuity protects them would be quite wrong, since such attacks can proceed across internet protocol (IP) connections. Maintaining offline backups on disk or other media, disconnected from the network, is the only complete assurance of recovery. Duff & Phelps has assisted many organizations in implementing such backup strategies as part of standard cyber security reviews. Please find below the technical details on the attack published to date:


Wanna Cry | Wanna Decryptor - Ransomware Worm

  • Virus name: Wanna Crypt, Wanna Cry, WanaCryptor, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue exploit for MS17-010 to propagate.
  • Ransom: between $300 and $600. The virus contains code to 'rm' (delete) files. It appears to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts volume shadow copies to make recovery harder. (source: malwarebytes)
  • Kill switch: If the kill-switch website is up, the virus exits instead of infecting the host. (source: malwarebytes) This domain has been sink-holed, stopping the spread of the worm.

Duff & Phelps supports clients globally in identifying, managing and preparing for cyber-breaches. Learn more about our cybersecurity services.
