Published on 2017-05-15 14:54:38.

An unprecedented global cyber-attack was launched on Friday, May 12th, 2017: a strain of ransomware, known under various names including WannaCrypt, WannaDecrypt, or WannaCry, and spreading like a worm from machine to machine, has affected computers running Microsoft operating systems in over 150 countries. The attack is still ongoing. Ransomware is a type of malware that encrypts an infected machine’s data – thereby rendering it useless - and demands a ransom be paid in exchange for the decryption procedure.

itrust consulting has started working on the problem with its customers over the weekend of May 13th, 2017, to identify infections and clean our customers’ systems. So far, our assessment is that it is highly likely a National Security Agency exploit using a Microsoft SMBv1 vulnerability was leveraged through a social engineering attack. The payload dropped on a given system using the exploit is the ransomware itself. The particularity of this strain is its ability to infect interconnected machines through the SMBv1 vulnerability. The ransomware is otherwise unsophisticated.

The vulnerability was patched by Microsoft in March 2017, but the patch did not cover deprecated versions of Microsoft Windows. The name of the patch is MS17-010. Due to the scale of the attack, Microsoft has since created patches for these deprecated systems. The vulnerable operating systems are:

Microsoft customers that are running these systems are urged to patch them as soon as possible using the links provided by Microsoft, which can be found here, along with more information. Systems that will have received the patch in March 2017 and therefore remain unaffected by the SMBv1 vulnerability are Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, and Windows Server 2016. In addition, as of May 12th, 2017, Windows Defender detects the malware as Ransom:Win32/WannaCrypt. Please note that these security patches are only valid for this strain of ransomware. Many other types of ransomware exist. All usual recommendations to keep ransomware - or any other type of malware - from infecting your systems still apply, e.g. be wary of suspicious email attachments and links, and keep all system components up to date in order to always have, among other things, the latest security guards in place.

As the situation is still developing, we will update this advisory accordingly.

Malware.lu CERT