WannaCry Ransomware and USGS response

A widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. This exploit utilizes a vulnerability (CVE-2017-0144) in the Microsoft Server Message Block 1.0 (SMBv1) server to perform a remote code execution attack which leads to unwanted file encryption on the victim system.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of 0.1781 bitcoins, roughly $300 U.S.

This page will be updated as time goes on.


Immediate Patch Requirement communications

From: Downs, Bruce <bruce_downs@ios.doi.gov>
Date: Mon, May 15, 2017 at 2:54 PM
Subject: !Ransomware Data Call and Actions

Due to the recent ransomware (WannaCry) outbreak, DHS is requiring all Federal Agencies to deploy the following Microsoft security patch to all Windows systems by no later than May 17, 2017 at 5:00 PM ET.

Microsoft Security Bulletin MS17-010 – Critical
https://technet.microsoft.com/library/security/MS17-010
Please deploy this patch to all of your Windows systems prior to 5:00 PM ET, May 17, 2017.

DOI is required to report our completion status to DHS by the deadline above.

Please be prepared to discuss specific constraints and commitment timelines for completing patching of any remaining systems.

Thank you very much for your cooperation in this matter.
Bruce


From: “Exter, Paul” <peexter@usgs.gov>
Date: Mon, May 15, 2017 at 11:45 AM
Subject: Action Required: WannaCry Ransomware Attack via SMBv1

Information Technology Specialists,
As you are aware, there is an active ransomware campaign which has been identified on tens of thousands of computers around the world. This exploit utilizes a vulnerability (CVE-2017-0144) in the Microsoft Server Message Block 1.0 (SMBv1) server to perform a remote code execution attack which leads to unwanted file encryption on the victim system. Recent news agency reports indicate the activity seems to have stopped, but could start up again at any moment. All Windows Operating Systems that have not been patched with Microsoft Security Bulletin MS17-010 are vulnerable to this attack.
This attack type does exhibit worm behavior. It is designed to spread laterally by accessing IPC$ shares across connected networks. Additional information can be obtained from US-CERT Alert Notice TA17-132A.
Recent OEI notifications have communicated US-CERT guidance that SMBv1 should be disabled unless absolutely needed. If needed, then immediate patching is necessary. The March ePatching cycle addressed this vulnerability, yet there are still roughly 987 vulnerable USGS Windows systems connecting to USGS networks.
The good news is that there are currently no confirmed ransomware cases in USGS. However, OEI is expecting a data call from multiple entities this week.

Windows systems that have not been patched with Microsoft Security Bulletin MS17-010 need to be investigated and remediated immediately. The preferred remediation method is disabling SMBv1.
A BigFix report showing Computers Needing MS17-010 – WannaCry has been created. In addition, there is a new query in the eVMS console called “WannaCry Ransomware/SMBv1 Vulnerabilities” which can be used to identify hosts with this issue. IT staff should review these reports, identify any systems within their boundary, and take immediate action.
There is a WannaCry specific patch baseline available in the USGS-Wide: Actions and Content area called USGS ePatching: MS17-010 Needed – WannaCry. This baseline can be used to target systems that are missing one or more relevant patches. When using this baseline, please target dynamically by property and use the all computers option. This will ensure that as systems check-in and evaluate the baseline, they will execute the action if applicable. Please note that BigFix can now patch systems connected through the internet, so a VPN connection is not required.
If a suspected Ransomware infection is identified, please open a CSIRT incident ticket immediately.
Please disseminate this information in your office.

Thank You,

Paul E. Exter
Chief Technology Officer, U. S. Geological Survey
Work:  443 498 5534  Cell:  410 375 0120
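The notice above asks IT staff to find Windows hosts that still have SMBv1 enabled or are missing MS17-010, and names disabling SMBv1 as the preferred fix. The script below is an added example for checking one host locally; it is not USGS/OEI tooling and is independent of the BigFix and eVMS reports the notice refers to. It assumes an elevated PowerShell session and uses the Microsoft SMB cmdlets where they exist (Windows 8 / Server 2012 and later) and the documented LanmanServer registry value on Windows 7 / Server 2008 R2. The KB numbers are the March 2017 MS17-010 security updates; a host patched later through a cumulative update will not list them, so "KB not found" should be reconciled with the patch-management report rather than read as proof of exposure. By default the script only audits; configuration is changed only with the -Disable switch, and -WhatIf is honored.

```powershell
<#
  Added example (not part of the USGS/OEI notice): audit a Windows host for
  SMBv1 server enabled and MS17-010 missing, and optionally disable SMBv1.
  Run from an elevated PowerShell prompt:
      .\Check-Smb1Ms17010.ps1             # audit only
      .\Check-Smb1Ms17010.ps1 -Disable    # audit, then disable SMBv1 server
      .\Check-Smb1Ms17010.ps1 -Disable -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Change configuration only when -Disable is given; default is audit only.
    [switch]$Disable
)

# MS17-010 update packages per OS family (KB ids from the Microsoft bulletin).
$Ms17010Kbs = @(
    'KB4012598',                            # XP, Vista, Server 2003, Server 2008
    'KB4012212', 'KB4012215',               # Windows 7, Server 2008 R2 (security-only, monthly rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: Microsoft's documented registry switch.
    # A missing value means SMB1 is enabled (the default on those releases).
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Get-Ms17010Status {
    # Get-HotFix lists installed update packages by KB id.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        Ms17010KbFound = [bool]$installed
        MatchingKbs    = ($installed -join ', ')
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
            Write-Warning 'Registry change applied; a reboot is required on this OS.'
        }
    }
}

$smb1  = Get-Smb1ServerState
$patch = Get-Ms17010Status

# One record per host, suitable for collecting into a CSV across an office.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Smb1Enabled    = $smb1
    Ms17010KbFound = $patch.Ms17010KbFound
    MatchingKbs    = $patch.MatchingKbs
    # Exposed to the SMBv1 remote code execution path only if SMB1 is on
    # AND none of the March 2017 packages is present (see supersedence caveat).
    Exposed        = ($smb1 -and -not $patch.Ms17010KbFound)
} | Format-List

if ($Disable -and $smb1) { Disable-Smb1Server }
```

Disabling the SMBv1 server removes the attack surface regardless of patch state, which is why the notice prefers it; before doing so on a file server, confirm no legacy clients (older printers, scanners, or pre-Vista hosts) still depend on SMB1, since they will lose access once it is off.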


Further Info:

Indicators Associated With WannaCry Ransomware – USCERT

WannaCry wikipedia page

“WannaCry ransomware: Everything you need to know” – CNET
