5/12/2017 might be another day of cyber-infamy based on malware, as hospitals and critical infrastructure providers are locked out of their machines by what appears to be a new variant of ransomware, dubbed WannaCry, spreading through corporate networks. As with the ransomware outbreaks in mid-2016 here in the US, NHS hospitals are experiencing patient care issues as a result of the malware, with some shut down completely as of 11:37 AM Eastern time.
Early analysis indicates the malware spreads via the SMB protocol, possibly using a vulnerability published by Microsoft on March 14th, per CCN-CERT (the National Cryptologic Center's CERT). This same exploit mechanism appeared to be in use by ETERNALBLUE, included as part of the Shadow Brokers dump. Patching and update information from Microsoft is located here. For the specific list of affected systems, along with the CVE number, specific MS patch details, and alternative mitigation techniques, check here.
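Because the spread mechanism is SMB, the first question a practitioner will ask is whether a given Windows host still has the SMBv1 server enabled and whether the March update is present. The following audit function is an added example, not code from the original post or from Microsoft; the function name is hypothetical, and the KB number is a placeholder to be taken from Microsoft's bulletin linked above.

```powershell
# Added example: audit one Windows host for the exposure described in the post
# (SMBv1 server enabled and the March 2017 update absent). Function name is
# hypothetical; $PatchKB is a placeholder for the KB number in Microsoft's bulletin.
function Test-Smb1Exposure {
    param(
        # Placeholder: replace with the KB identifier from Microsoft's bulletin.
        [string]$PatchKB = 'KB<number-from-MS-bulletin>'
    )

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1Server         = $null   # $true if the SMBv1 server dialect is enabled
        Smb1Feature        = $null   # optional-feature state on Windows 8.1/10 builds
        ActiveSmb1Sessions = 0       # current outbound SMB sessions negotiated at 1.x
        PatchInstalled     = $null
    }

    # Windows 8 / Server 2012 and later expose the setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: only an explicit SMB1=0 registry value
        # disables the SMBv1 server; any other state means it is on.
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $result.Smb1Server = -not ($reg -and $reg.PSObject.Properties['SMB1'] -and $reg.SMB1 -eq 0)
    }

    # Optional-feature state (requires elevation; not present on older builds).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1Feature = [string]$feature.State }

    # Live SMB client connections whose negotiated dialect is still 1.x.
    $conns = Get-SmbConnection -ErrorAction SilentlyContinue
    if ($conns) { $result.ActiveSmb1Sessions = @($conns | Where-Object { $_.Dialect -like '1.*' }).Count }

    # Installed-update check against the placeholder KB.
    $result.PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    # Exposed: SMBv1 server reachable and the fix not installed.
    $result.Exposed = ($result.Smb1Server -eq $true) -and (-not $result.PatchInstalled)
    [pscustomobject]$result
}

Test-Smb1Exposure | Format-List
```

Run it from an elevated session so the optional-feature query succeeds; a host reporting Exposed = True is a candidate for the patch or for disabling SMBv1 per Microsoft's guidance.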
As we mentioned in our Top Seven Recommendations For Your Security Program In 2017, it is crucial for organizations to develop a Digital Extortion Decision Tree. This includes planning your response to digital extortion attempts in advance. It also means incorporating a ransomware exercise in your IR tabletops moving forward. The worst time to discover that you are unprepared for the emergency is during the emergency. As we mentioned in our Ransomware Protection Best Practices Research, the need to bulletproof backup and disaster recovery capabilities is equally important, as ransomware continues to offer an easy path to monetizing malware.
For more information on preparing for, and recovering from, ransomware events like this please check out research from my Forrester colleagues Chris Sherman, Josh Zelonis, Heidi Shey, Joseph Blankenship, and Stephanie Balaouras.