Ransomware has become the fastest growing malware threat, targeting everyone from home users to healthcare systems to corporate networks. Tracking analysis shows that there has been an average of more than 4000 ransomware attacks every day since January 1, 2016.
On May 12, 2017, FortiGuard Labs began tracking a new ransomware threat that spread rapidly throughout the day. It is a highly malicious strain of self-replicating ransomware that has impacted organisations as far-flung as the Russian Interior Ministry, Chinese universities, Spanish telcos, and hospitals and clinics run by the British National Health Service. It is particularly notable for its polylingual ransom demands, which support more than 24 languages.
This ransomware is referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt, and Wana Decrypt0r. It is spread through an alleged US National Security Agency exploit called ETERNALBLUE that was leaked online last month by the hacker group known as The Shadow Brokers. ETERNALBLUE exploits a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) protocol. The victim's files are encrypted using the RSA-2048 and AES-1024 algorithms, and a private key (stored on remote servers controlled by cyber criminals) is required for decryption. To unlock their files, victims are required to pay a ransom in BitCoin currency (hence the name 'ransomware').
Microsoft released a critical patch for these vulnerabilities in March in the Microsoft Security Bulletin MS17-010. Fortinet solutions also successfully block this attack in the following ways:
FortiGate IPS plugs the exploit
FortiSandbox detects the malicious behaviour
Fortinet AV engine detects the malware along with variants
Fortinet Web filter identifies targeted sites and appropriately blocks or allows them
The FortiGate ISFW stops the spread of the malware
This malware exhibits worm-like behavior: it actively probes SMBv1 server port 445 on the local LAN, searching for the presence of the Backdoor.Double.Pulsar. If the malware senses that a system has the Backdoor.Double.Pulsar installed, it will try to download and execute the payload through that backdoor.
For this reason, Fortinet has recommended that organizations block port 445 from the internet, or further, use NGFW (Next-Gen Firewall) capabilities to block the SMB protocol itself from the internet.
On May 13, 2017, MalwareHunter accidentally discovered the kill-switch for this malware. It was a DNS check on a domain name that was unregistered at the time. Once registered, the malware perceived that the domain was alive and the infection was halted.
The malware downloads a TOR client and starts communicating with its C&C servers over the TOR protocol. It is recommended that you block outbound TOR traffic. On FortiGate devices, this can be done using the AppControl signatures.
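The three network behaviours described above (port 445 probing across the local LAN, port 445 exposed to the internet, and the DNS kill-switch check) each leave a trace in ordinary firewall and DNS logs. The script below is an added example written for this article, not Fortinet code or any FortiGate feature: it runs three checks over constructed sample log lines. The log formats, the fan-out threshold and the kill-switch domain name are all assumptions; the page does not give the real kill-switch domain, so a placeholder is used.

```python
"""Spot WannaCry-style network behaviour in firewall and DNS logs (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log, one connection per line (assumed format):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
FIREWALL_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.6 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.7 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 445 allow
2017-05-12T10:00:03 10.0.0.5 10.0.0.9 445 allow
2017-05-12T10:00:04 10.0.0.5 10.0.0.10 445 allow
2017-05-12T10:00:05 10.0.0.5 10.0.0.11 445 deny
2017-05-12T10:00:07 10.0.0.12 10.0.0.20 445 allow
2017-05-12T10:05:00 10.0.0.12 10.0.0.21 445 allow
2017-05-12T10:00:09 10.0.0.12 10.0.0.22 80 allow
2017-05-12T10:01:00 203.0.113.9 10.0.0.30 445 allow
2017-05-12T10:01:01 203.0.113.9 10.0.0.31 445 deny
"""

# Constructed sample DNS query log (assumed format):
# "<ISO timestamp> <client_ip> <queried_name>"
DNS_LOG = """\
2017-05-12T10:00:00 10.0.0.5 killswitch-domain.example
2017-05-12T10:00:30 10.0.0.44 www.example.com
"""

# Placeholder: the article does not name the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# RFC 1918 ranges, listed explicitly so the "internal" test is unambiguous.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_firewall(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def smb_fanout(events, threshold=5, window=timedelta(minutes=1)):
    """Sources that touch >= threshold distinct hosts on TCP/445 within `window`.

    This is the worm's LAN probe. Denied attempts are counted too: a blocked
    probe still tells you which host is scanning.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            # Distinct targets hit in the window that starts at this probe.
            seen = {dst for t, dst in probes[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def internet_smb(events):
    """Allowed TCP/445 connections from non-RFC1918 sources.

    Each hit is a gap in the recommended 'block port 445 from the internet' rule.
    """
    return [(src, dst) for _, src, dst, port, action in events
            if port == 445 and action == "allow" and not is_internal(src)]


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Clients that queried the kill-switch domain.

    The malware resolves this name before deciding whether to proceed, so a
    query for it is evidence that the malware ran on that client, regardless
    of whether the registered domain answered and halted the infection.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        if qname.rstrip(".").lower() == domain:
            hits.append(client)
    return hits


if __name__ == "__main__":
    events = parse_firewall(FIREWALL_LOG)
    print("SMB fan-out sources:", smb_fanout(events))
    print("Port 445 reachable from the internet:", internet_smb(events))
    print("Kill-switch lookups:", kill_switch_lookups(DNS_LOG))
```

With the sample data, 10.0.0.5 is flagged for reaching six hosts on port 445 in four seconds, 10.0.0.12 is not (two connections five minutes apart is ordinary file-share use), the allowed connection from 203.0.113.9 shows port 445 open to the internet, and 10.0.0.5 is also the only client that looked up the kill-switch name. In production the same three checks would be run over the firewall's and resolver's real logs, with the threshold tuned to the LAN's normal SMB activity.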
In November 2016, Botswana was listed among the global Top 10 for ransomware vulnerabilities. Botswana was one of 150 countries vulnerable to the WannaCry attack, and the government took the swift initiative of shutting down its internet services and systems for a week (starting May 23, 2017) because 8 services on its platform were vulnerable to attack.
This vulnerability will hopefully raise awareness of the need to update Botswana's cyber security legislation and policies in order to deal with bad-faith attacks on organizations' networks.