JPCERT-AT-2017-0020
JPCERT/CC
2017-05-14(Initial)
2017-05-17(Update)
<<< JPCERT/CC Alert 2017-05-14 >>>
Alert regarding ransomware "WannaCrypt"
https://www.jpcert.or.jp/english/at/2017/at170020.html
I. Overview
Since around May 12, 2017, there have been reports from around the globe
of damage caused by malware called "WannaCrypt". JPCERT/CC analyzed a
sample of the malware and found that, once a device is infected, files on
it are encrypted and a message in Japanese demanding payment in exchange
for decrypting the files is displayed.
As of May 14, 2017, JPCERT/CC has confirmed "WannaCrypt" infections
within Japan. Organizations are advised to prepare for further infection
attempts and for the damage to spread.
It has been confirmed that "WannaCrypt" exploits a vulnerability that
was addressed by the security update MS17-010. The vulnerability is
exploited in order to spread the infection across networks.
Microsoft Security Bulletin MS17-010 - Critical
Security Update for Microsoft Windows SMB Server (4013389)
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
In order to prevent infection by the malware, and its spread after an
infection, it is recommended to update anti-virus definitions, to
exercise caution when opening e-mail (in particular its contents and any
attachments), and to update the OS and all installed software to the
latest available versions.
** Update: May 17, 2017 Update ***************************************
The complete infection route of "WannaCrypt" is not yet confirmed.
However, as one example, JPCERT/CC has confirmed a case in which a
portable PC that connects to the Internet over a mobile data connection
(that is, outside the organization's network) was infected by
"WannaCrypt" without the user noticing.
JPCERT/CC analyzed the behavior of "WannaCrypt" and confirmed that
infected PCs scan Port 445/TCP, both towards external IP addresses and
towards PCs within the same network segment, in order to find devices
that still carry the vulnerability.
If an infected PC is connected to a network, the infection may spread to
other PCs and servers within the organization's network. Please take
countermeasures such as applying the security update MS17-010 to
prevent exploitation of the vulnerability. If the update cannot be
applied, please consider stopping unnecessary services (SMBv1 in
particular) or blocking unnecessary ports (445/TCP) at the host and
network boundary.
In addition, JPCERT/CC's Internet threat monitoring system "TSUBAME"
has observed an increase in the number of scan packets to Port 445/TCP
for Japan since April 23, 2017. However, the relation with "WannaCrypt"
remains uncertain.
Please continue to prepare for infection and damage expansion.
[image: Transition of the number of scan packets to Port445/TCP from April through May, 2017]
**********************************************************************
II. Solution
As of May 14, 2017, JPCERT/CC has yet to confirm any information
related to the infection route of "WannaCrypt". However, ransomware is
typically distributed via e-mail or through a malicious site to which a
victim is redirected when browsing the web. In order to reduce the
chances of infection and spread of the ransomware, it is recommended to
update the OS and any software to the latest available versions and to
update anti-virus definitions. Since e-mails may have been received
over the weekend, infections may spread starting on Monday as employees
open and read e-mails when businesses open. Before opening any e-mail
attachment, it is recommended to scan the file using anti-virus software
with up-to-date definitions.
In addition, "WannaCrypt" exploits a vulnerability (CVE-2017-0145, one of
the SMB vulnerabilities addressed by MS17-010) to spread the infection to
other PCs and servers on the network, so it is strongly recommended to
apply the update as soon as possible.
** Update: May 17, 2017 Update ***************************************
If it is difficult to apply the update immediately, it is strongly
recommended to stop unnecessary services (the SMBv1 server) or to block
the related port (445/TCP) until the update can be applied.
**********************************************************************
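The two update boxes above (in "I. Overview" and "II. Solution") describe three things an administrator has to do on a Windows host: confirm whether MS17-010 is applied, stop SMBv1 or block 445/TCP when patching must wait, and spot hosts that are fanning out to 445/TCP. The following PowerShell is an added example written for this page; it is not part of the JPCERT/CC alert or of any Microsoft tooling. It assumes Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection) and an elevated shell. Only KB4012598 is cited on this page; the other KB numbers in the list are taken from the MS17-010 bulletin and should be checked against the bulletin's table for the exact OS build before being relied on.

```powershell
# Added example (not from the JPCERT/CC alert). Run as administrator on
# Windows 8.1 / Server 2012 R2 or later. Verify KB numbers other than
# KB4012598 against the MS17-010 bulletin for your OS build.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Windows 8 (cited in the alert)
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Windows Server 2012
)

function Test-Ms17010Status {
    # Check 1: is one of the March 2017 KBs installed? Later cumulative updates
    # supersede these KBs, so "none found" is NOT proof the host is unpatched.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Check 2: report the SMB server driver version so it can be compared with
    # the fixed file versions listed in the bulletin's file information tables.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

    # Check 3: is the SMBv1 server, the protocol the exploit targets, still on?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Ms17010KbInstalled = @($installed)
        SrvSysVersion      = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not present' }
        Smb1ServerEnabled  = $smb1
    }
}

function Disable-Smb1AndBlock445 {
    param([switch]$BlockInbound445)
    # Mitigation for hosts that cannot be patched right away. Turning SMBv1 off
    # breaks SMB1-only clients (old NAS devices, printers); a reboot may be
    # required on some builds.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($BlockInbound445) {
        # Blocks all inbound file/print sharing to this host, not just SMBv1.
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445/TCP (MS17-010 mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any |
            Out-Null
    }
}

function Get-OutboundSmbFanout {
    # An infected host opens connections to 445/TCP on many external and
    # same-segment addresses. Group live outbound 445 connections by process;
    # a workstation process reaching dozens of distinct targets is a red flag.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'SynSent', 'Established' } |
        Group-Object OwningProcess |
        ForEach-Object {
            $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId       = [int]$_.Name
                ProcessName     = if ($p) { $p.ProcessName } else { 'unknown' }
                DistinctTargets = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
                Sample          = ($_.Group.RemoteAddress | Select-Object -First 5) -join ', '
            }
        } | Sort-Object DistinctTargets -Descending
}

# Typical use on a host you are triaging:
Test-Ms17010Status | Format-List
Get-OutboundSmbFanout | Format-Table -AutoSize
# Only when the update cannot be applied yet:
# Disable-Smb1AndBlock445 -BlockInbound445
```

The KB check alone is the weak part of this: once a later monthly rollup is installed, Get-HotFix no longer lists the March 2017 KB even though the fix is present, which is why the driver version is reported alongside it. On Windows 7 / Server 2008 R2, where the Smb* and NetTCPConnection cmdlets are unavailable, the SMBv1 state is the SMB1 value under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and outbound connections can be read from netstat -ano.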
JPCERT/CC
Microsoft Security Bulletin for March 2017 (including 9 critical patches)
https://www.jpcert.or.jp/english/at/2017/at170011.html
On May 13, 2017, Microsoft also released security updates addressing this
vulnerability for the following OSes whose support has ended: Windows XP,
Windows 8 and Windows Server 2003.
Microsoft Corporation
Microsoft Update Catalog (Japanese)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
System administrators and users should consider the following in order
to prevent ransomware infection and to be able to recover encrypted
files after an infection:
- Update the OS and any installed software to the latest versions.
- If a PC is infected with ransomware and its files are encrypted, the
files are difficult to decrypt. It is therefore recommended to take
backups on a regular schedule and to check that the backups can
actually be used for recovery.
- If infected with ransomware, it is possible that every file
accessible from the infected device has been encrypted. Backup data
should therefore be stored on devices that are disconnected both
physically and from the network, and backup storage should be
connected only for the duration of a backup or recovery.
** Update: May 17, 2017 Update ***************************************
In addition, please manage backup generations carefully: keep several
generations, and do not overwrite a clean backup with a backup taken
from a machine whose files have already been encrypted by ransomware.
**********************************************************************
III. References
US-CERT
Multiple Ransomware Infections Reported
https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported
US-CERT
Alert (TA17-132A) Indicators Associated With WannaCry Ransomware
https://www.us-cert.gov/ncas/alerts/TA17-132A
SANS Internet Storm Center
Massive wave of ransomware ongoing
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
Microsoft Corporation
Customer Guidance for WannaCrypt attacks
https://blogs.technet.microsoft.com/jpsecurity/2017/05/14/ransomware-wannacrypt-customer-guidance/
JPCERT/CC
Alert regarding ransomware infections
https://www.jpcert.or.jp/english/at/2015/at150015.html
JPCERT/CC
Microsoft Security Bulletin for March 2017 (including 9 critical patches)
https://www.jpcert.or.jp/english/at/2017/at170011.html
Information-technology Promotion Agency (IPA)
[Alert] Beware of attacks attempting to infect with ransomware (Japanese)
https://www.ipa.go.jp/security/topics/alert280413.html
Information-technology Promotion Agency (IPA)
Threats and countermeasures for ransomware (Japanese)
https://www.ipa.go.jp/files/000055582.pdf
JPCERT/CC
JPCERT/CC participates "No More Ransom" to Combat Ransomware as a Supporting Partner
https://www.jpcert.or.jp/english/pub/2017/20170405-nomorepj.html
Japan Cybercrime Control Center (JC3)
Countermeasures against ransomware (Japanese)
https://www.jc3.or.jp/info/nmransom.html
** Update: May 17, 2017 Update ***************************************
Information-technology Promotion Agency (IPA)
Countermeasures for Microsoft product vulnerability leveraged for globally-spreading ransomware (Japanese)
https://www.ipa.go.jp/security/ciadr/vul/20170514-ransomware.html
Microsoft Corporation
[WannaCrypt] How to check the application status of MS 17-010 (WSUS) (Japanese)
https://blogs.technet.microsoft.com/jpwsus/2017/05/15/wannacrypt-ms17-010-wsus/
FBI
Ransomware Prevention and Response for CISOs
https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
National Police Agency
Observation on the access which is considered as an attack exploiting the attack tool "Eternalblue" (Japanese)
https://www.npa.go.jp/cyberpolice/important/2017/201705151.html
**********************************************************************
JPCERT/CC supports the activities of the global project "No More
Ransom", which aims to reduce the damage caused by ransomware. If you
have any information regarding this alert, please contact JPCERT/CC.
________
Revision History
2017-05-14 First edition
2017-05-17 Updated "I. Overview", "II. Solution" and "III. References"
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/