US-CERT- TA17-132A: Indicators Associated With WannaCry Ransomware

[Netwörkheäd]

TA17-132A: Indicators Associated With WannaCry Ransomware

[html]Original release date: May 12, 2017 | Last revised: May 19, 2017

         

Systems Affected

         

Microsoft Windows operating systems

         
         

Overview

         

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in over 150 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

         
         

Description

         

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598">Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017.