Recently published blog posts:
Go to the blog archive and browse all previous blog posts we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date and get notified about new whitepapers.
Report an incident: incidents[at]govcert{dot}chGeneral inquiries: outreach[at]govcert{dot}ch
The following email address can be considered as point of contact for FIRST members and other CERTs/CSIRTs:incidents[at]govcert{dot}ch
GovCERT.ch PGP-Key (preferred) Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support) GovCERT.ch SMIME
Published on May 15, 2017 08:30 UTC by GovCERT.ch (permalink) Last updated on May 15, 2017 08:46 UTC
On Friday, May 12th 2017, a ransomware called “WannaCry” hit the cyber space. Among the victims are hospitals in UK, the national telecom provider in Spain and U.S delivery service FedEx. But WannaCry did not only hit the internet, the ransomware was also very present in newspapers worldwide. It also kept us and our partners from abroad very busy during the last weekend, analyzing the malware, reevaluating the current situation in Switzerland and world-wide, communicating with National Critical Infrastructure, and talking to the press.
While we analyzed the threat as well, there are already many good papers on WannaCry. For this reason we do for once not focus on the exact technical implementation, but try to give a comprehensive overview of this threat and the impact WannaCry has, with a focus on the situation in Switzerland.
WannaCry (also known as WannaCrypt or Wana Decrypt0r) is a so-called ransomware that encrypts files on the victims computer and demands a certain amount of money in order to release (decrypt) the encrypted files again (blackmailing). But Ransomware is not a new threat: Almost a year ago, MELANI - together with other governmental organizations, partners from the industry, police and consumer protection organizations - held a national Ransomware Awareness Day.
While Ransomware is usually being spread by miscreants through Drive-By exploits (compromised websites that try to infect the visitor’s machine with malware) or spam emails, WannaCry is being spread by a worm, exploiting a known remote code execution vulnerability in the Windows operating system. By taking advantage of this worm functionality, WannaCry is able to propagate and spread itself, infecting other computers connected to a network automatically without the attacker’s or victim’s active interaction.
WannaCry comes with a separate software component that is able to spread itself through a known remote code execution (RCE) vulnerability in the SMB protocol called “EternalBlue”. RCE means that it is possible to exploit the vulnerability from remote without having access to the victim’s machine. By this, WannaCry was able to infect at least 200’000 computers world-wide (and still counting). Whether the initial attack vector has been an email or not is still discussed intensely.
The SMB protocol is used by computers running the Windows operating system to communicate with each other. The EternalBlue exploit was released by a hacking group called “Shadow Brokers” in April 2017, who claims that the exploit has been developed by U.S. National Security Agency (NSA).
The vulnerability is present in all versions of Windows (XP, Vista, Windows 7, Windows 8, Windows 10). In March 2017, Microsoft released a security update (MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) that fixed the EternalBlue vulnerability in SMB.
Although Microsoft released a patch for the said vulnerability two months ago, there are still unpatched systems out there. While your PC at home has - hopefully - installed the patch automatically, the situation in corporate networks is a bit different. Corporate networks are complex and systems rely on each other. Sometimes, it is simply not possible to patch a system as this would come with the need of rebooting the system, and some systems simply can’t be rebooted. On the other hand it is said that many organizations that have been hit hard still used Windows XP. Microsoft put Windows XP End-of-Life a long time, and organizations that were still being using Windows XP had been told many times to update to a newer version of the Windows Operating System..
Even though WannaCry has been hitting some organizations very hard and showed once more the vulnerability of a modern society, the attention it got is too high compared to the actual potential and impact. It used a vulnerability that has been known for several months. The attackers made mistakes (“kill switch”) and were seemingly unable to cope with the countermeasures of the security community. An infection count of 200’000 is not so high - a traditional malspam run may have a much larger impact and so have had other worms (e.g. "Code Red") in the past. We do not want to minimize this threat, especially as hospitals have been among the victims. However it is important to keep the relations and not forget that the Internet is full of vulnerable and infected devices. Criminals do their misdeeds every day and the struggle for a safe and secure Internet must be fought every day. Every participant has its own responsibility by keeping the systems up-to-date.
Starting Saturday, May 13th 2017, we are notifying Internet Services Providers (ISPs) in Switzerland about WannaCry infections. Should you receive such a notification from your ISP, we strongly recommend you to backup your files and do a full system reinstall and patch the system before connecting it to the network again. Please make also sure to keep your backup devices (harddisks, NAS, …) offline after the backup has made, because WannaCry can also attack your backup otherwise.
So far, we are aware of 183 potential victims in Switzerland (State on Sunday Evening). Those have been either notified by us directly or the ISP.
However, the potential impact of WannaCry in Switzerland is much bigger: Every day, we record more than 5’000 systems in Switzerland that are directly connected to the internet over the SMB protocol and that are potentially vulnerable for such threats.
The easiest way to protect yourself from getting a victim of WannaCry is to install the latest windows patches. In general, we strongly recommend you to always keep your system up to date, including 3rd party software (such as Adobe Flash, Oracle Java, Firefox, etc). For end-user systems or KMUs with little IT know-how, we recommend installing patches in an automated way. For larger organizations, we recommend defining a patch process that is able to deploy patches fast. It makes sense to have a normal patch cycle with more quality assurance and to have an emergency patch cycle that can be triggered in case of emergency. The latter should allow an organization to distribute patches within a few hours.
Back to top
