The ACSC is aware of a large-scale ransomware campaign impacting many organisations globally, including the UK's National Health Service. The campaign has various names including 'WannaCry', 'WanaCryt0r', 'WanaCrypt', 'WanaDecryptor', 'WanaCry' or 'Wana'.
- The ransomware leverages publicly-known vulnerabilities in Microsoft Windows, patched by Microsoft in March this year (Microsoft Security Bulletin MS17-010).
- Microsoft has released updates for Windows XP, Windows 8 and Windows Server 2003. Downloads are linked from Microsoft's article: Customer Guidance for WannaCrypt Attacks.
- Australian organisations are strongly recommended to apply these patches as soon as possible to prevent infection by this ransomware campaign. Users should also ensure that they have backed up their important data to an offline location.
- Organisations that apply the ASD Essential Eight mitigation strategies are not affected by this ransomware campaign.
- If Australian organisations are infected, they should seek assistance in the first instance from the Australian Cyber Security Centre via 1300 CYBER1. We encourage reporting cyber security incidents to enable the ACSC to alert and assist a broader range of organisations, and understand the scope and nature of cyber intrusions.
The 2016 ACSC Threat Report highlights the ongoing threat ransomware poses to Australian government, industry and individuals. Cybercriminals continue to use ransomware campaigns to extort money from victims by encrypting organisations’ or individuals’ data, or otherwise rendering their systems unusable. The ransomware offers to restore access to the victim’s data on payment of a ransom, usually in bitcoin. Once paid, cybercriminals often restore the victim’s data and systems; however, sometimes payment of the ransom does not result in successful system recovery.
This ransomware campaign has targeted multiple organisations internationally, including the UK National Health Service and Spanish telecommunications provider Telefónica. While the ACSC is not yet aware of any Australian victims, many Australian networks will be vulnerable to infection and the ACSC assesses this campaign is highly likely to impact Australian government, industry and individuals.
Malware in this campaign leverages vulnerabilities in Microsoft Windows to spread infection to other hosts within an organisation’s corporate network. The cybercriminals are demanding an individual ransom per infection, causing significant impact on affected organisations. Microsoft released patches to mitigate these vulnerabilities in March 2017. Organisations that have not applied these patches may be vulnerable to this ransomware campaign.
Mitigation advice to avoid being affected
Organisations can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malicious software in general.
Ransomware is a well known and understood problem and there are effective mitigation strategies and advice available. Organisations can protect themselves from threats such as ransomware by following the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents. Strategies include but are not limited to:
- patching operating systems and applications to the latest versions
- not exposing protocols such as SMB to untrusted networks including the Internet
- implementing application whitelisting to prevent execution of untrusted code.
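One way to check the second strategy above on your own perimeter is to audit inbound firewall rules for SMB ports opened to untrusted sources. This is an added example, not ACSC or Microsoft code. The CSV rule format, the sample rules and the choice of RFC 1918 ranges as the trusted networks are assumptions, and rule precedence is not modelled.

```python
import csv
import io
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
# Assumption: only these internal ranges count as trusted for this audit.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (hypothetical format): name,action,protocol,ports,source
SAMPLE_RULES = """\
name,action,protocol,ports,source
file-share-lan,allow,tcp,445,10.20.0.0/16
legacy-any,allow,tcp,135-445,0.0.0.0/0
web,allow,tcp,443,0.0.0.0/0
partner-vpn,allow,tcp,139;445,203.0.113.0/24
block-smb,deny,tcp,445,0.0.0.0/0
"""

def ports_in(spec):
    """Expand '445', '135-445' or '139;445' into a set of port numbers."""
    ports = set()
    for part in spec.split(";"):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def is_trusted(source):
    """True only if the whole source network sits inside a trusted range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)

def smb_exposures(rules_csv):
    """Return (rule name, exposed SMB ports, source) for risky allow rules."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["action"].lower() != "allow" or rule["protocol"].lower() != "tcp":
            continue
        exposed = sorted(ports_in(rule["ports"]) & SMB_PORTS)
        if exposed and not is_trusted(rule["source"]):
            findings.append((rule["name"], exposed, rule["source"]))
    return findings

if __name__ == "__main__":
    for name, ports, source in smb_exposures(SAMPLE_RULES):
        print(f"{name}: TCP {ports} reachable from {source}")
```

Wide port ranges such as the constructed `legacy-any` rule are flagged even though SMB is not named in them, which is how such exposure is usually missed in manual review.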
In particular, this ransomware campaign leverages publicly-known vulnerabilities in Microsoft Windows, addressed in March by Microsoft in Microsoft Security Bulletin MS17-010.
Microsoft have now released advice regarding this ransomware threat and have back-ported the earlier security update to address the vulnerability for some out-of-support versions of Windows. Australian organisations are encouraged to apply Microsoft-provided patches that fix these vulnerabilities. The ACSC recommends these new patches be applied to all applicable Windows hosts as soon as possible.
While Microsoft's release of back-ported patches is a commendable proactive action, the ACSC considers organisations running Windows XP, Server 2003 and other unsupported operating systems to be exposed to extreme risk.
More information and advice is available on Microsoft’s website:
- Patches, including for Windows XP, Windows 8 and Windows Server 2003 - Microsoft Update Center
- Customer Guidance for WannaCrypt Attacks - Microsoft Security Response Center
- WannaCrypt Ransomware Worm Targets Out-of-Date Systems - Microsoft Malware Protection Center
Organisations and individuals can also limit the impact of ransomware by regularly backing up important data.
Mitigation advice for those affected
If affected, organisations should contact the Australian Cyber Security Centre on 1300 CYBER1 (1300 292 371) or visit the ACSC website to report the incident.
1300 CYBER1 should not be used for general enquiries or media interest.
All media enquiries should be directed to email@example.com.