Ransomware - WannaCry

Number: AL17-006
Date: 15 May 2017

Purpose

The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for a large scale ransomware campaign.

Assessment

CCIRC is aware of a large scale ransomware campaign known as “WCry”, “Wana”, “WCrypt”, “wannacrypt”, “WanaDecryptor” or “WanaCry” that has affected numerous organizations worldwide.  CCIRC continues to work with domestic and international partners to assess the impact to Canada and to provide mitigation guidance and advice.

Ransomware can have an overwhelming impact on individuals, businesses, critical infrastructure and government. Not only can it lead to the loss of access to sensitive or proprietary information, but the disruption to regular operations, the financial loss and the potential harm to an organization’s reputation can be devastating.

The WannaCry ransomware campaign appears to be using the vulnerability addressed by Microsoft Security Bulletin MS17-010 to propagate through the network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network if they are unpatched.
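The propagation behaviour described above, one infected host reaching out over SMB (TCP/445) to many peers on the same network, leaves a recognisable fan-out pattern in connection logs. The following is an added detection example written for this alert, not CCIRC or US-CERT tooling; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag worm-like SMB fan-out in connection logs (defender-side check).

A single internal source opening SMB (TCP/445) connections to many distinct
hosts in a short window is the network signature of lateral propagation,
whichever exploit is used. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src_ip dst_ip dst_port" (assumed format).
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.17 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.18 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.19 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:05 10.0.0.9 10.0.0.2 445
2017-05-12T10:00:05 10.0.0.9 10.0.0.2 445
2017-05-12T10:00:06 10.0.0.9 10.0.0.3 443
2017-05-12T10:20:00 10.0.0.5 10.0.0.30 445
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout(log, min_peers=5, window=timedelta(seconds=60)):
    """Return {src: peer_count} for every source that contacted at least
    min_peers distinct hosts on TCP/445 inside some sliding time window."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port = parse(line)
        if port == 445:                      # only SMB connections matter here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations reached within `window` of this event
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best >= min_peers:
            flagged[src] = best
    return flagged
```

In the constructed sample, 10.0.0.5 reaches six distinct hosts on port 445 within four seconds and is flagged, while 10.0.0.9 (one SMB peer, repeated) is not.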

CCIRC strongly discourages paying the ransom as it does not guarantee that your data will be decrypted. In addition, decrypting files does not mean the malware infection itself has been removed.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider its implementation in the context of their network environment. Furthermore, indicators of compromise, including a YARA signature, and analysis are available from US-CERT (see References).

Advice specific to propagation via SMBv1:

General advice to mitigate common email infection vectors:

References:
