ICS-CERT: Industrial Control Systems Cyber Emergency Response Team, U.S. Department of Homeland Security

Alert (ICS-ALERT-17-135-01D)

Indicators Associated With WannaCry Ransomware (Update D)

Original release date: May 15, 2017 | Last revised: May 19, 2017

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



SUMMARY

This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01C Indicators Associated With WannaCry Ransomware that was published May 18, 2017, on the NCCIC/ICS-CERT web site.

NCCIC/ICS-CERT is referencing US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware to enhance the awareness of critical infrastructure asset owners/operators and to identify affected product vendors that have contacted ICS-CERT for help disseminating customer notifications/recommendations to mitigate the risk associated with the “WannaCry” ransomware.

The following product vendors have reported that they support products that use Microsoft Windows and have proactively issued customer notifications with recommendations for users (ICS-CERT will update the list of vendors that have released customer notifications as additional information becomes available):

  • Rockwell Automation:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1047348

  • Becton, Dickinson and Company (BD):

http://www.bd.com/aboutbd/productsecurity/wannacry-ransomware.aspx

(Updated product information)

  • Schneider Electric:

http://www.schneider-electric.com/en/download/document/SEVD-2017-135-01/

  • ABB:

http://search.abb.com/library/Download.aspx?DocumentID=9AKK106930A9737&Action=Launch

  • Siemens:

--------- Begin Update D Part 1 of 2 --------

https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-774661.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-740012.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-709509.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589.pdf

--------- End Update D Part 1 of 2 ----------

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-354910.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-832636.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-286693.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-408571.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-492736.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-966341.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-161640.pdf

  • GE – General Electric:

https://digitalsupport.ge.com/communities/en_US/Article/GE-Security-Bulletin-Regarding-WannaCry

  • Philips:

http://www.usa.philips.com/healthcare/about/customer-support/product-security

  • Smiths Medical:

https://www.smiths-medical.com/company-information/news-and-events/news/2017/may/17/wannacry-malware-infection-and-outbreak-statement

  • Johnson & Johnson:

http://www.productsecurity.jnj.com/

  • Medtronic:

http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/wannacry-publicstatement-5-17-17.pdf

--------- Begin Update D Part 2 of 2 --------

  • Tridium:

https://www.tridium.com/~/media/tridium/technical bulletins/2017/ransomware wannacry cyberattack update.ashx

  • Emerson Automation Solutions:

http://www.emerson.com/documents/automation/584888.pdf

--------- End Update D Part 2 of 2 ----------

In an effort to support critical infrastructure asset owners/operators, ICS-CERT has published the "What is WannaCry/WanaCrypt0r?" Fact Sheet.

To assist healthcare providers with mitigation efforts, ICS-CERT offers the following information regarding the patch management of medical devices, which comes directly from the FDA Fact Sheet "FDA’s Role in Medical Device Cybersecurity":

  • Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
  • The FDA recognizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.

The FDA has provided recommendations to protect healthcare systems in its "Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication." The FDA recommends that healthcare providers consider taking the following steps:

  • Restricting unauthorized access to the network and networked medical devices.
  • Making certain appropriate antivirus software and firewalls are up-to-date.
  • Monitoring network activity for unauthorized use.
  • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Developing and evaluating strategies to maintain critical functionality during adverse conditions.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including "Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies."

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
