Indicators Associated With WannaCry Ransomware (Update I)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site.
ICS-CERT is referencing US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware to enhance the awareness of critical infrastructure asset owners/operators and to identify affected product vendors that have contacted ICS-CERT for help disseminating customer notifications/recommendations to mitigate the risk associated with the “WannaCry” ransomware.
In addition to the WannaCry ransomware, there is reporting of other malware exploiting the vulnerabilities in the Windows SMB server, identified in Microsoft Security Bulletin MS17-010. Some of these additional samples of malware identified in the reporting are UIWIX, Adylkuzz, and EternalRocks.
The ransomware UIWIX is reported to be executed in memory and terminates itself if it is able to determine that it is running in a virtual machine or sandbox, making it more challenging to detect and analyze. The Adylkuzz Trojan is malware that consumes resources of infected systems to create a botnet for cryptocurrency mining. EternalRocks is a network worm that spreads through seven exploits and does not have a malicious payload. There is also reporting that the EternalRocks campaign may have ended; however, information about EternalRocks is still useful, as the exploits utilized in this campaign could potentially be used in future campaigns.
The impacts of these additional malware have not been fully assessed; however, since they appear to be exploiting vulnerabilities in the Windows SMB server, the mitigation guidance remains the same. These additional threats further emphasize the need for the implementation of effective prevention and protection mechanisms, such as those provided in the US-CERT alert.
The following product vendors have reported that they support products that use Microsoft Windows and have proactively issued customer notifications with recommendations for users (ICS-CERT will update the list of vendors that have released customer notifications as additional information becomes available):
- Beckman Coulter (select region and country to view):
- Becton, Dickinson and Company (BD):
- Emerson Automation Solutions:
- GE – General Electric:
- Johnson Controls:
- Johnson & Johnson:
--------- Begin Update I Part 1 of 1 --------
--------- End Update I Part 1 of 1 ----------
- Rockwell Automation:
- Schneider Electric:
- Smiths Medical:
- Spacelabs Healthcare:
- Toshiba Corporation:
- Toshiba Medical Systems Corporation:
In an effort to support critical infrastructure asset owners/operators, ICS-CERT has published a What is WannaCry/WanaCrypt0r? Fact Sheet.
To assist healthcare providers with mitigation efforts, ICS-CERT offers the following information regarding the patch management of medical devices, which comes directly from the FDA Fact Sheet - FDA’s Role in Medical Device Cybersecurity:
- Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
- The FDA recognizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.
The FDA has provided recommendations to protect healthcare systems in their Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication. The FDA recommends that healthcare providers consider taking the following steps:
- Restricting unauthorized access to the network and networked medical devices.
- Making certain appropriate antivirus software and firewalls are up-to-date.
- Monitoring network activity for unauthorized use.
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Developing and evaluating strategies to maintain critical functionality during adverse conditions.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT also provides a recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.