The ‘Could Have Been Worse’ WannaCry Has Arrived

Reports are coming in from around the globe about a new ransomware that is spreading quickly. Maersk, and Ukraine’s National Bank have both warned of cyber attacks.  But it appears this new dog is using some old tricks. From what we know right now, this attack appears to be leveraging the same EternalBlue exploits that WannaCry leveraged to obtain its ability to spread within organizations and impact more endpoints with encrypted files and demands of Bitcoin ransom. Initial vector hasn’t been confirmed yet, but it appears that it enters organizations via phishing emails. So as always, be very careful when opening emails and attachments from sources you don’t recognize.

We currently are  aware that this ransomware at least is using the same attack vector that WannaCry leveraged and perhaps others also. For EternalBlue Microsoft did provide a patch back in March 2017 with MS17-010.  Windows Security updates are now cumulative, so as always, we recommend installing the latest Windows Security Patches to protect your device and your data.  Microsoft has even taken the extreme measure and released a security patch for Windows XP and Windows Server 2003 to close this vulnerability.

Currently unconfirmed information points indicate that this attack also spreads via WMIC and PSEXEC, so fully patched systems may also be affected via these vectors.

There are a lot of rumors and half-information circulating right now.  But as details get confirmed, we’ll keep this page up-to date.  Keep checking back for the latest information.

Update #1  — Tuesday, June 27, 3:35pm CT —

It appears that initial vector for the ransomware is via a software update of a Ukrainian tax software, which spread Petya/NotPetya laterally within companies that are running the affected software and had run the auto-update of the software.

Given the current details, it appears that other than the EternalBlue exploit, which is just one of a few ways for the malware to propagate, there are no other vulnerabilities involved. Organizations should focus on ensuring that MS17-010 is rolled out, and that internal security policies adhere to security best practices.