Full Report
The “WannaCry” outbreak was reported on May 12, 2017 by many independent sources all over the world. Based on KL ICS CERT live reports, we decided to warn industrial organizations that they might indirectly become victims of this widespread attack.
Analysis Summary
# Incident Report: WannaCry Global Ransomware Outbreak (May 2017)
## Executive Summary
On May 12, 2017, a massive, worldwide ransomware outbreak known as WannaCry was reported. The attack leveraged the "EternalBlue" exploit targeting a critical vulnerability in the Windows SMBv2 protocol, leading to widespread infection across commercial and public sectors globally. Kaspersky ICS CERT issued an alert warning that industrial organizations, while not the primary target, were at risk of indirect compromise due to the attack's rapid propagation.
## Incident Details
- Discovery Date: May 12, 2017
- Incident Date: Onset around May 12, 2017 (Exploit details known since April 14, 2017)
- Affected Organization: Global (Many independent sources reported impact across the world)
- Sector: Global (Focus of this alert: Potential indirect impact on Industrial Control Systems/Organizations)
- Geography: Worldwide
## Timeline of Events
### Initial Access
- Date/Time: Globally reported starting May 12, 2017.
- Vector: Exploitation of the Microsoft SMBv2 software vulnerability (MS17-010).
- Details: The exploit allowed for remote code execution on vulnerable systems. The exploit code was publicly available since April 14, 2017.
### Lateral Movement
- Vector: Not explicitly detailed in the alert; the SMBv2 exploit, which provides remote code execution on vulnerable hosts, is the implied mechanism by which the ransomware payload spread across networks.
### Data Exfiltration/Impact
- Impact: Ransomware encryption, demanding payment (classic ransomware impact). The alert specifically warns industrial organizations about the risk of indirect operational disruption.
### Detection & Response
- Detection: Independently reported by sources worldwide starting the morning of May 12, 2017. Detected by Kaspersky solutions using Intrusion Detection mechanisms.
- Response Actions: Kaspersky ICS CERT issued an advisory to industrial organizations detailing immediate mitigation steps, including patching and hardening.
## Attack Methodology
*Note: The source material focuses heavily on the exploit used for initial infection, not the TTPs of the full Kill Chain post-infection.*
- Initial Access: Remote Code Execution via SMBv2 vulnerability (MS17-010 / EternalBlue).
- Persistence: (Not detailed in source)
- Privilege Escalation: (Implied necessity for ransomware deployment, but not detailed)
- Defense Evasion: (Not detailed in source)
- Credential Access: (Not detailed in source)
- Discovery: (Not detailed in source)
- Lateral Movement: Exploitation of vulnerable external/internal systems via the SMB vulnerability.
- Collection: (Not detailed in source)
- Exfiltration: (Not detailed in source—typical ransomware encrypts rather than exfiltrates)
- Impact: Data encryption via ransomware payload.
## Impact Assessment
- Financial: (Not detailed in source)
- Data Breach: Data encrypted by ransomware.
- Operational: High risk of operational disruption, especially for organizations using Windows systems that had not applied patches, including potential indirect impact on ICS environments.
- Reputational: Global incident generating high media attention.
## Indicators of Compromise
- File Indicators (Sample Hashes):
- Behavioral Indicators (Detection Names):
- Trojan-Ransom.Win32.Gen.djd
- Trojan-Ransom.Win32.Scatter.tr
- Trojan-Ransom.Win32.Wanna.b, c, d, f
- Trojan-Ransom.Win32.Zapchast.i
- PDM:Trojan.Win32.Generic
- Network Indicators: (Not provided in defanged format)
## Response Actions
The response advice issued by KL ICS CERT (targeted at industrial organizations):
- Containment: Immediately install the official Microsoft patch (MS17-010) to close the affected SMB Server vulnerability.
- Eradication: Download and install the latest antivirus product and signature updates. Enable advanced features like Kaspersky System Watcher, Application Startup Control, or Anti Cryptor if using Kaspersky products.
- Recovery: Scan all systems with antivirus software. In case of detection, force a reboot of affected systems. Ensure sensitive data backups are available.
## Lessons Learned
- Patch Management is Critical: The attack leveraged a flaw for which a patch (MS17-010) had been available since March 14, 2017, highlighting the vulnerability of unpatched systems, even those outside the primary enterprise network (like those critical to ICS).
- Supply Chain/Indirect Risk: Critical infrastructure and industrial organizations must monitor widespread attacks, even if the malware is not specifically designed to target them, due to general vulnerability exposure.
- Defense-in-Depth: Relying on endpoint protection alone is insufficient; network-layer detection mechanisms (Intrusion Detection) are vital for stopping lateral spread and initial compromise attempts.
## Recommendations
- Immediately apply the Microsoft patch MS17-010 across all enterprise and potentially connected systems, especially those running older Windows OS versions.
- Implement comprehensive anti-malware solutions with active behavioral monitoring and advanced protection features (e.g., Anti-Ransomware modules).
- Verify and regularly test offline, sensitive data backup solutions to ensure rapid recovery from encryption events.
- Strengthen network segmentation to prevent widespread internal lateral movement, even if an initial foothold is gained.
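One way to act on the network-layer detection and lateral-movement points above, as an added example that is not part of the original alert: a small Python detector that flags a host opening TCP/445 connections to many distinct peers within a short window, run over constructed sample connection log lines. The log format, the threshold and window defaults, and the allowlist parameter are assumptions for illustration.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, not code
from the KL ICS CERT alert). WannaCry spread by exploiting MS17-010 over
SMB (TCP/445), so one host opening 445 connections to many distinct
internal peers in a short window is the network-layer signal that firewall
logs or an IDS can surface before encryption starts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (format assumed):
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_state>
SAMPLE_LOG = """\
2017-05-12T09:01:02 10.10.5.17 -> 10.10.5.20:445 SYN
2017-05-12T09:01:03 10.10.5.17 -> 10.10.5.21:445 SYN
2017-05-12T09:01:03 10.10.5.17 -> 10.10.5.22:445 SYN
2017-05-12T09:01:04 10.10.5.17 -> 10.10.5.23:445 SYN
2017-05-12T09:01:05 10.10.5.17 -> 10.10.5.24:445 SYN
2017-05-12T09:02:00 10.10.5.30 -> 10.10.5.2:445 SYN
2017-05-12T09:05:00 10.10.5.30 -> 10.10.5.2:445 SYN
2017-05-12T09:06:00 10.10.5.40 -> 10.10.5.50:80 SYN
"""

def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, state)."""
    ts, src, _arrow, dst_port, state = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), state

def find_smb_fanout(log_text, threshold=5, window=timedelta(minutes=2),
                    allowlist=frozenset()):
    """Return {src: [distinct dsts]} for sources reaching at least `threshold`
    distinct peers on TCP/445 inside any `window`-long span. `allowlist` holds
    sources expected to touch many SMB peers (backup, patch or vulnerability
    scanners) so they are not flagged; tune both per network."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            if port == 445 and src not in allowlist:
                by_src[src].append((ts, dst))
    alerts = {}
    for src, events in sorted(by_src.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct peers contacted within `window` of this event.
            peers = {d for t, d in events[i:] if t - start <= window}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts
```

A host that legitimately reaches many SMB peers (a backup or patch server) belongs in `allowlist`; everything else that trips the threshold is a candidate for isolation and an MS17-010 patch check.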