[AllUsers-ISR] ATTENTION: WannaCry Ransomware

Francisco Maia famaia at deec.uc.pt
Sat May 13 18:31:27 WEST 2017


Good afternoon,

Following yesterday's cyber attacks, we recommend reading the e-mail
below, from which I extract, very concretely for end users, the
following recommendations:

1 – Examine carefully the e-mails you receive. Be very careful with messages
from unknown origins. When in doubt, contact the supposed sender directly
to confirm that they actually sent the message.

2 – Avoid clicking on unverified or strangely formatted links, since these
can lead to the download of a ransomware virus.

3 – Back up your important files regularly. Although prevention is always
the best remedy, having a backup of your most important files reduces the
potential damage of a ransomware attack. While being locked out of your own
system is always a bad thing, it will be less bad if you can recover your
important files. Ideally, follow the "3-2-1" backup rule: three copies of
your data on two different systems, with one of those copies in a separate
location.

4 – Update your software. Updating to the latest version can provide an
additional layer of protection against online threats, since many types of
ransomware are triggered by exploiting vulnerabilities in out-of-date
versions of software.


Have a good weekend,
Francisco Maia

---------- Forwarded message ---------
From: US-CERT <US-CERT at ncas.us-cert.gov>
Date: Sat, May 13, 2017 at 4:22 PM
Subject: [PossibleSpam] TA17-132A: Indicators Associated With WannaCry
Ransomware
To: <admin at isr.uc.pt>



National Cyber Awareness System:


TA17-132A: Indicators Associated With WannaCry Ransomware
<https://www.us-cert.gov/ncas/alerts/TA17-132A>
05/12/2017 09:36 PM EDT

Original release date: May 12, 2017 | Last revised: May 13, 2017

Systems Affected

Microsoft Windows operating systems

Overview

According to numerous open-source reports, a widespread ransomware campaign
is affecting various organizations with reports of tens of thousands of
infections in as many as 74 countries, including the United States, United
Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in
as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or
Wanna Decryptor, was discovered the morning of May 12, 2017, by an
independent security researcher and has spread rapidly over several hours,
with initial reports beginning around 4:00 AM EDT, May 12, 2017.
Open-source reporting indicates a requested ransom of .1781 bitcoins,
roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland
Security (DHS) National Cybersecurity and Communications Integration Center
(NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known
cyber threats. DHS and the FBI continue to pursue related information of
threats to federal, state, and local government systems and as such,
further releases of technical information may be forthcoming.

Description

Initial reports indicate the hacker or hacking group behind the WannaCry
campaign is gaining access to enterprise servers either through Remote
Desktop Protocol (RDP) compromise or through the exploitation of a critical
Windows SMB vulnerability. Microsoft released a security update for the
MS17-010 <http://technet.microsoft.com/en-us/library/security/ms17-010.aspx>
vulnerability on March 14, 2017. According to open sources, one possible
infection vector is via phishing emails.

Technical Details *(...)*

*Initial Analysis*

The WannaCry ransomware received and analyzed by US-CERT is a loader that
contains an AES-encrypted DLL. During runtime, the loader writes a file to
disk named “t.wry”. The malware then uses an embedded 128-bit key to
decrypt this file. This DLL, which is then loaded into the parent process,
is the actual Wanna Cry Ransomware responsible for encrypting the user’s
files. Using this cryptographic loading method, the WannaCry DLL is never
directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s
system and encrypts the user’s files with 128-bit AES. A random key is
generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the
victim system has access to. This access permits the malware to spread
itself laterally on a compromised network. However, the malware never
attempts to attain a password from the victim’s account in order to access
the IPC$ share.

This malware is designed to spread laterally on a network by gaining
unauthorized access to the IPC$ share on network resources on the network
on which it is operating.

Impact

Ransomware not only targets home users; businesses can also become infected
with ransomware, leading to negative consequences, including

   - temporary or permanent loss of sensitive or proprietary information,
   - disruption to regular operations,
   - financial losses incurred to restore systems and files, and
   - potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released;
it only guarantees that the malicious actors receive the victim’s money,
and in some cases, their banking information. In addition, decrypting files
does not mean the malware infection itself has been removed.

Solution

*Recommended Steps for Prevention *

   - Apply the Microsoft patch for the MS17-010 SMB vulnerability dated
   March 14, 2017.
   - Enable strong spam filters to prevent phishing e-mails from reaching
   the end users and authenticate in-bound e-mail using technologies like
   Sender Policy Framework (SPF), Domain Message Authentication Reporting and
   Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent
   e-mail spoofing.
   - Scan all incoming and outgoing e-mails to detect threats and filter
   executable files from reaching the end users.
   - Ensure anti-virus and anti-malware solutions are set to automatically
   conduct regular scans.
   - Manage the use of privileged accounts. Implement the principle of
   least privilege. No users should be assigned administrative access unless
   absolutely needed. Those with a need for administrator accounts should only
   use them when necessary.
   - Configure access controls including file, directory, and network share
   permissions with least privilege in mind. If a user only needs to read
   specific files, they should not have write access to those files,
   directories, or shares.
   - Disable macro scripts from Microsoft Office files transmitted via
   e-mail. Consider using Office Viewer software to open Microsoft Office
   files transmitted via e-mail instead of full Office suite applications.
   - Develop, institute and practice employee education programs for
   identifying scams, malicious links, and attempted social engineering.
   - Have regular penetration tests run against the network. No less than
   once a year. Ideally, as often as possible/practical.
   - Test your backups to ensure they work correctly upon use.

*Recommended Steps for Remediation*

   - Contact law enforcement. We strongly encourage you to contact a local
   FBI field office upon discovery to report an intrusion and request
   assistance. Maintain and provide relevant logs.
   - Implement your security incident response and business continuity
   plan. Ideally, organizations should ensure they have appropriate backups so
   their response is simply to restore the data from a known clean backup.

*Defending Against Ransomware Generally*

Precautionary measures to mitigate ransomware threats include:

   - Ensure anti-virus software is up-to-date.
   - Implement a data back-up and recovery plan to maintain copies of
   sensitive or proprietary data in a separate and secure location. Backup
   copies of sensitive data should not be readily accessible from local
   networks.
   - Scrutinize links contained in e-mails, and do not open attachments
   included in unsolicited e-mails.
   - Only download software – especially free software – from sites you
   know and trust.
   - Enable automated patches for your operating system and Web browser.

*Report Notice*

DHS and FBI encourage recipients who identify the use of tool(s) or
techniques discussed in this document to report information to DHS or law
enforcement immediately. We encourage you to contact DHS’s National
Cybersecurity and Communications Integration Center (NCCIC)
(NCCICcustomerservice at hq.dhs.gov or 888-282-0870), or the FBI through a
local field office or the FBI’s Cyber Division (CyWatch at ic.fbi.gov or
855-292-3937) to report an intrusion and to request incident response
resources or technical assistance.

References

   - Malwarebytes LABS: "WanaCrypt0r ransomware hits it big just before the
   weekend"
   - Malwarebytes LABS: "The worm that spreads WanaCrypt0r"
   - Microsoft: "Microsoft Security Bulletin MS17-010"
   - Forbes: "An NSA Cyber Weapon Might Be Behind A Massive Global
   Ransomware Outbreak"
   - Reuters: "Factbox: Don't click - What is the 'ransomware' WannaCry
   worm?"
   - GitHub Gist: "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered
   Ransomware Worm"

Revision History

   - May 12, 2017: Initial post

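The prevention step in the alert above on SPF, DMARC and DKIM is easy to state and easy to get wrong in practice, because a record can exist and still enforce nothing (an SPF record ending in "?all", or a DMARC record with "p=none", lets spoofed mail through). The Python below is an added example, not code from US-CERT or from this mailing list: it parses SPF and DMARC TXT records and flags the weak settings beside their hardened counterparts. The domain "example.test" and both record sets are constructed; a real check would fetch the TXT records for the domain and for _dmarc.<domain> from DNS. DKIM is not evaluated here because it needs the sender's selector.

```python
"""Evaluate SPF and DMARC TXT records for weak settings (added example).

The records below are constructed for this example; a real check would
fetch the TXT records for the sending domain and for _dmarc.<domain>.
"""
from dataclasses import dataclass

# Constructed sample records for the hypothetical domain "example.test":
# a weak pair that only monitors, and a hardened pair that enforces.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailhost.test ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.mailhost.test -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.test; pct=100",
    },
}

SEVERITY_ORDER = ["info", "medium", "high"]


@dataclass
class Finding:
    severity: str   # "info", "medium" or "high"
    message: str


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; returns {} if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def check_spf(record: str) -> list:
    """Flag SPF records whose 'all' mechanism does not fail unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "no SPF record: sending hosts cannot be validated")]
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    findings = []
    if all_term is None:
        findings.append(Finding("medium", "SPF has no 'all' mechanism; unlisted hosts are implicitly neutral"))
    elif all_term.lower() in ("+all", "all"):
        findings.append(Finding("high", "SPF '+all' authorizes every host to send as this domain"))
    elif all_term.lower() == "?all":
        findings.append(Finding("medium", "SPF '?all' is neutral; spoofed mail is not failed"))
    elif all_term.lower() == "~all":
        findings.append(Finding("info", "SPF '~all' is a softfail; rely on DMARC to act on it"))
    return findings


def check_dmarc(record: str) -> list:
    """Flag DMARC records that do not enforce a policy on the whole mail stream."""
    tags = parse_dmarc(record)
    if not tags:
        return [Finding("high", "no DMARC record: receivers will not enforce a policy")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "DMARC p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("info", "DMARC p=quarantine sends failures to spam; p=reject blocks them"))
    elif policy != "reject":
        findings.append(Finding("high", f"DMARC policy '{policy}' is invalid or missing"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"DMARC pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("info", "no rua= address: aggregate reports will not be received"))
    return findings


def assess(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'worst' is the highest severity found ('info' if none)."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    worst = max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="info")
    return {"worst": worst, "findings": [f.message for f in findings]}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = assess(recs["spf"], recs["dmarc"])
        print(f"{name}: worst={result['worst']}")
        for msg in result["findings"]:
            print("  -", msg)
```

Running it reports the weak pair as high severity (neutral SPF, monitoring-only DMARC) and the hardened pair with no findings. The checker only reads records; moving a domain from p=none to p=reject should still be done gradually, after the aggregate reports delivered to the rua= address show that all legitimate senders pass.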
-- 

Regards,
Francisco Maia
http://www.streamline.pt
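The alert's Initial Analysis section describes the malware spreading by reaching the IPC$ share of every host the victim can see. A defender can turn that behaviour into a detection: one source host opening IPC$ on many distinct peers within a short window is a strong signal of worm-style lateral movement, and failed attempts count as much as successful ones. The Python below is an added example, not code from US-CERT or from this mailing list; the log format, addresses and timestamps are constructed for illustration and the parser should be adapted to whatever the file server or network sensor actually emits.

```python
"""Detect IPC$ share fan-out from a single host in SMB audit logs (added example).

The log format below is constructed for this example; adapt parse_line()
to the format your file server or network sensor actually produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.15 touches IPC$ on six peers within seconds,
# 10.0.0.40 mounts an ordinary share, and 10.0.0.41 opens IPC$ on three hosts
# spread over an hour (normal administrative activity, should not alert).
SAMPLE_LOG = """\
2017-05-12T04:00:01Z src=10.0.0.15 dst=10.0.0.22 share=IPC$ action=tree_connect status=OK
2017-05-12T04:00:02Z src=10.0.0.15 dst=10.0.0.23 share=IPC$ action=tree_connect status=OK
2017-05-12T04:00:02Z src=10.0.0.15 dst=10.0.0.24 share=IPC$ action=tree_connect status=ACCESS_DENIED
2017-05-12T04:00:03Z src=10.0.0.15 dst=10.0.0.25 share=IPC$ action=tree_connect status=OK
2017-05-12T04:00:04Z src=10.0.0.15 dst=10.0.0.26 share=IPC$ action=tree_connect status=OK
2017-05-12T04:00:05Z src=10.0.0.15 dst=10.0.0.27 share=IPC$ action=tree_connect status=OK
2017-05-12T04:00:09Z src=10.0.0.40 dst=10.0.0.5 share=finance action=tree_connect status=OK
2017-05-12T04:00:30Z src=10.0.0.41 dst=10.0.0.5 share=IPC$ action=tree_connect status=OK
2017-05-12T04:30:00Z src=10.0.0.41 dst=10.0.0.6 share=IPC$ action=tree_connect status=OK
2017-05-12T05:00:00Z src=10.0.0.41 dst=10.0.0.7 share=IPC$ action=tree_connect status=OK
"""

WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 5                    # distinct IPC$ destinations per window that triggers an alert


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_ipc_fanout(log_text: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list:
    """Return one alert (src, first_ts, sorted distinct dsts) per source host whose
    IPC$ tree connects reach `threshold` distinct hosts within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Keep only IPC$ tree connects; failed attempts are kept because the attempt is the signal.
    ipc = [e for e in events if e.get("share") == "IPC$" and e.get("action") == "tree_connect"]
    by_src = defaultdict(list)
    for e in sorted(ipc, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in evs[start:end+1] fit within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts.append((src, evs[start]["ts"].isoformat(), sorted(dsts)))
                break  # one alert per source host is enough
    return alerts


if __name__ == "__main__":
    for src, first_ts, dsts in detect_ipc_fanout(SAMPLE_LOG):
        print(f"ALERT {src} connected to IPC$ on {len(dsts)} hosts from {first_ts}: {', '.join(dsts)}")
```

On the sample log only 10.0.0.15 is reported, with the five peers it reached inside the first window; 10.0.0.41 stays below threshold because its connections are an hour apart. Tune the window and threshold against a baseline of legitimate administrative hosts (backup servers, monitoring, patch management) so those are allow-listed rather than raising daily alerts.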