According to a report from ICS-CERT, indicators associated with the WannaCry ransomware have been released to raise awareness within the ICS community and to identify the affected ICS and medical device vendors that have contacted ICS-CERT to report their vendor-issued recommendations for mitigating the risk associated with the WannaCry ransomware.
WannaCry ransomware hit over 200,000 computers, from the manufacturing to the medical industries, in at least 174 countries starting Friday and continuing through the beginning of this week. The malicious code relied on victims opening a zip file emailed to them; from there the ransomware package used a patched flaw in the Microsoft operating system software to proliferate. Microsoft released the patch for the vulnerability in March, but as with most patches, especially in the manufacturing automation sector, patching is infrequent, takes time to validate, or does not happen at all.
In addition to the WannaCry ransomware, there is other malware exploiting the vulnerabilities in the Windows SMB server, identified in Microsoft Security Bulletin MS17-010. Some of these additional samples of malware identified in the reporting are UIWIX, Adylkuzz, and EternalRocks.
The ransomware UIWIX is reported to execute in memory and to terminate itself if it determines that it is running in a virtual machine or sandbox, making it more challenging to detect and analyze. The Adylkuzz Trojan is malware that consumes the resources of infected systems to create a botnet for cryptocurrency mining. EternalRocks is a network worm that spreads through seven exploits and does not carry a malicious payload. There is also reporting that the EternalRocks campaign may have ended; however, information about EternalRocks is still useful, as the exploits utilized in this campaign could potentially be reused in future campaigns.
The impact of this additional malware has not been fully assessed; however, since it appears to be exploiting vulnerabilities in the Windows SMB server, the mitigation guidance remains the same. These additional threats further emphasize the need to implement effective prevention and protection mechanisms.
The following ICS and medical device vendors reported they support products that use Microsoft Windows and have proactively issued customer notifications with recommendations for users:
• Siemens
• Johnson & Johnson
In an effort to support critical infrastructure asset owners/operators, ICS-CERT published a What is WannaCry/WanaCrypt? Fact Sheet.
To assist healthcare providers with mitigation efforts, ICS-CERT offers the following information regarding the patch management of medical devices, which comes directly from the FDA Fact Sheet — FDA’s Role in Medical Device Cybersecurity:
• Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
• The FDA recognizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.
The FDA provided recommendations to protect healthcare systems in their Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication. The FDA recommends healthcare providers consider taking the following steps:
• Restricting unauthorized access to the network and networked medical devices.
• Making certain appropriate antivirus software and firewalls are up-to-date.
• Monitoring network activity for unauthorized use.
• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Developing and evaluating strategies to maintain critical functionality during adverse conditions.
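The mitigation guidance above comes down to the same few checks on each Windows host: is the MS17-010 update present, is the SMBv1 server still enabled, and is TCP/445 reachable. The following read-only audit script is an added example, not ICS-CERT, FDA or vendor code; it assumes Windows 8.1/Server 2012 R2 or later, an elevated PowerShell session, and that the reader fills in `$Ms17010Kbs` with the KB numbers Microsoft lists for MS17-010 for the host's OS build (the value below is a placeholder).

```powershell
<#
  Added example (not from the ICS-CERT advisory): read-only audit of one
  Windows host's exposure to the MS17-010 SMB vulnerabilities.
  Assumption: $Ms17010Kbs is replaced by the MS17-010 KB IDs for this OS build.
#>
param(
    # Placeholder, not a real KB number: fill in from the MS17-010 bulletin.
    [string[]]$Ms17010Kbs = @('KB<MS17-010-for-this-build>')
)

$findings = [ordered]@{}

# 1. Is the SMBv1 server protocol still enabled? MS17-010 is an SMBv1 flaw,
#    so a host with SMBv1 off is not reachable by these exploits even if unpatched.
$smb = Get-SmbServerConfiguration
$findings['SMB1Enabled'] = $smb.EnableSMB1Protocol

# 2. Is any of the listed MS17-010 updates installed on this host?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$findings['MS17010PatchInstalled'] = [bool]$installed
$findings['MatchingHotfixes'] = ($installed.HotFixID -join ', ')

# 3. Is TCP/445 listening, and on which local addresses?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$findings['Port445Listening'] = [bool]$listen
$findings['Port445Addresses'] = (($listen.LocalAddress | Sort-Object -Unique) -join ', ')

# 4. Which enabled inbound firewall rules allow TCP/445? These are the rules
#    that would need review under the "disable unnecessary ports" guidance.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '445'
    }
$findings['InboundRulesAllowing445'] = ($rules.DisplayName -join '; ')

# Summary: the host is exposed when SMBv1 is on, no MS17-010 update is present
# and 445 is listening. This script changes nothing; any remediation on an ICS
# or medical device host still needs the impact analysis the advisory calls for.
$findings['Exposed'] = $findings['SMB1Enabled'] -and
                       -not $findings['MS17010PatchInstalled'] -and
                       $findings['Port445Listening']

[pscustomobject]$findings | Format-List
```

Run it per host (or via remoting against a list of hosts) and treat `Exposed = True` as the queue for patch validation or SMBv1 removal, in that order of preference.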
ICS-CERT reminded organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download.