HHS issues warning for vigilance on WannaCry ransomware
The threat posed by the WannaCry ransomware is not over for the nation’s hospitals, and two large multi-state hospital delivery systems "are continuing to face significant challenges to operations" because of the WannaCry malware, according to the Department of Health and Human Services.
An update on the malware attack from HHS did not identify the hospital systems or their geographical region of the country, or specifically what the effects of the attack were on their operations.
The revelation comes as a surprise, because most published reports have suggested that U.S. hospitals were not affected by WannaCry, which crippled a number of healthcare facilities in the United Kingdom.
In fact, U.S. hospitals could face challenges from lingering effects of the initial ransomware attack, which occurred in mid-May. HHS, through its Office of the Assistant Secretary for Preparedness and Response, emphasizes that a new WannaCry attack has not been detected, but risks persist from the initial attack. For instance, the virus can persist on a machine that has been patched, the agency contends.
“The virus will not spread to a patched machine, but the attempt to scan (for the virus) can disrupt Windows operating systems when it executes,” according to the agency. Even patched systems still could be infected if the WannaCry malware is introduced to the system in a different manner.
“Furthermore, a newly patched system could have been previously infected and, if so, would still scan for other vulnerable systems and/or encrypt files,” HHS advises. “Patching a system is similar to how, in physical medicine, a quarantine will prevent an infection from spreading, however, it will not cure the patient who has been quarantined.”
Tips from the agency to mitigate the risk of WannaCry infection include:
- Patch vulnerable systems with the Microsoft update that fixes the SMBv1 vulnerability (MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
- Disable SMBv1 on all devices across the network and disable it at the firewall if possible. If it is not possible to disable SMBv1, consider the business impact for quarantining those devices off the network until another solution can be found.
- See the Tech Support Page from Microsoft for instructions on disabling SMBv1 (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server).
- Block port 445 on all firewalls.
- If possible, reimage potentially affected devices to mitigate risk that malware is on the system in the background.
- Use a reputable anti-virus product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many anti-virus products will automatically clean up infections or potential infections when they are identified.
- Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
- Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry; remediation may include reimaging.
- HHS also suggests contacting the FBI if you are a victim of ransomware, reporting cyber incidents to US-CERT (United States Computer Emergency Readiness Team), and contacting the Food and Drug Administration if a real or suspected attack affects medical devices.
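The SMBv1, port-445 and scanning items in the list above map directly onto a handful of Windows cmdlets. The script below is an added example, not part of the HHS advisory or this article: it audits one host (is SMBv1 still enabled, is inbound TCP/445 blocked, is the host talking to an unusual number of peers on 445) and, only when run with `-Apply`, disables SMBv1 and adds the block rule. It assumes Windows 8 / Server 2012 or later (for the SmbShare, NetSecurity and DISM cmdlets), an elevated session, and a constructed fan-out threshold of 20 peers that you would tune for your own network.

```powershell
# Added example (not from the HHS advisory or the article): audit and, with -Apply,
# remediate the SMBv1 / port-445 items on a single Windows host.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Apply,
    # Constructed threshold: distinct remote hosts on TCP/445 that we treat as
    # scanning-like behaviour; tune for your environment.
    [int]$ScanFanoutThreshold = 20
)

function Get-Smb1Status {
    # Server side: is the SMB1 protocol still enabled on the file server service?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional-feature view: is the SMB1 component installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # The same two steps the Microsoft support article linked above documents.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Test-Smb445Blocked {
    # True if any enabled inbound firewall rule blocks TCP/445.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')) { return $true }
    }
    return $false
}

function Block-Smb445Inbound {
    # Host-level equivalent of "block port 445 on all firewalls".
    New-NetFirewallRule -DisplayName 'Block inbound SMB TCP/445 (WannaCry mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

function Get-Smb445Fanout {
    # Detection: a host with connections to many distinct peers on 445 is behaving
    # like a WannaCry-style scanner and should be investigated per the advisory.
    $conns = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
    $peers = @($conns | Select-Object -ExpandProperty RemoteAddress -Unique)
    [pscustomobject]@{
        DistinctPeers = $peers.Count
        Peers         = $peers
        Suspicious    = ($peers.Count -ge $ScanFanoutThreshold)
    }
}

# Audit first; nothing below changes the host unless -Apply was given.
$status = Get-Smb1Status
Write-Host "SMB1 server enabled : $($status.ServerSmb1Enabled)"
Write-Host "SMB1 feature state  : $($status.Smb1FeatureState)"
Write-Host "Inbound 445 blocked : $(Test-Smb445Blocked)"
$fan = Get-Smb445Fanout
Write-Host "Outbound 445 peers  : $($fan.DistinctPeers) (suspicious: $($fan.Suspicious))"

if ($Apply) {
    if ($status.ServerSmb1Enabled -or $status.Smb1FeatureState -eq 'Enabled') { Disable-Smb1 }
    if (-not (Test-Smb445Blocked)) { Block-Smb445Inbound }
    Write-Host 'Remediation applied; a restart is required to complete SMB1 removal.'
}
```

Two caveats that follow from the advisory itself: blocking inbound 445 on a file server stops file sharing, which is the "business impact" HHS asks you to weigh before quarantining devices, and a host the fan-out check flags as suspicious should be treated as the advisory says (investigate, and reimage if needed) rather than merely patched, since a patched machine that was already infected will keep scanning.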