Hitting the media headlines over the weekend, WCry is a highly virulent strain of a self-replicating ransomware, infecting over 230,000 hosts in over 150 countries and impacting such far-flung organisations as our NHS, Chinese universities, Hungarian and Spanish telcos, and the Russian Interior Ministry.
This ransomware is being referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. It is spread through an alleged NSA exploit called ETERNALBLUE that was leaked online last month by the hacker group known as The Shadow Brokers. ETERNALBLUE exploits a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) protocol.
Affected Microsoft products include:
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Windows 8.1
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT 8.1
- Windows 10
- Windows Server 2016
- Windows Server Core installation option
Microsoft released a critical patch for this vulnerability in March in the Microsoft Security Bulletin MS17-010. That same month, security vendors released IPS signatures to detect and block this vulnerability. Many vendors have since released new AV signatures to also detect and stop this new variant.
We strongly advise all organisations take the following steps:
- Apply the patch published by Microsoft on all affected nodes of their network.
- Ensure that the AV and IPS inspections as well as web filtering engines are turned on to prevent the malware from being downloaded, and to ensure that web filtering is blocking communications back to the command and control servers.
- Restrict access to systems on UDP ports 137 / 138 and TCP ports 139 / 445.
We also recommend that users and organisations take the following preventive measures:
- Establish a regular routine for patching operating systems, software, and firmware on all devices. For larger organisations with lots of deployed devices, consider adopting a centralised patch management system.
- Deploy IPS, AV, and Web Filtering technologies, and keep them updated.
- Back up data regularly. Verify the integrity of those backups, encrypt them, and test the restoration process to ensure it is working properly.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
Schedule your anti-virus and anti-malware programs to automatically conduct regular scans.
- Disable macro scripts in files transmitted via email. Consider using a tool like Office Viewer to open attached Microsoft Office files rather than the Office suite of applications.
- Train staff to be vigilant when opening email and to never open attachments or click on links from untrusted sources.
- Establish a business continuity and incident response strategy and conduct regular vulnerability assessments.
If your organisation has been affected by ransomware, we suggest you take the following actions:
- Isolate infected devices immediately by removing them from the network as soon as possible to prevent ransomware from spreading to the network or shared drives.
- If your network has been infected, immediately disconnect all connected devices.
- Power-off affected devices that have not been completely corrupted. This may provide time to clean and recover data, contain damage, and prevent conditions from worsening.
- Always store backed up data offline. When an infection is detected, take backup systems offline as well and scan backups to ensure they are free of malware.
- Report any ransomware incidents to the police.
Customers with Next Generation Firewall and Email Protection solutions provided by Bistech can be assured that the latest AV and IPS definitions are in place and that third party testing confirms that the Anti-Virus effectively blocks the WCry malware.
For further advice, talk to our team of security experts on 03330 11 22 55.