By now, most of the world is aware of the major cyberattack in the form of ransomware that hit and rapidly spread Friday known as “WannaCrypt” or “WannaCry”. Though initially concentrated in Russia and Eastern Europe, the ransomware infection quickly spread around the world, including significant infections in Great Britain’s medical and hospital communities. This attack was and is particularly nasty and potent because it has incorporated a worm that lands on the initially infected host and then spreads to all other servers and PC’s on the network by leveraging a known Microsoft vulnerability. The initial infection mechanism appears to be in the form of email phishing, but after that point, the spread of the worm is automated and ruthlessly effective. Infected systems experience the encryption of critical data and receive a ransom notice demanding $300 in bitcoin for access to decryption keys. Encrypted files on infected systems use the extension “.wncry”.
Microsoft addressed the exploit leveraged by the worm (EternalBlue) on all supported platforms in a patch released in March 2017 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – though unsupported legacy platforms (Windows XP, Windows Server 2003, Windows 8, etc.) remained susceptible to infection. Due to the rapid spread of the WannaCrypt worm around the world on Friday, Microsoft developed and released a special legacy patch for unsupported platforms as well – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ .
Major security firms have worked diligently to develop and deploy signature updates to anti-malware and IPS solutions to limit the spread of this strain of ransomware. The ransomware appears to attempt to communicate via an SMB flaw over specific UDP and TCP ports – UDP ports 137 / 138 and TCP ports 139 / 445. Fortinet released an IPS signature in March to address these types of SMB vulnerabilities and has since updated the IPS signature to enhance detection. Over the weekend, Fortinet also released a specific AV signature capable of detecting and stopping the attack. See the following link for more details – https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware .
What should you do to protect your organization from “WannaCrypt”? Make sure you have done the following:
- Verify that all Microsoft platforms have been patched with the March 2017 release – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Identify and manually patch any unsupported, legacy Microsoft systems (Windows Server 2003, Windows XP, etc.) with the Friday release – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Verify all IPS and Anti-Malware/Anti-Virus signatures are up to date on all systems including servers, desktops, firewalls and other security appliances.
- Isolate any vulnerable systems and specifically isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
- Educate your end users. Explain the nature of the threat. Make them aware that they should be cautious when dealing with unexpected or unknown email messages.
The following are additional links to good information and guidance concerning this ransomware outbreak: