The WannaCry Ransomware Needs to Be a Wake-up Call to All

Well, it looks like the day of reckoning is here for many businesses with the spread of the WannaCry ransomware (aka WannaDecryptor, aka WannaCryptor, aka WCry). You may well wanna cry if you get this ransomware on your systems!

It encrypts the victim’s files and holds them for ransom unless an amount is paid in bitcoin.

It had infected tens of thousands of computers in over 75 countries at the time of recording, and it is still spreading.

Watch it spread: https://comparite.ch/wannacry

So who is at risk? Anyone running Windows operating systems that are listed in the patch announcement here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The NCSC advise the following steps be performed in order to contain the propagation of this malware:

  • Deploy patch MS17-010:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  • A new patch has been made available for legacy platforms, and is available here:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

  • If it is not possible to apply this patch, disable SMBv1.  There is guidance here:

https://support.microsoft.com/en-us/help/2696547

  • and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]

If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.

Work done in the security research community has prevented a number of potential compromises. To benefit:

  • Ensure that your systems can resolve and connect on TCP 80 to the domains below. 

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike most malware infections, your IT department should not block these domains. Note that the malware is not proxy aware, so a local DNS record may be required. This does not need to point to the internet, but can resolve to *any* accessible server which will accept connections on TCP 80.
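The NCSC steps above (patch, disable SMBv1, block the SMB ports) and the kill-switch check are things an administrator would run on each Windows host. The following PowerShell is an added example, not code from the original post or from the NCSC advisory. It assumes an elevated prompt and Windows 8 / Server 2012 or later for the Smb*, NetFirewall, Resolve-DnsName and Test-NetConnection cmdlets; the Windows 7 / 2008 R2 branch uses the registry value from KB2696547 instead. The list of MS17-010 KB numbers is my own and should be checked against the MS17-010 bulletin before relying on it.

```powershell
#Requires -RunAsAdministrator
# Added example: WannaCry containment checks for one Windows host.
# Not from the original post or the NCSC advisory; see assumptions below.

# 1. Is an MS17-010 update installed?
#    ASSUMPTION: this KB list is mine, verify it against the MS17-010 page.
#    On Windows 10 a later cumulative update supersedes these, so "not found"
#    does not by itself prove the host is unpatched.
$ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198',
                'KB4013429','KB4012598')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update found: patch, or disable SMBv1 below'
}

# 2. Disable the SMBv1 server. Set-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later; older systems get the KB2696547
#    registry value, which takes effect after a reboot.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    $smb1Enabled = (Get-ItemProperty -Path $key -Name SMB1).SMB1 -ne 0
    Write-Host 'Registry change takes effect after a reboot'
}
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 2b. On Windows 8.1 / 10 the SMB1 component can be removed outright.
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# 3. Block the SMB ports at the host firewall (NCSC: UDP 137/138, TCP 139/445).
#    Caveat: this also stops legitimate file and printer sharing to this host.
New-NetFirewallRule -DisplayName 'WannaCry containment: block SMB TCP' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'WannaCry containment: block NetBIOS UDP' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null

# 4. Confirm the kill-switch domains resolve and accept TCP 80 from this host.
#    The malware is not proxy aware, so this check deliberately bypasses
#    any proxy, exactly as the malware does.
$killSwitch = @('www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
                'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com')
foreach ($name in $killSwitch) {
    $dns = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
    if (-not $dns) {
        Write-Warning "$name does not resolve: add a local DNS record"
        continue
    }
    $tcp = Test-NetConnection -ComputerName $name -Port 80 -WarningAction SilentlyContinue
    Write-Host "$name -> TCP 80 reachable: $($tcp.TcpTestSucceeded)"
}
```

Step 4 only tells you the original variant's kill switch would fire from this host; it is a check, not a fix, and as the comments below note, later variants were released without it. Steps 2 and 3 are what actually stop the SMB propagation.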

Antivirus vendors are increasingly becoming able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).

  • Jimmy Toriola says:

    True. it is a global problem.

  • Jas says:

    Very informative & well explained.

  • Asiye says:

    Thank you Nathan.

  • Steven Angelucci says:

    Thanks Nathan

  • Luca says:

    Thanks for sharing this information… I read about a young guy who has stopped the spread of the ransomware in some way… Do you know any details on this?

    • Nathan House says:

      Yes WannaCry stops if a certain domain is registered, as it checks for the existence of that domain. It is/was a feature coded into it as a way of stopping the spread. But new versions have already been released where this doesn’t stop it.

  • Jen says:

    Very informative and a great awakening!
    Thanks, Nathan, for sharing.

  • Jurjen says:

    Thanks Nathan for taking the time to explain. Made me remember I have to continue my course 😉

  • Michael says:

    Thanks for the update!
