Ransomware attacks dubbed as “WannaCry” started to spread around the world on the 12th May 2017. In these attacks, data is encrypted with the extension “.WCRY” added to the file names. According to the reports, this attack initiated through an SMBv1 remote code execution vulnerability in Microsoft Windows code-named “EternalBlue”. The exploit “EternalBlue” has been made available on the internet through the Shadowbrokers dump on 14th April 2017.
Microsoft released security patch updates for this vulnerability on 14th March 2017 in Microsoft Security Bulletin MS17-010.
- Windows Vista (all editions)
- Windows Server 2008 (all editions)
- Windows 7 (all editions)
- Windows Server 2008 R2 (all editions)
- Windows 8.1 (all editions)
- Windows RT 8.1 (all editions)
- Windows Server 2012 and Windows Server 2012 R2 (all editions)
- Windows 10 (all editions)
- Windows Server 2016 (all editions)
- Some of the obsolete Microsoft Operating Systems are also vulnerable (Patches available through Microsoft Custom Support)
Recommended Course of Action
- MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in SMB server that is currently being used to propagate the WannaCry ransomware. Vulnerable Operating Systems should be updated with relevant security patches (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
- If patching is not possible, make a business decision to disable SMB.
- Make sure that you are running proper up-to-date anti-virus software.
- Security devices such IDS/IPS, SIEMS, Firewalls should also be tuned to block suspicious inbound and outbound network traffic.
- Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP, Windows 8, and Windows Server 2003) available to everyone. The security update for Windows XP, Windows 8, and Windows Server 2003 can be download here.
Additional Recommendation for Counter Ransomware Attacks
TechCERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited Web links in emails. Refer to the Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.