WannaCrypt Ransomware Update

This attack exploits a vulnerability in SMBv1 (Microsoft Server Message Block 1.0). It is highly recommended to patch all systems and/or disable SMBv1. Alternatively, filter the corresponding ports.

Microsoft has released patches for affected software; this includes a Security Update for Windows XP SP3 (KB4012598).

Proactive measures for the WannaCry ransomware

  • Patch and update all operating systems. Please see Reference 3 below (MS17-010).
  • Disable SMBv1 everywhere else.
  • (Retroactively to Friday, 12th of May) move all email messages with active code in attachments into a quarantine.
  • Control all incoming executable files via the Web/Proxy infrastructure.
  • Control returning laptops before Start-of-business on Monday, 15th of May.
  • Inform all employees not to click on any hyperlinks or open attachments.
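
The first two measures (patch present, SMBv1 disabled) can be checked per host with a short audit script. This is an added example, not part of the HEAnet or Microsoft guidance; the `-DisableSmb1` switch and the function names are assumptions, and the KB list defaults to the one KB named on this page.

```powershell
# Added example: audit one Windows host for the MS17-010 patch and the SMBv1 server setting.
# Run from an elevated prompt. Other Windows versions use different KB numbers (see MS17-010);
# pass them with -KbIds. A missing KB is a prompt to investigate, not proof of exposure,
# because a later cumulative update may have superseded it.
param(
    [string[]]$KbIds = @('KB4012598'),   # the KB named on this page
    [switch]$DisableSmb1                 # assumption: opt-in remediation switch
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Test-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if ($hasSmbCmdlets) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: registry value SMB1; an absent value means SMBv1 is enabled (default).
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Get-InstalledKb {
    param([string[]]$Ids)
    # Get-HotFix raises an error for IDs that are not installed; keep only the hits.
    @(Get-HotFix -Id $Ids -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)
}

$smb1  = Test-Smb1ServerEnabled
$found = Get-InstalledKb -Ids $KbIds

if ($DisableSmb1 -and $smb1) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry change on older systems takes effect after a restart.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    }
    $smb1 = Test-Smb1ServerEnabled
}

# One summary object per host, suitable for piping to Export-Csv.
New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    Smb1ServerEnabled = $smb1
    InstalledKbs      = ($found -join ',')
    MissingKbs        = (($KbIds | Where-Object { $found -notcontains $_ }) -join ',')
}
```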

Incident response to Crypto Ransomware

In the case of a detection, HEAnet recommends that you unplug / disconnect the infected systems from the network (do not forget any wireless connectivity).

If you have any further questions, please do not hesitate to contact noc@heanet.ie

References

  1. https://circl.lu/pub/tr-41/#proactive-measures-for-the-wannacry-ransomware
  2. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  3. https://www.microsoft.com/en-us/download/details.aspx?id=55245
  4. https://technet.microsoft.com/library/security/ms17-010