
What to do against Wannacry: tips & tricks

On Friday a new piece of ransomware, Wannacry, was launched against Windows machines, and it spread very successfully until MalwareTech discovered a "kill switch" domain in the code; they took control of that domain (by registering it) and stopped the infections spreading.

Wannacry also has worm capabilities, meaning that it will start scanning for machines to attack, both on the local network and on the Internet. This is very DANGEROUS malware.

Important remark: this "kill switch" worked for consumer PCs that are directly connected to the Internet, but in a corporate environment the attempt to connect to the domain used by Wannacry will be blocked, either on the firewall or by the web proxy, so the kill switch will not prevent internal infection!

Anti-virus companies are already seeing new variants with new DNS domains or without the "kill switch", so the battle is still ongoing. In this blog we want to provide some tips & tricks to stop infections, detect impacted machines and provide an action plan for today.

Troy Hunt started a blog immediately on Friday that contains technical information about the malware and has some nice statistics. I'm sure that Troy will discuss this more in detail in the workshop that we organise on 1 and 2 June in Leuven. Contact us if you want to participate!

So, if you are responsible for the network security in your organisation this is what you need to do first:

  1. Make sure that you block TCP 445 (SMB) on your network firewall inbound & outbound!
  2. Monitor your firewall logs for blocked outgoing TCP 445: any machine that is trying to connect to external public IP addresses on that port is probably infected.
  3. Verify that all your Windows workstations AND servers have installed the patch MS17-010. You can use vulnerability scans to verify this.
  4. Update your anti-virus everywhere:
    1. Firewalls content inspection
    2. Web gateways
    3. Servers
    4. Workstations
    5. Backup servers
  5. Monitor your anti-virus logs for detections of Wannacrypt. If your anti-virus detects Wannacrypt on your internal network, you have an infected machine somewhere attacking other internal devices!
  6. Configure your network intrusion detection (IDS) to detect Wannacrypt scans and the related NSA exploits. If you don't have an IDS, install Snort or Suricata with the rules 42329-42332, 42340, 41978 to detect Wannacry.
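As an added example (not code from the original post), the following Python script applies checklist items 2 and 5 above to a firewall log export: it flags internal hosts that attempt TCP 445 connections to external addresses, and internal hosts that open TCP 445 to many internal peers (the fan-out pattern of a worm scanning the LAN). The log format, the sample lines and the flagged addresses are all constructed for this example; the "internal" network list is assumed to be the RFC 1918 ranges, and RFC 5737 documentation addresses stand in for public ones. Adapt the regular expression and the network list to your own firewall.

```python
"""Spot Wannacry-style SMB behaviour in firewall logs (added example).

Two checks from the checklist above:
  * outbound SMB: an internal host trying TCP 445 towards an external address
    (blocked or not) -- checklist item 2
  * SMB fan-out: one internal host opening TCP 445 to many internal peers
    within the log window -- checklist item 5
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: these are "your" networks. Replace with the ranges you actually use.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical, generic firewall export format (not any vendor's real format):
#   <timestamp> <ALLOW|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log: 10.1.2.15 behaves like an infected host, the rest is
# ordinary traffic plus one malformed record. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used here as stand-ins for public IPs.
SAMPLE_LOG = [
    "2017-05-13T09:00:01 DENY proto=TCP src=10.1.2.15:49152 dst=203.0.113.7:445",
    "2017-05-13T09:00:01 DENY proto=TCP src=10.1.2.15:49153 dst=198.51.100.23:445",
    "2017-05-13T09:00:03 ALLOW proto=TCP src=10.1.2.40:50000 dst=10.1.0.5:445",
    "2017-05-13T09:00:04 ALLOW proto=TCP src=10.1.2.41:50001 dst=203.0.113.80:443",
    "2017-05-13T09:00:05 ALLOW proto=UDP src=10.1.2.42:137 dst=10.1.2.255:137",
    "this line is not a firewall record",
] + [  # the same internal host touching twelve LAN neighbours on 445
    f"2017-05-13T09:00:{10 + i:02d} ALLOW proto=TCP "
    f"src=10.1.2.15:{49160 + i} dst=10.1.2.{20 + i}:445"
    for i in range(12)
]


def parse_line(line):
    """Return a dict for one log record, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_records(lines):
    """Yield parsed records for TCP traffic to port 445 only."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 445:
            yield rec


def find_outbound_smb(lines):
    """Item 2: map internal source -> sorted external destinations hit on TCP 445.
    DENY records count too: a blocked attempt is exactly the signal we want."""
    hits = defaultdict(set)
    for rec in smb_records(lines):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts, key=ipaddress.ip_address) for src, dsts in hits.items()}


def find_smb_fanout(lines, threshold=10):
    """Item 5: internal sources that opened TCP 445 to >= threshold distinct
    internal peers. Tune the threshold to your environment; file servers are
    destinations, not sources, so they should not trip it."""
    peers = defaultdict(set)
    for rec in smb_records(lines):
        if is_internal(rec["src"]) and is_internal(rec["dst"]):
            peers[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_outbound_smb(SAMPLE_LOG).items():
        print(f"OUTBOUND SMB  {src} -> {', '.join(dsts)}")
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"SMB FAN-OUT   {src} touched {n} internal hosts on TCP 445")
```

Run it against a real export by replacing SAMPLE_LOG with the lines of your firewall log file; any host listed under either heading is a candidate for immediate isolation and an MS17-010 check.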

Who's impacted

Who: Everyone

Affected software: Windows XP, Windows 7, Windows 2003

Impact: Encryption of ALL data stored locally and on file servers. The ransomware will attack other machines on the internal network and also on the Internet.



Solution

  • Install all latest patches for all your operating systems!
  • Update anti-virus engines.
  • Inform your SOC to increase monitoring of attacks and attempts.
  • Vulnerability scanning of all your IP addresses to detect vulnerable/rogue/unknown machines.
  • Defense in depth: review your firewall policies, remote access policies, ...
  • Inform your partners with remote connections to your environment to patch ASAP!



References

MalwareTech: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Microsoft Security: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Microsoft patches: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
