The WannaCry (.WNCRY, Wana Decrypt0r 2.0) ransomware outbreak is definitely the scariest cybersecurity event of 2017. So far. The ransomware has compromised the systems of Telefonica in Spain, as well as multiple hospitals in the UK, and has been affecting National Health Service machines in England and Scotland.
As suggested by multiple sources, the NHS, and possibly other organizations as well, have been hit because they were running unsupported Windows XP across thousands of computers.
Just a couple of days ago Kaspersky Lab pointed out that the attack “is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.”
As we already wrote, EternalBlue and DoublePulsar are indeed the exploits used by the group spreading WannaCry. The exploits were leaked online around the Easter holidays by The Shadow Brokers. The exploit targets flaws in Windows systems, so anyone whose machine is not yet infected is strongly advised to back up their data and then install the update.
That being said, MS17-010 is also a patch for newer versions of Windows, including Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012 and Windows Server 2016.
Since the ransomware is continuously evolving and altering its ways of distribution, the mitigations against it are more important than ever.
Don’t Block Domains Associated with WannaCry Ransomware
According to the British National Cyber Security Center:
Work done in the security research community has prevented a number of potential compromises. To benefit from this, a system must be able to resolve and connect to the domain below at the point of compromise.
Unlike most malware infections, your IT department should not block this domain.
In addition to not blocking WannaCry domains, security experts agree on 5 common mitigation steps that should be adopted by both home users and IT admins.
MS17-010 Should Be Installed
As explained by Microsoft, “the security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests”. It is extremely important that all system updates are installed as soon as they are available. This is the most effective way to prevent infections that exploit the flaw addressed by MS17-010. Keep in mind that if your system hasn’t been updated with this patch, it should be removed from all networks as soon as possible.
Emergency Windows Patch Should Be Installed
Apparently, Microsoft has issued emergency security updates for multiple operating systems that it no longer supports to help organizations protect themselves against the unstoppable WannaCry ransomware outbreak.
SMBv1 Should Be Disabled
According to the NCSC, if it is not possible to apply these patches, SMBv1 should be disabled. Here is how to do it.
SMBv1 Should Be Blocked
As an alternative method, SMBv1 ports should be blocked on network devices – UDP 137, 138 and TCP 139, 445 – as recommended by NCSC.
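The two NCSC steps above (disabling SMBv1 and blocking its ports) on a single Windows host, as an added PowerShell example that is not part of the NCSC guidance or of this article. It assumes an elevated session; the SmbShare and NetSecurity cmdlets exist only on Windows 8 / Server 2012 and later, so older systems fall back to the registry, and KB_PLACEHOLDER stands for the KB number Microsoft lists for your OS in the MS17-010 bulletin.

```powershell
# Added example: audit and disable SMBv1 on a Windows host, then block the SMB/NetBIOS
# ports at the host firewall. Run in an elevated PowerShell session; the server-side
# change takes effect after a reboot.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: the SmbShare cmdlets are available.
    "SMB1 server enabled before: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Also remove the optional feature (covers the client side); -NoRestart defers the reboot.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    "SMB1 server enabled after:  $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
} else {
    # Windows 7 / Server 2008 R2 have no SmbShare module: set the registry value instead.
    # SMB1 = 0 under LanmanServer\Parameters turns the SMBv1 server off after a reboot.
    New-ItemProperty -Path $key -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    "SMB1 registry value: $((Get-ItemProperty -Path $key -Name SMB1).SMB1)"   # 0 = disabled
}

# Host-firewall fallback for the ports NCSC lists (UDP 137/138, TCP 139/445).
# Caveat: this also blocks legitimate file and printer sharing to this host.
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (WannaCry mitigation)' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null

# Confirm the MS17-010 update is installed. KB_PLACEHOLDER is a placeholder for the KB
# number Microsoft lists for this OS in the MS17-010 bulletin (not given on this page).
if (Get-HotFix -Id 'KB_PLACEHOLDER' -ErrorAction SilentlyContinue) {
    'MS17-010 update present'
} else {
    'MS17-010 update NOT found: isolate this host from the network until it is patched'
}
```

Re-run the two "enabled" checks after the reboot, since the SMBv1 server setting is not applied until the service restarts.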
Complete Shut Down of Vulnerable Systems
If none of the solutions listed above are available, the NCSC recommends shutting down vulnerable systems. “If these steps are not possible, propagation can be prevented by shutting down vulnerable systems,” the organization suggested.