WannaCry?

As most of you have likely heard or seen on the news, a new ransomware variant called "WannaCry" is making the rounds, and in a very short period of time it has impacted hundreds of thousands of systems in 150 countries worldwide, including high-profile victims like the British National Health Service (NHS). The attack targets Microsoft Windows operating systems and exploits a previously disclosed and patched vulnerability.

Here is what you need to know…

What is WannaCry?

WannaCry is a ransomware variant that exploits a vulnerability in the SMBv1 implementation of the Windows operating system, the vulnerability addressed by Microsoft security bulletin MS17-010. The exploit it uses was published in April 2017 by a group calling itself the Shadow Brokers, and it was allegedly part of a collection of tools belonging to the National Security Agency (NSA). Microsoft had patched the vulnerability in March 2017, a month before the exploit became public, but there are likely millions of computers that have not yet been updated; those systems are vulnerable and are actively being exploited. WannaCry uses the vulnerability to gain a foothold in an environment and then spreads from machine to machine over SMB without needing credentials or any user action. The primary initial vector of compromise is still being researched; current theories range from phishing emails to internet-exposed vulnerable systems and previously compromised systems.

An infected machine displays a ransom message (screenshots WannaCry1 and WannaCry2, not reproduced here) and contains a file named !Please Read Me!.txt.

Can Managed Threat Intelligence by Vertek detect systems vulnerable to MS17-010?

Absolutely. We have built-in signatures that detect this vulnerability, and a scan can be run on customer assets to identify the ones that are potentially vulnerable. If systems are vulnerable you should apply the patch Microsoft released; failing to do so can quickly and easily result in a compromise should WannaCry gain a foothold in your environment. Microsoft has also released patches for legacy operating systems that are no longer supported (Windows XP and Windows Server 2003).

Can Managed Threat Intelligence by Vertek detect WannaCry?

Our clients are subscribed to our pulses, which currently include over 500 indicators of compromise specific to WannaCry. If we detect one of these indicators traversing your network, an alarm is generated, and our analysts will immediately contact your technical point of contact to have the affected system isolated from the network.

What can I do to further protect myself from this attack?  

  • Be extra cautious with suspicious emails and don't open attachments or links from anyone you don't trust. You can forward phishing or suspicious emails to phishing@vertek.com for further analysis.
  • Ensure that you have applied the MS17-010 patch: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • If you are running a legacy OS, such as Windows XP or Windows Server 2003, refer to the following: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Ensure you have good, tested backups, kept offline or otherwise out of reach of a ransomware infection.
  • WannaCry spreads by exploiting a vulnerability in Windows Server Message Block (SMB) version 1, so disable SMBv1 in your environment if you haven't already; SMBv1 is the reason this ransomware is spreading like wildfire. This can be done in several ways (PowerShell, Group Policy, or manually through the registry). Note that Set-SmbServerConfiguration takes effect immediately and does not require a restart, whereas the registry-based methods take effect only after the host is restarted.

Via PowerShell

    • To check the current status on Windows 8 / Windows Server 2012 and later:
      Get-SmbServerConfiguration | Select EnableSMB1Protocol
    • To check the current status on Windows 7 / Windows Server 2008 R2 and earlier (if the SMB1 value is absent, the default applies, and the default is enabled):
      Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1
    • To disable SMBv1 on Windows 8 / Windows Server 2012 and later, run the following on that host:
      Set-SmbServerConfiguration -EnableSMB1Protocol $false
    • To disable SMBv1 on Windows 7 / Windows Server 2008 R2 and earlier, run the following on the individual host and then restart it:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Manually

  • To manually disable SMBv1: open the Registry Editor, navigate to the following key, and set the SMB1 value (REG_DWORD) to 0, creating it if it does not exist; restart the host for the change to take effect:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Globally with GPO

  • To disable it globally with Group Policy, create a registry preference item in the Group Policy editor under:
    Computer Configuration > Preferences > Windows Settings > Registry
    Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Value name: SMB1
    Value type: REG_DWORD
    Value data: 0 (hexadecimal)
    The value is written at the next Group Policy refresh and takes effect after the host restarts.

  • Lastly, if a machine is infected, immediately disconnect it from the network and contact your IT personnel.
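The following script ties the SMBv1 checks and commands above into one audit-and-remediate step. It is an added example, not code from the original post or from Vertek: it picks the cmdlet-based method where Get-SmbServerConfiguration exists and falls back to the registry method on older hosts, treats a missing SMB1 registry value as "enabled" (the default), and warns when a restart is still needed. It assumes an elevated PowerShell session; the -Disable switch is the script's own parameter, not a built-in of any cmdlet.

```powershell
# Added example (not from the original post): audit, and optionally disable,
# the SMBv1 server component on the local Windows host.
# Assumes an elevated PowerShell session. -Disable is this script's own switch.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # audit only unless -Disable is given
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Windows 8 / Server 2012 and later ship the SmbShare cmdlets; older hosts do not.
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Get-Smb1ServerState {
    if ($hasSmbCmdlets) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: the SMB1 value is usually absent. Absent means the default
    # applies, and the default is ENABLED, so a missing value reports $true.
    $props = Get-ItemProperty -Path $regPath -ErrorAction Stop
    if ($null -eq $props.SMB1) { return $true }
    return ($props.SMB1 -ne 0)
}

$before = Get-Smb1ServerState
Write-Host ("{0}: SMBv1 server enabled = {1}" -f $env:COMPUTERNAME, $before)

if (-not $Disable) {
    Write-Host "Audit only. Re-run with -Disable to turn the SMBv1 server off."
    return
}

if (-not $before) {
    Write-Host "SMBv1 server is already disabled; nothing to do."
    return
}

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
    if ($hasSmbCmdlets) {
        # Takes effect immediately; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host ("SMBv1 server enabled (now) = {0}" -f (Get-Smb1ServerState))
    } else {
        # Creates the DWORD if it does not exist. The Server service only reads
        # it at start, so the host must be restarted before SMBv1 is really off.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning "SMB1 registry value set to 0; restart the host for it to take effect."
    }
}
```

Run it once with no arguments to record the current state, then with -Disable (or -Disable -WhatIf to preview). Both methods only turn off the SMBv1 server side, which is the side WannaCry attacks when it spreads; the SMBv1 client component is separate and is not changed here, and disabling SMBv1 is a mitigation, not a substitute for applying MS17-010.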