On May 12th, an outbreak of a new ransomware named WannaCry (aka WannaCrypt, WCry) took place. This ransomware spread wildly in a short amount of time, infecting over 100K victims in over 99 countries by exploiting the MS17-010 vulnerability. The following image from the live infection map demonstrates how big the impact of this campaign has been over the past 24 hours.
The MS17-010 vulnerability was first made public during the ShadowBrokers’ leak of CIA data back in April of this year and was dubbed ETERNALBLUE. It is a critical vulnerability in the SMBv1 server which is wormable (and was exploited as a worm in this case). Microsoft patched this vulnerability on March 14th 2017 and released a special security bulletin for it a whole month prior to the ShadowBrokers’ leak. Furthermore, during the events of the past weekend and the mass ransomware infections that took place, Microsoft released another, out-of-band patch for a no longer supported version of Windows, Windows XP, and even released a guide on how to protect yourself from the WannaCry attacks.
As of today, May 14th, the WannaCry attacks have ceased after the researcher behind the MalwareTechBlog registered a domain that effectively acts as a kill switch for the ransomware distribution.
Although so many were infected, the criminals didn't make much of a profit:
So, what can you do to protect yourself?
- If you haven’t yet, STOP WHATEVER YOU ARE DOING AND RESTART your Windows machine to apply all patches.
- Enable the Anonymous Networks target on your ThreatSTOP IP and DNS Firewalls. This will block all communication with Tor from your organization, minimizing the chances of an attack while also stopping your employees from bypassing your corporate defences.
- Use Minerva’s Vaccinator. It is free and will cause the malware to skip your machines.
- Consider disabling legacy protocols on your networks, specifically SMBv1. If you don’t need a protocol, why is it there?
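To act on the last recommendation, here is an added PowerShell script (not part of the original post, and not ThreatSTOP's or Microsoft's tooling) that audits whether SMBv1 is still enabled on a Windows host and, when run with -Disable, turns it off. It assumes Windows 8.1 / Server 2012 R2 or newer for the SMB and optional-feature cmdlets, and falls back to the LanmanServer registry value for Windows 7 / Server 2008 R2; run it from an elevated PowerShell.

```powershell
# Added example: audit (default) or disable (-Disable) the SMBv1 server and
# client on the local Windows host. Assumption: elevated PowerShell 3.0+.
[CmdletBinding()]
param(
    [switch]$Disable   # without -Disable the script only reports
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $state = [ordered]@{}
    # Server side (Windows 8 / 2012 and later): does LanmanServer still speak SMB1?
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $state.ServerSmb1Enabled = $cfg.EnableSMB1Protocol }
    # Registry fallback used on Windows 7 / 2008 R2: a missing value means "enabled"
    $reg = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    $state.RegistrySmb1 = if ($null -eq $reg.SMB1) { 'absent (default: enabled)' } else { $reg.SMB1 }
    # Optional-feature package (client + server components) on Windows 8.1 / 10
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $state.FeatureState = $feat.State }
    # SMB1 client redirector driver: still loaded means outbound SMB1 is possible
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue
    if ($drv) { $state.ClientDriver = $drv.State }
    return [pscustomobject]$state
}

function Disable-Smb1 {
    # Stop the server from negotiating SMB1 dialects (8 / 2012 and later)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Same effect via the registry for older hosts; takes effect after a reboot
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    # Remove the whole SMB1 package (client and server) where it is a feature
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

Write-Host 'SMBv1 state before:'
Get-Smb1State | Format-List
if ($Disable) {
    Disable-Smb1
    Write-Host 'SMBv1 state after (reboot required for the feature removal):'
    Get-Smb1State | Format-List
}
```

Run the audit first across your fleet: anything that only speaks SMB1 (old NAS boxes, printers, Windows XP hosts) will lose file-share access once the server side is disabled, so those devices need replacing or isolating rather than keeping SMBv1 alive for them.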
If you would like to read more, we recommend the following resources (this list keeps updating, so come back to check it out later):
- An advisory from the Luxembourg CERT
- WannaCrypt fact sheet
- Technical Analysis by ENDGAME
- Do not pay the ransom: the Check Point research team says that the files will not be decrypted.
- SANS Institute - presentation for management
- SANS Institute - Friday Webcast with technical details
- Reposify has a mapping of all the vulnerable devices on the internet; you can check whether you are on it!