WANT TO CRY
On May 12 the Government and Antivirus Companies began tracking a new ransomware variant that spread rapidly throughout the day. It is a highly virulent strain of a self-replicating ransomware that has impacted many large and small organizations. It is especially notable for its multi-language ransom demands that support more than two-dozen languages.
This ransomware is being referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. It was leaked online last month by the hacker group known as The Shadow Brokers.
Affected Microsoft products include:
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
- Windows 8.1
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT 8.1
- Windows 10
- Windows Server 2016
- Windows Server Core installation option
Microsoft released a critical patch for this vulnerability in March in Microsoft Security Bulletin MS17-010. That same month, Some Firewalls also released a patch to detect and block this vulnerability. Details about IPS and AV signatures are included at the end of this message.
- We strongly advise all customers take the following steps:
- Apply the patch published by Microsoft on all affected nodes of the network.
- Engage an Email filtering service to scan all email before it gets to your server!
- Ensure that you firewall AV and IPS inspections as well as web filtering engines are turned on to prevent the malware from being downloaded, and to ensure that web filtering is blocking communications back to the command and control servers.
- Isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
We also recommend that users and organizations take the following preventive measures:
- Establish a regular routine for patching operating systems, software, and firmware on all devices. For larger organizations with lots of deployed devices, consider adopting a centralized patch management system.
- Deploy IPS, AV, and Web Filtering technologies, and keep them updated.
- Back up data regularly. Verify the integrity of those backups, encrypt them, and test the restoration process to ensure it is working properly.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Schedule your anti-virus and anti-malware programs to automatically conduct regular scans.
- Disable macro scripts in files transmitted via email. Consider using a tool like Office Viewer to open attached Microsoft Office files rather than the Office suite of applications.
- Establish a business continuity and incident response strategy and conduct regular vulnerability assessments.
The security of our customers’ systems is of paramount importance to ulltium. We are actively monitoring the situation to respond to any new malicious behavior and will reach out immediately if new developments are discovered.