There has been a very aggressive global ransomware attack over the last 72 hours. The initial variant of the “WannaCry” malware exploits a vulnerability in the SMB (Server Message Block, one of the fundamental Windows domain technologies) protocol that is present in many Microsoft OSs and is patched by MS17-010. Microsoft issued a patch for this vulnerability in March 2017, and information on the patch for supported OSs can be found here.
This malware is self-replicating: once present on a network, it spreads to other vulnerable hosts on its own. The risk presented by this vulnerability is so high that Microsoft has released patches for out-of-support OSs (Server 2003, XP, etc.) via general release. Patches for older unsupported OSs can be found here.
Here are some immediate mitigations we can recommend, though they won’t help with machines already compromised:
1. Apply patches for MS17-010 where possible
2. Disable SMB v1 where supported
3. Ensure that TCP/445 and TCP/3389 are blocked at the perimeter firewall so they are not reachable from the internet
4. Apply group policy settings that use Windows Firewall to prevent endpoints (not servers) from communicating with each other over TCP/445
5. Update endpoint AV engines and DAT files
6. Isolate or remove systems running Windows NT, XP, 2000, and 2003 from the rest of the network.
7. Ensure that any VM running an affected Microsoft OS is included in the mitigation efforts described above. If mitigation is not possible for these systems, consider shutting them down until appropriate controls can be identified and implemented.
8. Consider blocking email attachments, especially zipped and/or encrypted attachments, at least until other remediation options are in place. Be especially vigilant in not opening attachments from anyone unless they are absolutely trusted.
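As an added example, not part of the original advisory, the following PowerShell applies the host-level equivalent of steps 1, 2 and 4 on a single Windows workstation. It assumes an elevated session on Windows 8/Server 2012 or later for the SMB cmdlets (with a registry fallback for older hosts), and that the KB list is checked against the MS17-010 bulletin for the OS in question.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): local audit/remediation for
# steps 1, 2 and 4 of the mitigation list. Intended for workstations, not
# file servers or domain controllers, because it blocks inbound SMB entirely.

# Step 1: check whether an MS17-010 update is installed. KB4012212
# (Win7/2008 R2 security-only) and KB4012598 (XP/2003/Vista/2008) are two of
# the bulletin's KB numbers; add the one that applies to the local OS build.
$Ms17010Kbs = @('KB4012212', 'KB4012598')
$installed  = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update from the list found; patch this host.'
}

# Step 2: disable SMBv1 on the server side, the protocol the worm exploits.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Registry fallback for hosts without the SmbShare module; takes effect
    # after the LanmanServer service restarts or the host reboots.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# Step 4 (per-host equivalent of the GPO): block inbound TCP/445 in Windows
# Firewall so a compromised peer cannot reach this host's SMB service.
$ruleName = 'Block inbound SMB TCP 445 (WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Domain,Private,Public | Out-Null
}

# Report the end state so the result can be collected from each host.
[pscustomobject]@{
    SMB1Enabled    = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    Port445Blocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```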
The initial “WannaCry” attack was muted through the discovery and registration of a “kill switch” web site address in the malware. While that particular variant has been largely rendered ineffective, we expect variants without the kill switch in short order. Without taking mitigation steps, this still presents a critical risk to unpatched systems and networks.
If you have not been affected and need further assistance, you can contact Microsoft support, your security support vendor, or your Sirius Client Executive for help coordinating your response.