NOTICE: Windows users need to be notified ASAP of a new ransomware strain, WannaCry, and should take immediate measures to patch their systems. For more details on the ransomware infection and the patch update, see the Microsoft Security Bulletin.
On Friday, May 12th, 2017, a new strain of ransomware, known as “WannaCry”, began spreading like wildfire and impacted a large number of organizations throughout the world. This ransomware has already encrypted the files of an estimated 200,000 computers, including those of the U.K.’s National Health Service (NHS), Telefonica in Spain, and FedEx in the United States. Over the weekend, at least two new variations of the malware were detected.
– For an animated map of the ransomware infection spreading throughout the world, see the New York Times post.
The malware scans for TCP port 445 and then spreads as a worm to compromise unpatched hosts on the network. It encrypts your files and demands a ransom payment in Bitcoin, ranging from $300 to $600. It is important to note that this is not simply a threat that scans internal ranges to identify where to spread: it is also capable of spreading by finding vulnerable hosts that are exposed to the internet.
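Because the worm component announces itself by touching TCP/445 on many hosts in a short time, a simple detection is to count distinct 445 targets per source in firewall or flow logs. The following is an added example, not code from the original post or from NetServe365; the log format and the sample lines are constructed for illustration, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag hosts showing WannaCry-style worm scanning: many distinct TCP/445
connection attempts from a single source inside a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/flow log lines (not from any real capture).
# Fields: timestamp, src_ip, dst_ip, dst_port, action
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.21 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445 deny
2017-05-12T10:00:03 10.0.0.5 10.0.0.23 445 deny
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445 deny
2017-05-12T10:00:04 10.0.0.5 10.0.0.25 445 deny
2017-05-12T10:00:04 10.0.0.5 10.0.0.26 445 deny
2017-05-12T10:00:05 10.0.0.5 10.0.0.27 445 deny
2017-05-12T10:00:05 10.0.0.5 10.0.0.28 445 deny
2017-05-12T10:00:06 10.0.0.5 10.0.0.29 445 deny
2017-05-12T10:00:07 10.0.0.5 10.0.0.30 445 deny
2017-05-12T10:00:10 10.0.0.8 10.0.0.50 445 allow
2017-05-12T10:00:11 10.0.0.8 10.0.0.50 445 allow
2017-05-12T10:00:12 10.0.0.9 10.0.0.60 443 allow
2017-05-12T10:05:00 10.0.0.5 10.0.0.31 445 deny
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_scanners(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_target_count} for every source that contacted
    at least `threshold` distinct hosts on TCP/445 within any span of length
    `window`. Both parameters are assumed defaults, not values from the post."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == 445:  # only SMB traffic matters for this detection
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological order so the window slides forward
        for i, (start, _) in enumerate(hits):
            # Distinct destinations reached within `window` of this start event.
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm activity from {src}: {count} distinct hosts on 445")
```

On the constructed sample, 10.0.0.5 is reported (11 distinct hosts in under a minute), while 10.0.0.8 (repeated connections to one file server) and 10.0.0.9 (port 443) are not. In production, whitelist legitimate broad SMB talkers such as domain controllers, backup servers and authorized vulnerability scanners, since they will exceed any sensible threshold by design.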
Cisco Talos Intelligence has observed WannaCry samples that use DOUBLEPULSAR. This is a backdoor that is generally used to access and execute code on previously compromised systems, which allows for the installation of additional malware. The backdoor is installed after the exploitation of SMB vulnerabilities. It is associated with an offensive exploitation framework that was released as part of the Shadow Brokers NSA cache in April.
WannaCry primarily utilizes the ETERNALBLUE module and the DOUBLEPULSAR backdoor. The malware will first use ETERNALBLUE for the initial exploitation of the vulnerability. If successful, it will then implant the DOUBLEPULSAR backdoor and install the malware. If the exploit fails, the malware will still leverage this backdoor to install the ransomware payload.
Microsoft Fix – MS17-010
Organizations should ensure that devices running Windows are fully patched with MS17-010. All currently supported Windows client and server versions are exploitable. This ransomware does not affect Windows 10, but you should still be extremely suspicious of all emails you receive, particularly those that ask the recipient to open attached documents or click on web links. Microsoft even published patches for Windows XP, Windows 8 and Windows Server 2003, which have been retired from support for as long as 3 years now. Microsoft has never before issued security updates for software as long retired from support as these systems. Unfortunately, these legacy systems are used by smaller companies with smaller staffs, and they were likely not protected before Microsoft’s patch began rolling out. Take action now to secure your systems before an infection can occur.
NetServe365 Security Prevention and Detection
For the NetServe365 clients who are invested in our security services, our team has been working to protect your systems from the WannaCry malware. Below is a list of preventive actions we have taken to make sure that your systems stay secure.
NetServe365 had already pushed out patches to protect end-user machines against this malware in both the March and April patch releases.
Anti-Virus (AV) Protection
NetServe365 has already deployed signatures blocking WannaCry in our hosted AV solution.
Unified Security Management
There have been detection methods in place to combat the MS17-010 vulnerability since April 18th, 2017. Our team is diligently monitoring your systems to make sure that vulnerabilities are detected and protected against this malware before they can be used to infect your systems.
The Talos group is detecting this malware with multiple approaches. If you are using the FirePOWER Intrusion Prevention System (IPS), a signature is already blocking exploitation of this vulnerability. Domain Name Service (DNS) scanning is blocking connections to any of the Command and Control URLs. IP reputation filtering is also blocking known associated IPs. If you also use the Advanced Malware Protection (AMP) license, it is already blocking the malware files based on their hash values.
If you are unsure whether your network is vulnerable to WannaCry, NetServe365 can scan your internal and external networks to determine its status.
Forcepoint and Cisco URL Filtering
Products were updated within the first few hours of the malware attack and are already blocking any possible URL transactions.
If you do not have these products and are unable to patch MS17-010, you MUST disable SMB and close port TCP/445 on affected systems.
Please note that this threat is still under active investigation and the situation may change as more information is learned. NetServe365 will actively monitor and analyze this situation for new developments and respond accordingly.