We are sufficiently concerned about the massive impact of the newly released ransomware, WannaCrypt, to send a warning notice to our newsletter recipients. Please take note!
The WannaCrypt ransomware worm, aka WanaCrypt, Wannacry or Wcry, exploded across 74 countries on Friday, infecting numerous hospitals, businesses, universities, telcos and other organisations.
WannaCrypt exploits a Windows vulnerability patched in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Symantec, Sophos and many other vendors are already protecting customers from the threat, which is now detected as Troj/Ransom-EMG, Mal/Wanna-A, Troj/Wanna-C, and Troj/Wanna-D.
We recommend you ensure you have the latest updated version of your antivirus software installed on your systems. Please also take note of some further recommendations from our team, including:
- Update antivirus definitions ASAP.
- Disable any SMB access until patched (at least any exposed to the internet).
- Install the patches from March (and all more recent ones).
- Avoid clicking on external links within emails, Lync, Skype etc. for the next few weeks. Be vigilant.
- Trigger full system scans for the entire infrastructure.
- Remove antivirus exclusions on the email gateway.
- On all Windows XP machines, disable file and printer sharing (SMB), as there will be no patch. Once done, change the antivirus configuration to be more restrictive for network sharing before restoring SMB.
Lastly, there is a claim in the Guardian, as of 2am UK time Saturday, that a kill switch option has been found to stop the spread of this ransomware. This is good news but may only provide a very short-term solution to this problem. We would encourage our customers to take on the above advice where appropriate.
As we get further intelligence on attack vectors and examples we will share them via our blog on our home page – www.kaonsecurity.co.nz