MCNC Security Advisory 2017.001

WannaCry Ransomware Attacks

General Information

Executive Summary

On Friday, May 12, 2017, details began to emerge about a significant new ransomware attack.  The new attack uses a vulnerability in Microsoft Windows systems to spread quickly.  Hundreds of thousands of systems across the globe (mainly in Europe) were impacted by the new ransomware variant known as “WannaCry”.

As is typical of most ransomware, the malicious software encrypted files on infected computers and prompted users to pay a ransom (via bitcoin) to regain access to their files.  This new attack was significant because of how fast it spread and the number of computers that it infected in a relatively short time.

MCNC is releasing this advisory to constituents to ensure they have the latest information and suggest actions that they can undertake to protect themselves.

Advisory Details

Details of the Issue

The WannaCry malware exploits a vulnerability in the Microsoft Server Message Block (SMB) v1.0 protocol.  This is the protocol that facilitates Windows file sharing and impacts all versions of Microsoft Windows server and workstation Operating Systems.  Once a Windows system is infected with the malware, it will encrypt local files and demand payment in order to return the files to the users. 

It will also attempt to locate all other Windows systems on the same network and infect them using the same Windows file sharing vulnerability.  User interaction is not required.  If your Windows system is vulnerable, it can be infected by simply being on the same network as a system that is already compromised. 

Microsoft released a critical security update (MS17-010) to address the vulnerability in March of 2017.  Systems that have installed this security update are not impacted by the WannaCry malware.

Suggested Actions

The information below provides a list of some actions that you should consider in order to protect your systems and networks.  This list is not comprehensive and there may be other actions that you choose to take.

Install the MS17-010 Critical Security Update

The WannaCry malware exploits the SMB vulnerability addressed by the MS17-010 security update. The most important step you can take to protect your systems is to install this security update (and all other relevant security updates).

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Note that Microsoft also released a security update to address this issue on the Windows XP Operating System, even though Windows XP is no longer officially supported.  If you still utilize Windows XP, you should install this security update and accelerate plans to migrate to a supported Operating System to obtain future security updates.

Block Inbound SMB Traffic From Untrusted Networks

Block network traffic on TCP ports 139 and 445 coming from untrusted networks.  Note that this will not prevent infected hosts already on your network from trying to propagate the malware, but it will prevent infected hosts from outside your network from being able to infect hosts on your network.
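The advisory's port-blocking action is a perimeter control, but the same rule can be audited and enforced on each Windows host. The following PowerShell is an added example written for this advisory, not MCNC's or Microsoft's own script; it assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session. It first lists every enabled inbound Allow rule that exposes TCP 139 or 445 together with the remote-address scope of that rule, then adds a Block rule for the Public firewall profile, the host-level analogue of "untrusted networks". The rule display name is a constructed value.

```powershell
# Added example for MCNC Advisory 2017.001; not part of the advisory itself.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session.
#Requires -RunAsAdministrator

$SmbPorts = @('139', '445')

# Audit: enabled inbound ALLOW rules that expose TCP 139/445, with the
# remote-address scope of each, so rules reachable from "Any" address stand out.
function Get-SmbExposingRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $ports = @($port.LocalPort)
        $hitsSmb = ($port.Protocol -in 'TCP', 'Any') -and
                   (($ports -contains 'Any') -or ($SmbPorts | Where-Object { $ports -contains $_ }))
        if ($hitsSmb) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = ($ports -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')   # 'Any' = open to every network
            }
        }
    }
}

# Mitigation: in Windows Firewall a Block rule takes precedence over any Allow
# rule, so this closes 139/445 inbound whenever the host sits on a network the
# OS classifies as Public. Idempotent: the rule is created only once.
function Block-InboundSmbOnPublic {
    $name = 'MCNC 2017.001 - Block inbound SMB (Public profile)'   # constructed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $SmbPorts -Profile Public | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

Get-SmbExposingRules | Format-Table -AutoSize
Block-InboundSmbOnPublic | Format-Table DisplayName, Enabled, Profile, Action -AutoSize
```

For the Domain and Private profiles, where file sharing is usually still needed, the equivalent step is to narrow the Allow rules the audit reports rather than block outright, for example `Set-NetFirewallRule -RemoteAddress LocalSubnet` on each rule that currently shows `Any`. As the advisory notes, none of this stops an already-infected host inside the same network from propagating; it limits exposure to hosts outside it.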

Block SMBv1 Traffic

SMB v1 is a legacy protocol that has been replaced by newer versions.  Configure Windows systems to utilize newer versions of the SMB protocol and disable support for SMB v1.
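Two of the actions above can be verified and applied from one script: confirming that the MS17-010 update is installed, and checking and disabling SMB v1 on the server and client side. The PowerShell below is an added example written for this advisory, not MCNC's or Microsoft's own tooling. It assumes an elevated session; the `Set-SmbServerConfiguration` and `Disable-WindowsOptionalFeature` paths need Windows 8.1 / Server 2012 R2 or later, while the fallback branch uses the registry value and `sc.exe` settings Microsoft documents for disabling SMB v1 on Windows 7 / Server 2008 R2. The MS17-010 update ships under a different KB article number for each operating system and the advisory does not list them, so the `$Ms17010Kbs` entries are placeholders to be replaced with the KB IDs from the bulletin linked in this advisory.

```powershell
# Added example for MCNC Advisory 2017.001; not part of the advisory itself.
# Assumes an elevated session. Newer-OS cmdlets are used where present; the
# fallback is the registry / sc.exe method Microsoft documents for Windows 7.
#Requires -RunAsAdministrator

# PLACEHOLDERS: MS17-010 is published as a different KB per OS. Replace these
# with the KB IDs listed in the MS17-010 bulletin for the systems you run.
$Ms17010Kbs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates by HotFixID. Caveat: on Windows 10 a later
    # cumulative update supersedes the original KB and hides it from this list, so
    # Patched = $false means "verify manually", not "definitely unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = ($found.Count -gt 0)
        MatchedKb    = ($found -join ',')
    }
}

function Get-Smb1Status {
    # Server side: does this host still offer the SMB1 dialect to clients?
    $serverSmb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else { 'unknown (cmdlet unavailable on this OS)' }
    # Client side: the SMB1 redirector is the kernel driver mrxsmb10, which
    # Get-Service does not list, so query it through WMI/CIM instead.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerSmb1Enabled = $serverSmb1
        ClientSmb1Driver  = if ($drv) { "$($drv.State) (start: $($drv.StartMode))" } else { 'not present' }
    }
}

function Disable-Smb1 {
    # Server side: stop offering SMB1. Takes effect immediately, no reboot needed.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        # Windows 8.1 / 10 / Server 2012 R2+: remove the SMB1 server and client entirely.
        if ($feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2 method documented by Microsoft (reboot required):
        # server: SMB1=0 under LanmanServer; client: drop mrxsmb10 from the
        # workstation service's dependencies and disable the driver.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    Get-Smb1Status
}

Test-Ms17010Installed | Format-Table -AutoSize
Get-Smb1Status        | Format-Table -AutoSize
# Disable-Smb1        # uncomment after confirming no legacy device (old NAS, printer, scanner) still needs SMB1
```

Run the two audit functions first across the fleet (for example through remoting) and review the results before calling `Disable-Smb1`: the most common breakage after disabling SMB v1 is a legacy storage or imaging device that speaks nothing newer, which is worth finding before, rather than after, the change.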

Ensure Your Systems Run Updated Anti-Malware Protection

Make sure that your systems run updated anti-malware software capable of detecting the WannaCry malware and preventing it from running on your system.

Utilize Web Content Filtering Software to Block Malicious Web Traffic

Utilize web content security services to detect and block web traffic associated with this malware, and to detect potentially compromised machines.  MCNC customers utilizing the Zscaler web content security service will benefit from these protections.

Note that these protections will not prevent an already infected system from spreading the malware within your network.  They will, however, prevent hosts from being infected via the web.

Additional Information

  1. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  2. https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/  
  3. https://isc.sans.edu/presentations/WannaCry.ppt
  4. http://blog.talosintelligence.com/2017/05/wannacry.html
  5. https://www.zscaler.com/blogs/research/wannacry-ransomware-what-you-need-know
  6. https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

Revisions

  • V1.0 (May 16, 2017):  Advisory published.