Data-Tech Protecting You From WannaCry

Data-Tech continues to work at protecting customers from the WannaCry ransomware attack – here’s what you need to know.

There is a new Ransomware out there, “WannaCry Ransomware” that uses an exploit in the Windows operating system. Microsoft fixed this exploit in March, so all up to date machines are secure. Sonicwall and Sophos have also updated their firewalls to prevent this intrusion as well.

A fast-spreading piece of ransomware called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) held computer systems hostage around the globe Friday. National Health Service hospitals (NHS) in the UK was hit hard, with its phone lines and IT systems being held hostage. From there, the attack spilled across the globe.

It encrypted victim’s files and changed the extensions to: .wnry, .wcry, .wncry and .wncrypt. It then presented a window to the user with a ransom demand:

Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers’ APT EternalBlue Exploit (CC-1353). It also uses strong encryption on files such as documents, images, and videos.

This was different from past ransomware attacks. Why?

There were some unique aspects to the WannaCry attack. Typical ransomware infections happen after the victim clicks on a malicious email attachment or link. In this attack the malware was able to exploit a remote code execution (RCE) vulnerability that allowed it to infect unpatched machines without users having to do anything.

Because of that, this was able to spread in the same rapid fashion as the worm outbreaks common a decade ago, such as Slammer and Conficker.

Specifically, WannaCry exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Organizations running older, no-longer-supporter versions of Windows were particularly hard hit. In fact, Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement:

We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

Is this over?

Unlikely. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. We also expect aftershocks Monday as employees at affected company’s who weren’t there Friday return to work and fire up their computers.

What is Data-Tech doing to protect customers?

Data-Tech continues to update protections against the threat. DT Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.

Is there anything I need to do?

You’ll want to ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks. As noted above, Microsoft has made the decision to make the Security Update for platforms in custom support only — Windows XP, Windows 8, and Windows Server 2003 — broadly available for download

How WannaCry ransomware works

Here’s a quick demo on how WannaCry (aka WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware works, and how Sophos Intercept X protects against it.

If you have any additional question please reach out to us at vms-team@datatechitp.com

 

 

 

 


Sophos guidance on WannaCry ransomware

Related Posts