The WannaCry Ransomware attack launched against organizations in over 74 countries worldwide. In this video, Chris Nyhuis, CEO of Vigilant Technology Solutions, discusses the attack with Intelisys’ SVP Cloud Transformation Andrew Pryfogle.
Learn more about what happened, how to talk about this vulnerability with your clients, and how to help them proactively get ahead of the threat.
More from the Vigilant Technology Solutions team:
WannaCry Ransomware Campaign
Since last Friday, Vigilant has been closely tracking a major Ransomware campaign called “WannaCry” launched against organizations in over 74 countries around the globe. First starting in Europe, the attack has now spread to U.S. based organizations of all sizes, in all industries.
NOTE: Before getting alarmed, it’s important to understand that many people are over-reacting to this event. Organizations who have 1.) visibility into their networks and 2.) a solid patching program are positioned well to defend against this specific campaign.
“This attack is consistent with many of the attacks we see every day. Bad guys are racing to exploit vulnerabilities before organizations can get them patched. With the visibility of CyberDNA we’re able to see these attempts immediately, before they become wide spread.”
–Ryan Stillions, Vigilant Head of Detection & Response Services
This specific attack spreads across a network by exploiting vulnerable versions of Windows Server Message Block (SMB). While Microsoft has recently released patches for six SMB vulnerabilities, many organizations have yet to deploy them.
Once a victim system has been exploited, the WannaCry Ransomware encrypts files and prompts the user with a ransom message requesting $300 worth of bitcoin be paid to recover them.
For more information on the Windows SMB vulnerability, the WannaCry Ransomware campaign, as well as associated Indicators of Compromise, please see the following articles:
The Vigilant Hunt Team is actively monitoring the situation.
All Vigilant CyberDNA customers have detection in place for exploitation attempts against the Windows SMB vulnerability, as well as network detection for the WannaCry Ransomware.
All Vigilant Managed Endpoint Protection customers are being deployed a custom emergency definition for all currently known variants of Ransom-WannaCry, and will continue to receive additional prevention signatures immediately as they are available.
Please keep in mind this is an ongoing campaign and we are updating our detection capabilities in real time, as well as keeping a close eye on customer networks as this event unfolds.
Recommended Courses of Action:
We suggest all customers implement the following Recommended Courses of Action at their soonest convenience.
- Review all Windows systems to ensure they have received the “Security Update for Microsoft Windows SMB Server (4013389)”, reference Critical Microsoft Security Bulletin MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx published on March 14th, 2017.
- Any public-facing Windows system with Server Message Block exposed to the internet should be immediately patched, or taken offline from public access.
- As a best practice, SMB (ports 139, 445) should not be exposed publicly, and should be blocked from all externally accessible hosts.
- All internal Windows systems should be patched immediately to avoid internal lateral spreading of the WannaCry Ransomware.
- Perform an update to your endpoint protection / antivirus software definitions immediately.
- Ensure users are instructed to leave systems powered on so they can receive patches and definition updates.
- Ensure critical user files and data are backed up appropriately and your organizations restore procedures are tested and communicated.
- Brief your Help Desk personnel to be on heightened alert for any inbound calls regarding Ransomware pop-ups, and to review their response plans accordingly.
- Notify Vigilant of any reported cases of WannaCry Ransomware in your organization.