WannaCry Ransomware Attack and Helpful Resources
Here is some helpful information for you and your team about the ‘WannaCry’ ransomware attack that occurred over the weekend. Hundreds of thousands of machines globally were infected in a short period of time. Many of our customers are asking what they can do now to protect their business. Having the right technology in place is key, and we also recommend the basic computer hygiene tips below.
Check out the blog post from Dan Powers, Sr. SW Engineer Team Lead, who discusses basic hygiene and what some of our customers running BigFix experienced – https://www.linkedin.com/pulse/massive-cyber-attack-targeting-99-countries-causes-sweeping-powers
If you have any questions or need assistance, please call your Champion Client Manager, or call 800-771-7000 or email [email protected].
What is WannaCry?
WannaCry is ransomware that encrypts all the files on an infected computer and demands that the computer’s administrator pay in order to regain control of them. The ransomware spreads by exploiting a Windows vulnerability for which Microsoft released a security patch in March; computers and networks that had not applied the update were still at risk.
Hospitals, government offices, major companies such as FedEx, universities, retailers, and many other businesses were targeted. While all industries are a target for ransomware, this article discusses why 4 industries are frequently attacked: https://www.zdnet.com/article/ransomware-these-four-industries-are-the-most-frequently-attacked/
A couple of our partners have webinars that you and / or your team may be interested in attending:
– On Demand Now – IBM Webinar: WannaCry Ransomware Attack – What to do Now
– May 18, 2017 – Carbon Black Webinar: Stopping the Next WannaCry
These videos show how to detect and stop ransomware with QRadar and BigFix:
QRadar stopping Ransomware in its tracks – Part 1 https://youtu.be/ENYbSiUsfaE
QRadar stopping Ransomware in its tracks – Part 2 https://youtu.be/mpykyoWlnGI
QRadar stopping Ransomware in its tracks – Part 3 https://youtu.be/CVlBI6SnpgI
These videos show how to detect ransomware with QRadar’s QNI and BigFix:
QRadar and BigFix Stop Ransomware Autofast – Part 1 https://youtu.be/P90e4iEJ32s
QRadar and BigFix Stop Ransomware (Custom Action) – Part 2 https://youtu.be/sJOovKKX_SM
QRadar and BigFix Stop Ransomware (Custom Action) – Part 3 https://youtu.be/-hGsYEDBbi8
QRadar and BigFix Stop Ransomware (Custom Action) – Part 4 https://youtu.be/k0fKj4jAFXs
KnowBe4 – Train employees on recognizing spear phishing emails
Free Phishing Security test
Alert Logic has identified the attack methods used by WannaCry and has begun testing Alert Logic assessment and detection methods against them.
WannaCry Ransomware Guidelines to stay safe:
• Be careful: do not click on links in e-mails if you do not know the sender.
• Be wary of visiting unsafe or unreliable sites.
• Never click on a link you do not trust, whether on a web page, on Facebook, or in messaging applications such as WhatsApp.
• If you receive a message from a friend containing a link, confirm with them before opening it (infected machines send random messages with links).
• Keep your files backed up regularly and periodically.
• Be aware of fraudulent e-mail messages that use names resembling popular services (a look-alike spelling of PayPal, for example) or that use popular service names with punctuation removed or extra characters added.
• Use anti-virus software and always make sure you have the latest update.
• Make sure Windows has the latest updates installed to close the vulnerability.
Prescription for the Victim of WannaCry:
1. Block communication to the WCry command-and-control servers to stop infection and propagation across your environment. IBM XGS can help with blocking suspicious IP addresses and ports. You can see a list of suspicious IPs, hashes and ports at https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729. Ports 22, 23, 3389, TCP 139 & 145/UDP 137 & 138, and 9001 have been seen in use by WCry.
2. Apply the patch (MS17-010) to ALL of your Windows machines. This patch fixes the file-sharing (SMB) vulnerability that WannaCry exploits to spread. If you still have a few Windows XP machines, good news! Today, Microsoft took the unusual step of releasing security updates to address the flaw in the unsupported Windows XP, Windows 8, and Windows Server 2003. You can find this patch at: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ And, for the love of whatever you hold dear, upgrade those old machines!
3. Disable the outdated SMBv1 protocol and isolate/quarantine your unpatched systems. Endpoint management tools such as BigFix can both deploy the patch and quarantine machines that remain exposed to the Microsoft file-sharing vulnerability. Consider testing BigFix Detect, a behavior-based endpoint detection tool built to detect just these types of malicious attacks.
4. Implement a robust data backup process that safeguards any data considered valuable or critical to the organization. Data backups must be stored offline—disconnected from the network—and tested regularly to confirm their integrity. Back up your data regularly!
5. If you have already been infected by WannaCry, check the Crypto Sheriff page at nomoreransom.org, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.
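Step 3 above in practice, as an added example that is not part of the original advisory: a PowerShell script that reports whether SMBv1 is enabled on a Windows host and, when run with -Disable, turns it off on both the server and client side. The Smb* cmdlets, DISM feature name, and registry/service settings are Microsoft's documented ones; the script layout, its function names, and the -Disable switch are assumptions of this example.

```powershell
# Added example: audit and disable SMBv1 (the protocol WannaCry exploits to spread).
# Run from an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later; the
# registry and sc.exe steps also apply to Windows 7 / Server 2008 R2.
#Requires -RunAsAdministrator
param(
    [switch]$Disable   # without this switch the script only reports SMBv1 state
)

$srvParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $state = [ordered]@{}
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state['ServerSmb1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Registry value SMB1: 0 = disabled; absent means the platform default (enabled).
    $reg = Get-ItemProperty -Path $srvParams -Name SMB1 -ErrorAction SilentlyContinue
    $state['RegistrySMB1'] = if ($null -eq $reg) { 'not set (default: enabled)' } else { $reg.SMB1 }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $state['OptionalFeature'] = $feature.State }
    # MRxSmb10 is the SMBv1 client redirector driver; Start = 4 means disabled.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb10' -Name Start -ErrorAction SilentlyContinue
    if ($drv) { $state['ClientDriverStart'] = $drv.Start }
    return [pscustomobject]$state
}

function Disable-Smb1 {
    # Server side: the cmdlet where available, the registry value otherwise.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $srvParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMBv1 redirector from the workstation dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Remove the optional feature entirely where the platform supports it.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

Write-Host 'SMBv1 state before:'; Get-Smb1State | Format-List
if ($Disable) {
    Disable-Smb1
    Write-Host 'SMBv1 state after (reboot required for driver and registry changes):'
    Get-Smb1State | Format-List
}
```

Run the script once without -Disable across a test group to inventory hosts still exposing SMBv1, then with -Disable after confirming nothing in that group (legacy NAS devices, old multifunction printers) depends on the protocol.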