
20 Actions Against the WannaCry Malware Outbreak

12 Jul 2025

WannaCry exploits a vulnerability in the Microsoft Windows file-sharing (SMB) implementation, addressed by security bulletin MS17-010 (CVE-2017-0143 through CVE-2017-0148). Although the initial spread occurred via email, the malware can propagate not only through email but also laterally, from infected systems to other hosts over SMB.

This malware began spreading on Friday, May 12, 2017, and kept cybersecurity researchers busy throughout the weekend, encrypting files on infected computers and demanding ransom.

It is reported that the exploit used by the malware was first found in the NSA’s cyber arsenal under the codename “Equation Group ETERNALBLUE” and was later leaked by a group calling itself the Shadow Brokers. Microsoft had released a security update addressing the vulnerability in March 2017.

Once the malware runs, it follows these steps:

– It checks a kill-switch address before spreading. If the kill switch has not been triggered by the attacker, it continues.

– Deletes shadow copies and restore points.

– Registers itself using seemingly innocent names like tasksche.exe and mssecsvc.exe.

– Scans the disk and gains full access to all files.

– Encrypts over 100 file types.

– Starts a Tor client and connects to its command and control (C&C) server over the Tor anonymity network.

– Displays warnings on the screen about the encrypted files and demands ransom.

Labris UTM products have implemented the necessary protections against this malware via their anti-malware, IPS, and web filtering modules.

We recommend the following steps for IT departments to counter this malware:

Short-Term Measures:

1- If possible, disable SMB access (TCP 139 and 445) between computers on the internal network, for example with ACLs on core and edge switches. Keep in mind that this configuration will also block file sharing via network shares.

2- Ensure that your email and web filtering systems are using updated protection databases. If possible, rescan emails received over the weekend.

3- Make sure your antivirus and endpoint security systems are up-to-date. Restrict internet access via policy for machines with outdated virus databases.

4- Ensure all Windows systems have the latest updates installed. Disconnect and stop using unlicensed systems that cannot receive updates.

MS17-010 updates for specific OS versions can be found here:
http://imgur.com/gallery/Hl9Kt
Microsoft’s official page:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

5- Disable SMBv1 on your computers.

Instructions for disabling SMBv1 are available at:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

More detailed guidance:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

6- Block TCP 139 and 445 and UDP 137-138 in both directions (inbound and outbound) at the network gateway. These ports should not be open in secure environments, and their hardening can be handled through a SOC (Security Operations Center).
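An added example covering steps 4 to 6 on a single Windows host (not part of the Labris article): it audits and disables SMBv1, checks whether an MS17-010 hotfix is installed, and blocks the SMB/NetBIOS ports at the host firewall. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later; the KB list is my own, taken from the MS17-010 bulletin, and should be confirmed against the Microsoft page linked above for your exact build.

```powershell
# Added example, not from the Labris article. Run elevated on Windows 8.1 /
# Server 2012 R2 or later (SmbShare and NetSecurity modules are assumed present).
#Requires -RunAsAdministrator

# 1. Server-side SMBv1 status: this is the surface that MS17-010 / ETERNALBLUE abuses.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED; disabling it"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 server protocol already disabled"
}

# 2. Remove the SMB1 optional feature (client and server components) entirely.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Output "SMB1Protocol feature disabled; a reboot completes the removal"
}

# 3. Look for an MS17-010 hotfix. Assumed KB list (Win7/2008 R2, 8.1/2012 R2,
# 2012, and Win10 1507/1511/1607 from the bulletin); later cumulative updates
# supersede these, so an empty result on Windows 10 means "check the CU level".
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("MS17-010 hotfix present: " + ($installed.HotFixID -join ', '))
} else {
    Write-Warning "No MS17-010 hotfix found; verify the cumulative update level"
}

# 4. Belt-and-braces: block inbound SMB and NetBIOS at the host firewall
# (mirrors step 6, which blocks the same ports at the gateway).
New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010)' -Direction Inbound `
    -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (MS17-010)' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any
```

Step 4 of the script will also block legitimate file sharing to this host, exactly as step 1 of the article warns for the switch ACLs.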

7- Inform end users about malicious email spread and ask them not to open unexpected messages.

8- Check your backups. Complete missing backups for critical systems.

9- Isolate from the network any systems flagged as infected by gateway security or central antivirus systems.

10- Inform EGM Cyber Crime Units about infected systems and follow their guidance.

11- If you have a sample of the malware, share it with
security@labrisnetworks.com,
ihbar@usom.gov.tr, and
virustotal.com

Medium to Long-Term Measures:

12- Strengthen your malicious email protection infrastructure.

13- Review your update policies. This vulnerability was patched two months before the outbreak.

14- Conduct regular scans with vulnerability assessment tools to ensure no systems are left unpatched.

15- Review your backup policies. Ensure that backups are not easily accessible on the network. Future ransomware variants may target backups too. See:
Labris SOC 2017 Cybersecurity Report

16- Enhance your users’ Cybersecurity Awareness. See:
GuvenliWeb

17- Review your incident response teams (CERT), Security Operations Center (SOC), and Business Continuity policies. After the event, analyze: “What did we do well? What went wrong?” Improve the good, stop the bad.

18- Plan network segmentation to isolate infections within smaller network zones.

19- Do not use legacy or unpatched operating systems.

20- Consider adopting Linux where appropriate.

Related Links:
https://www.usom.gov.tr/tehdit/209.html
https://www.us-cert.gov/ncas/alerts/TA17-132A
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://www.engadget.com/2017/04/15/microsoft-says-it-already-patched-several-shadow-brokers-nsa-l/
