WannaCry Ransomware Attack - Customer Advisory

A massive cyberattack has been spreading across the globe since Friday May 12th, hitting hundreds of thousands of computers and crippling major government and corporate operations. The malware is known as WannaCry. There have been widespread reports on Saturday that a security researcher had discovered a “kill switch” that stopped the ransomware from spreading, but that’s only partly true. The kill switch certainly slowed WannaCry down, but it only stopped some of the ways the malware could spread. Security researchers confirmed within hours that new versions of the malware had been detected which could not be stopped by the kill switch. Experts expect a new wave of infections as soon as Monday May 15th.

WannaCry is ransomware, a growing category of extremely heinous malware. Once it is activated on a machine, it encrypts the files on that machine so they are inaccessible. Then it instructs the owner to pay a ransom in Bitcoin in exchange for unlocking the files.

You can read more about WannaCry here:

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Microsoft customer guidance note for WannaCry attack:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 

Broadly speaking, WannaCry exploits vulnerabilities in older Windows operating systems, including Windows XP. Microsoft issued a patch for those systems on Friday, but that didn’t stop it from hitting more than 200,000 machines in 150 countries that included dozens of large institutions and companies, including the U.K.'s National Health Service, China’s National Petroleum Corporation, and Renault factories in France.

Accelerite’s Endpoint products – Radia & Sentient – provide everything you need to keep your endpoints safe. This KB article details those vulnerabilities, what bulletins are required for which OS versions and the steps that Radia admins need to take to ensure that their endpoints are secure from this high severity attack.

Radia - ways to help protect your organization?

WannaCry ransomware mainly exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Microsoft released a fix for this vulnerability on March 14th 2017, addressed in MS17-010. Although this patch was released, delays in applying this security update can leave your endpoints vulnerable.

The patch binaries for different flavors of Windows Operating systems are present mainly in the following three bulletins:

Windows 10, Win2K12, Win2K16:

For Windows 10 branches, Win2k12 and Win2k16, MS17-006 is the bulletin needed to ensure that this vulnerability is taken care of. If it was missed, please acquire the latest cumulative security updates for your respective Windows 10 branches, Win2k12 and Win2k16 versions and patch your endpoints immediately. You can find more details on MS17-006 here: https://technet.microsoft.com/en-us/library/security/ms17-006.aspx

Windows 7, 8.1, 2K8 R2:

For Win7, 8.1 and 2K8R2, where the patches are released cumulatively, acquire and apply the bulletin MS17-008. You can find more details on MS17-008 here: https://technet.microsoft.com/en-us/library/security/ms17-008.aspx

Win XPE, Win2K8, Vista:

For WinXP/XPE and Win2K8, acquire and apply the bulletin MS17-010. You can find more details on MS17-010 here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

WinXP:

For Windows XP, the KB article 4012598 is the fix for the WannaCry attack. Since the Wsusscn2.cab file no longer contains patches for Windows XP, Radia cannot patch XP endpoints. A link to download KB4012598 can be found at:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

You can validate the installation of the respective patches with the help of extensive Radia reports and confirm that all the endpoints are compliant and safe. The Radia team will always ensure that our customers’ infrastructure is in the most secure and compliant state.

Sentient - additional ways to help protect your organization?

Accelerite Sentient users have the added ability to detect key indicators in real time to assess the vulnerabilities and compliance status of your organization’s endpoints. The Sentient product is available for download at https://accelerite.com/products/sentient/. Sentient provides a comprehensive way for enterprises to spot any potential vulnerability which would put them at risk of a WannaCry ransomware attack, and to remediate the situation.

Detecting potential vulnerabilities and remediation

Security Patch Levels

The best way to stay safe is to ensure that all Microsoft Security Bulletins and critical patches have been installed. Sentient provides a convenient script to check for all relevant security bulletins (MS17-006, MS17-008 or MS17-010, depending on the actual OS version, covering all the KB articles they contain) across all your endpoints in a matter of seconds.

Remediation

Sentient provides a way to quickly remediate the situation by rolling out patches using your underlying operational tool e.g. Radia.

Detecting any potential attacks that might be imminent or underway

Sentient provides convenience scripts that will allow you to detect any indicators of compromise for this ransomware attack.

Services: Detect suspicious services like mssecsvc2.0, tasksche.exe and any other services with ImagePath mapped to tasksche.exe.

Registry Entries: Detect the following registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
  • HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
  • HKCU\Control Panel\Desktop\Wallpaper = “<malware working directory>\@WanaDecryptor@.bmp”

Rogue Files: Find files that are likely to be present in the event of a compromise:

  • By filenames: @Please_read_me@.txt, tasksche.exe
  • By file extensions: .wnry, .wcry, .wncry, .wncrypt
  • By file hash: Known and published SHA-1 hashes

Alerts: Be alerted when any of the above rogue files are detected – even on machines that are already patched!
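As an added example (not the Sentient convenience script referred to above, nor any Accelerite code), the following read-only PowerShell triage check looks for the service, registry and file indicators listed above on the local machine. The scan roots and the dotted form of the wncry/wncrypt extensions are assumptions; run it elevated so the HKLM services hive and all user profiles are readable.

```powershell
# Added example, not Accelerite's Sentient script: read-only triage for the
# WannaCry indicators in this advisory. $Roots is an assumption; widen it for
# a full-disk sweep at the cost of runtime. Exit code 1 = indicators found.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Services: the known names, or any service whose ImagePath points at tasksche.exe
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    $name  = $svc.PSChildName
    if ($name -in @('mssecsvc2.0', 'tasksche.exe') -or
        ($props.ImagePath -and $props.ImagePath -match 'tasksche\.exe')) {
        $Findings.Add("Service: $name ImagePath=$($props.ImagePath)")
    }
}

# 2. Registry: Run-key persistence under a random name, the WanaCrypt0r working
#    directory key, and the ransom wallpaper set for the current user
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'tasksche\.exe') {
            $Findings.Add("Run key: $($p.Name) = $($p.Value)")
        }
    }
}
if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
    $wd = (Get-ItemProperty 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
    $Findings.Add("WanaCrypt0r key present, wd=$wd")
}
$wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
if ($wall -match '@WanaDecryptor@\.bmp$') { $Findings.Add("Wallpaper: $wall") }

# 3. Rogue files: ransom note, dropper name, and encrypted-file extensions
$Roots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:windir")   # assumption
$names = @('@Please_read_me@.txt', 'tasksche.exe')
$exts  = @('.wnry', '.wcry', '.wncry', '.wncrypt')
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in $names -or $_.Extension.ToLower() -in $exts } |
    ForEach-Object { $Findings.Add("File: $($_.FullName)") }

# 4. Report: a non-zero exit code lets a scheduler or collector raise an alert,
#    which matters even on machines that are already patched
if ($Findings.Count -eq 0) { Write-Output 'No WannaCry indicators found'; exit 0 }
$Findings | ForEach-Object { Write-Warning $_ }
exit 1
```

The check deliberately reads and never deletes; any hit should be handed to incident response, since a found ransom note or .wncry file means encryption has already run on that host.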

This is a fast developing situation and we aim to keep posting updates here to provide the best protection for all our customers. Please watch this space.

If you have any more questions, please write to us at support@accelerite.com.


Comments

  • James Longo

    While it is true WinXP, and Win2K3 are outside of the wsusscn2.cab file and are no longer supported via Radia Patch Manager by default, Radia Patch Manager can still patch Windows XP, and 2K3 using custom bulletins.

    I am currently using Radia Patch Manager to patch WinXP and Win2K3 systems in my lab, and have been working with several Radia customers to patch these OSes via Radia Patch Manager. Evergreen fully supports all third-party patching and extended OS patching via Radia Patch Manager.

  • James Longo

    Over the past few days I have been investigating an anomaly regarding the Win7 security-only patch 4012212. Originally 4012212 and 4012215 were a part of MS17-006. This can be confirmed by looking in the MS17-006 bulletin if acquired before 3.28.17. Both Accelerite and Evergreen sent out patch Tuesday email alerts in March stating that MS17-006 was the security patch for Windows 7 and not MS17-008. Sometime on or after 3.28.17, and without any notification or explanation, 4012212 was removed from MS17-006 and put into MS17-008. There was no notification from Microsoft that a change to these bulletins was made either, which is highly unusual, especially given the importance of these patches.

    The original MS17-008 never contained 4012212 or several other kb numbers that are now present. It contains a single Win2k8 patch 3211306.

    When did Accelerite become aware of the changes made to MS17-006 and MS17-008? Can you explain why 4012212 was moved from MS17-006 to MS17-008 without any notification?

    Also, since MS17-006 still contains 4012215, it is still the security rollup for Win7 and not MS17-008 as stated in this article.


    Here is the original MS17-006 that everyone who acquired it before 3.28 is using.


    <Bulletin PopularitySeverityID="" Type="Security Updates" URL="http://support.microsoft.com/kb/4012217" FAQURL="http://support.microsoft.com/kb/4012217" Rating="Critical" MitigationSeverityID="" Win10ServiceBranches="1607 10240 1511" Vendor="MICROSOFT" Supported="Y" ImpactSeverityID="" SchemaVersion="1.0" PreReqSeverityID="" DateRevised="20170314" Source="MICROSOFT UPDATE" Name="MS17-006" Title="Windows Security Updates (KB4012217)" DatePosted="20170314">

    <Product Name="Windows 7 (MU)" FixedInRelease="0" Tag="bfe5b177-a086-47a0-b102-097e4fa1f807">
    <Releases> <Release Name="Windows 7 (MU)" Tag="bfe5b177-a086-47a0-b102-097e4fa1f807">
    <Patch ISODATE="2017-03-05T19:09:40Z" VerifyCmdline="" MUI="" PatchURL="http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows6.1-kb4012215-x86_ca09bf90bc45a0e3d97f6713c4cd34b6025b8f69.cab" Architecture="" Reboot="Y" InstallCmdline="" Language="" MSSUSName="993de1f9-91c7-4e61-b390-cf55218282ee" ZRSCSIG="ca09bf90bc45a0e3d97f6713c4cd34b6025b8f69" DatePostedPatch="20170312T11:31:56Z" Rating="Critical" SupercededByBulletin="" SupercededByMSPatch="" ZRSCCFIL="windows6.1-kb4012215-x86.cab" MSSecureName="" OSVersion="" ObjectType="winnt.mupatch" Title="March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)" QNumber="4012215" OSSuite="" OSType="" Superceded="N" ProbeCmdline="" SIGTYPE="SHA1" ZRSCSIZE="93274953" Platform="winnt" WIN10SBR="NA" UninstallCmdline="" >
    <PatchSignature />
    </Patch>
    <Patch ISODATE="2017-03-05T19:11:18Z" VerifyCmdline="" MUI="" PatchURL="http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows6.1-kb4012215-x64_32b4fea523b485612207169fd592ca42c21c34fa.cab" Architecture="x64" Reboot="Y" InstallCmdline="" Language="" MSSUSName="d0743521-3706-4f17-a674-c681618862e9" ZRSCSIG="32b4fea523b485612207169fd592ca42c21c34fa" DatePostedPatch="20170312T11:31:17Z" Rating="Critical" SupercededByBulletin="" SupercededByMSPatch="" ZRSCCFIL="windows6.1-kb4012215-x64.cab" MSSecureName="" OSVersion="" ObjectType="winnt.mupatch" Title="March, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4012215)" QNumber="4012215" OSSuite="" OSType="" Superceded="N" ProbeCmdline="" SIGTYPE="SHA1" ZRSCSIZE="152696291" Platform="winnt" WIN10SBR="NA" UninstallCmdline="" >
    <PatchSignature />
    </Patch>
    <Patch ISODATE="2017-02-22T08:31:05Z" VerifyCmdline="" MUI="" PatchURL="http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_d4db8d28cb9497a104aec4ee28091faee6c8bb2c.cab" Architecture="x64" Reboot="Y" InstallCmdline="" Language="" MSSUSName="eedd0885-556f-4030-9800-7709a8f62bc6" ZRSCSIG="d4db8d28cb9497a104aec4ee28091faee6c8bb2c" DatePostedPatch="20170312T11:30:07Z" Rating="Critical" SupercededByBulletin="" SupercededByMSPatch="" ZRSCCFIL="windows6.1-kb4012212-x64.cab" MSSecureName="" OSVersion="" ObjectType="winnt.mupatch" Title="March, 2017 Security Only Quality Update for Windows 7 for x64-based Systems (KB4012212)" QNumber="4012212" OSSuite="" OSType="" Superceded="N" ProbeCmdline="" SIGTYPE="SHA1" ZRSCSIZE="34693009" Platform="winnt" WIN10SBR="NA" UninstallCmdline="" >


    Edited by James Longo
  • Billy McGinnity

    Hi Jim
    I have been looking into this and currently can only confirm that MS17-006 changed on March 28th 2017, by looking at the
    April ms17-008.xml file, which shows that the KB4012212 patch was added/posted to MS17-008 with DatePostedPatch="20170328".
    At this moment I cannot explain why 4012212 was moved from MS17-006 to MS17-008 without any notification from Microsoft.

    For now, as per Microsoft's advisories, MS17-008 should be used for Windows 7 SP1 and Windows Server 2008 R2 SP1 to install KB4012212
    for remediation of CVE-2017-0075, CVE-2017-0076, CVE-2017-0097 and CVE-2017-0099.

    I will keep you updated as I look into this
