A massive cyberattack has been spreading across the globe since Friday May 12th, hitting hundreds of thousands of computers and crippling major government and corporate operations. The malware is known as WannaCry. There have been widespread reports on Saturday that a security researcher had discovered a “kill switch” that stopped the ransomware from spreading, but that’s only partly true. The kill switch certainly slowed WannaCry down, but it only stopped some of the ways the malware could spread. Security researchers confirmed within hours that new versions of the malware had been detected which could not be stopped by the kill switch. Experts expect a new wave of infections as soon as Monday May 15th.
WannaCry is ransomware, a growing category of extremely heinous malware. Once it is activated on a machine, it encrypts the files on that machine so they are inaccessible. It then instructs the owner to pay a ransom in Bitcoin in exchange for unlocking the files.
You can read more about WannaCry here:
Microsoft customer guidance note for WannaCry attack:
Broadly speaking, WannaCry exploits vulnerabilities in older Windows operating systems, including Windows XP. Microsoft issued a patch for those systems on Friday, but that didn’t stop it from hitting more than 200,000 machines in 150 countries that included dozens of large institutions and companies, including the U.K.'s National Health Service, China’s National Petroleum Corporation, and Renault factories in France.
Accelerite’s Endpoint products – Radia & Sentient – provide everything you need to keep your endpoints safe. This KB article details those vulnerabilities, what bulletins are required for which OS versions and the steps that Radia admins need to take to ensure that their endpoints are secure from this high severity attack.
Radia - ways to help protect your organization?
WannaCry ransomware mainly exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Microsoft released a fix for this vulnerability on March 14th 2017, addressed in MS17-010. Although the patch has been available since then, delays in applying this security update can leave your endpoints vulnerable.
The patch binaries for different flavors of Windows Operating systems are present mainly in the following three bulletins:
Windows 10, Win2K12, Win2K16:
For Windows 10 branches, Win2k12 and Win2k16, MS17-006 is the bulletin needed to ensure that this vulnerability is taken care of. If it was missed, please acquire the latest cumulative security updates for your respective Windows 10 branches, Win2k12 and Win2k16 versions and patch your endpoints immediately. You can find more details on MS17-006 here: https://technet.microsoft.com/en-us/library/security/ms17-006.aspx
Windows 7, 8.1, 2K8 R2:
For Win7, 8.1 and 2K8R2, where the patches are released cumulatively, acquire and apply the bulletin MS17-008. You can find more details on MS17-008 here: https://technet.microsoft.com/en-us/library/security/ms17-008.aspx
Win XPE, Win2K8, Vista:
For WinXP/XPE and Win2K8, acquire and apply the bulletin MS17-010. You can find more details on MS17-010 here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
For Windows XP, the KB article 4012598 is the fix for the WannaCry attack. Since the Wsusscn2.cab file no longer contains patches for Windows XP, Radia cannot patch XP endpoints. A link to download KB4012598 can be found at:
You can validate the installation of the respective patches with the help of extensive Radia reports and confirm that all the endpoints are compliant and safe. The Radia team will always ensure that our customers’ infrastructure is in the most secure and compliant state.
Sentient - additional ways to help protect your organization?
Accelerite Sentient users have the added ability to detect key indicators in real time to assess the vulnerability and compliance status of your organization’s endpoints. The Sentient product is available for download at https://accelerite.com/products/sentient/. Sentient provides a comprehensive way for enterprises to spot any potential vulnerability that would put them at risk of a WannaCry ransomware attack and to remediate the situation.
Detecting potential vulnerabilities and remediation
Security Patch Levels
The best way to stay safe is to ensure that all Microsoft Security Bulletins and critical patches have been installed. Sentient provides a convenient script to check for all relevant security bulletins (MS17-006, MS17-008 or MS17-010, depending on the actual OS version, covering all of the associated KB articles) across all your endpoints in a matter of seconds.
Sentient provides a way to quickly remediate the situation by rolling out patches using your underlying operational tool, such as Radia.
Detecting any potential attacks that might be imminent or underway
Sentient provides convenience scripts that will allow you to detect any indicators of compromise for this ransomware attack.
Services: Detect suspicious services like mssecsvc2.0, tasksche.exe and any other services with ImagePath mapped to tasksche.exe.
Registry Entries: Detect the following registry entries:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
- HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
- HKCU\Control Panel\Desktop\Wallpaper = “<malware working directory>\@WanaDecryptor@.bmp”
Rogue Files: Find files that are likely to be present in the event of a compromise:
- By filenames: @Please_read_me@.txt, tasksche.exe
- By file extensions: .wnry, .wcry, .wncry, .wncrypt
- By file hash: Known and published SHA-1 hashes
Alerts: Be alerted when any of the above rogue files are detected – even on machines that are already patched!
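As an added example (not part of this article and not one of the Sentient convenience scripts), the following read-only PowerShell check walks the indicators listed above, the suspicious services, the three registry values, the rogue file names and extensions, and reports any hits; it also confirms whether the KB named above for Windows XP is installed. The scan roots and the expected KB list are assumptions to adjust for your environment.

```powershell
# Added example: report-only WannaCry indicator check. Run from an elevated prompt.
$ScanRoots   = @("$env:SystemDrive\Users", "$env:ProgramData")   # assumption: where to look for rogue files
$ExpectedKBs = @('KB4012598')   # assumption: XP fix named in this article; use the KB(s) for your bulletin
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Services: mssecsvc2.0 by name, or any service whose ImagePath runs tasksche.exe
Get-WmiObject Win32_Service | ForEach-Object {
    if ($_.Name -eq 'mssecsvc2.0' -or $_.PathName -match 'tasksche\.exe') {
        $Findings.Add("Service: $($_.Name) -> $($_.PathName)")
    }
}

# 2. Registry: Run value pointing at tasksche.exe, the WanaCrypt0r key, the ransom wallpaper
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { "$($_.Value)" -match 'tasksche\.exe' } | ForEach-Object {
        $Findings.Add("Registry: Run\$($_.Name) = $($_.Value)")
    }
}
if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
    $wd = (Get-ItemProperty 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
    $Findings.Add("Registry: HKLM\SOFTWARE\WanaCrypt0r\wd = $wd")
}
$wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
if ($wall -match '@WanaDecryptor@\.bmp') { $Findings.Add("Registry: Wallpaper = $wall") }

# 3. Files: the names and extensions listed in this article (-contains is case-insensitive)
$Names = @('@Please_read_me@.txt', 'tasksche.exe', '@WanaDecryptor@.bmp')
$Exts  = @('.wnry', '.wcry', '.wncry', '.wncrypt')
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($Names -contains $_.Name) -or ($Exts -contains $_.Extension) } |
        ForEach-Object { $Findings.Add("File: $($_.FullName)") }
}

# 4. Patch level: flag any expected KB that Get-HotFix does not report as installed
foreach ($kb in $ExpectedKBs) {
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
        $Findings.Add("Patch: $kb not installed")
    }
}

if ($Findings.Count -eq 0) { 'No WannaCry indicators found' } else { $Findings }
```

A hit on the service or registry checks means the machine should be isolated from the network before any cleanup; a file-only hit on a patched machine still warrants the same alert the article describes.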
This is a fast developing situation and we aim to keep posting updates here to provide the best protection for all our customers. Please watch this space.
If you have any more questions, please write to us at firstname.lastname@example.org.