On Friday, May 12th, our digital lives were disrupted by the latest cyberattack, WannaCrypt (a.k.a. WannaCry). It was a reminder to every business and technology leader that security remains a paramount agenda item as they look to digitally transform their organizations. This new ransomware spreads like a worm: it first surfaced in the UK and Spain and then quickly spread globally, locking hospitals, businesses, governments and home users out of their data unless they paid a ransom in Bitcoin. The exploits used in the attack were drawn from those stolen from the National Security Agency (NSA) in the United States, which were publicly reported earlier this year.
This attack underlined the importance of running a well-secured infrastructure to protect against such zero-day exploit situations, even though the vulnerabilities leveraged here had been FIXED by Microsoft one month earlier: on March 14, Microsoft released a security update to patch this vulnerability and protect our customers. We understand that organizations need time to test their systems and applications before deploying the latest patches and updates; however, tools like System Center Configuration Manager (SCCM) and Microsoft Intune now provide the right solutions to manage this deployment lifecycle. Aboutxtreme offers fixed-cost consulting offerings for SCCM, EMS and Optimized Desktops to help you get started and optimized on these solutions quickly.
Generally, ransomware does not spread rapidly; it relies on social engineering techniques to target customers. In this unique case, however, the perpetrators used well-known public SMB exploits for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, released on March 14, 2017. The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems and does not affect Windows 10 operating systems.
If the connection to the domains succeeds, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops executing. If the connection fails, however, the threat proceeds to drop the ransomware and create a service on the system. In other words, unlike in most malware infections, IT administrators should NOT block these domains. Note that the malware is not proxy-aware, so a local DNS record may be required. This record does not need to point to the Internet; it can resolve to any accessible server that accepts connections on TCP port 80.
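As an added example (not from the original post, and not Microsoft's or Aboutxtreme's code), the following Python shows the defender's side of the behaviour described above: a sinkhole listener that accepts connections on the chosen port and records every client that connects (a host that reaches it was running the dropper, which is useful detection data), and a proxy-less reachability probe that resolves the name through the local resolver and opens a raw TCP connection, which is what an internal DNS record pointing at the sinkhole has to satisfy. The host name is a placeholder, since the real kill-switch domain is not named on this page.

```python
"""Kill-switch sinkhole and proxy-less reachability check (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder only: the real kill-switch domain is not named on this page.
KILL_SWITCH_HOST = "killswitch.example.invalid"


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answers any GET with 200 and records who connected."""

    hits = []  # (client_ip, request_path) tuples; in-memory for the example

    def do_GET(self):
        SinkholeHandler.hits.append((self.client_address[0], self.path))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep stdout quiet
        pass


def start_sinkhole(host="127.0.0.1", port=0):
    """Start the sinkhole in a background thread; return (server, bound port).

    Port 0 asks the OS for a free port; in production this would be TCP 80.
    """
    server = HTTPServer((host, port), SinkholeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def kill_switch_reachable(host, port=80, timeout=3.0):
    """Mimic the dropper's check: local DNS lookup plus a direct TCP connect.

    No proxy settings are consulted, matching the non-proxy-aware malware.
    Returns (reachable, detail).
    """
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return False, "dns-failed"
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            s.sendall(req.encode())
            status = s.recv(64).split()[1].decode(errors="replace")
            return True, f"connected:{addr}:{port}:http-{status}"
    except (OSError, IndexError) as exc:
        return False, f"connect-failed:{addr}:{port}:{exc.__class__.__name__}"
```

Run the sinkhole on the server your internal DNS record points to, then run the probe from a client without proxy settings; if it returns False, the dropper's check on that client would also fail.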
Aboutxtreme has created WannaCrypt: Health Check, our new fixed-cost services offering, to help professionals and organizations like yours better understand, protect. Contact our Business Development team today at firstname.lastname@example.org and we will be happy to discuss it in detail.
Stay Safe and Secure!