Today reports were flooding the internet about a large-scale ransomware campaign.
*** Update 2017-05-13: Microsoft has put together a detailed post about the matter, now that they have had the time to reverse the malware: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems
Microsoft has also released updates for Windows XP and Server 2003 that you can apply for the MS17-010 SMB vulnerability (KB4012598): http://www.catalog.update.microsoft.com/search.aspx?q=4012598
This time the attack had a massive impact on society: according to reports, multiple hospitals in the UK were taken out of business, with local files and network files encrypted.
The following picture from MalwareTech shows the infections, which have an extreme hit rate.
WannaCry infections (pic from malwaretech)
It’s using the NSA exploit leaked by the Shadow Brokers (EternalBlue), which uses a vulnerability in the SMB protocol to spread.
This means that unpatched systems are spreading this ransomware internally on the network.
The initial infection vector is still not clear, but most likely it’s a phishing campaign, and we can’t stress enough how important Security Awareness training is for your end users.
Mitigations (for this specific campaign)
- Office 365 ATP (Advanced Threat Protection)
Office 365 ATP
  - Protecting against unsafe attachments: all suspicious content goes through a real-time behavioral malware analysis that uses machine learning to evaluate the content for suspicious activity. Unsafe attachments are sandboxed in a detonation chamber before being sent to recipients.
  - Protecting your environment when users click malicious links: the URLs are examined in real time when a user clicks them.
Office 365 ATP URL scan
  - One benefit is the reporting, so administrators can track which users clicked a link.
  - For further information about Office 365 ATP please visit https://products.office.com/en-us/exchange/online-email-threat-protection
- Security Awareness
  - Most likely this started with an email (well, multiple emails), but I assume someone clicked on a link named "invoice" or something similar.
  - Security awareness is still very commonly overlooked by security teams and IT departments in general.
  - We can’t simply protect against every bad thing by technical means; we need to raise awareness among the end users.
  - Make sure to kick off a security awareness program. This could be seminars or intranet information.
- Make sure you have network segmentation to avoid spreading.
- Use a local firewall to block traffic: usually there is no need to have SMB open towards clients.
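The following PowerShell is an added example, not code from the original post: it blocks inbound SMB on a Windows client with the built-in firewall and then checks whether the MS17-010 update named above is installed. It assumes a Windows 8.1/10 or Server 2012+ host with the NetSecurity module and an elevated prompt; the KB list is an assumption (KB4012598 is the XP/Server 2003 package from the post, the second entry is a placeholder for the KB that matches your OS build).

```powershell
# Added example (not from the original post): block inbound SMB on a Windows client
# and check for the MS17-010 update. Run from an elevated PowerShell prompt.
# Assumes Windows 8.1/10 or Server 2012+ (NetSecurity module available).

#Requires -RunAsAdministrator

# Block inbound SMB (TCP 445) and NetBIOS session service (TCP 139) on all profiles.
# Clients normally only need to initiate SMB connections to servers, not accept them,
# so this stops the worm from spreading client-to-client without breaking file access.
$ports = @(445, 139)
foreach ($port in $ports) {
    $name = "Block inbound SMB TCP $port (WannaCry mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
                            -Direction Inbound `
                            -Protocol TCP `
                            -LocalPort $port `
                            -Action Block `
                            -Profile Any `
                            -Enabled True | Out-Null
        Write-Host "Created rule: $name"
    } else {
        Write-Host "Rule already present: $name"
    }
}

# Verify: list the port filters of the rules just created.
Get-NetFirewallRule -DisplayName "Block inbound SMB*" |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort

# Check for the MS17-010 update. KB4012598 is the XP/Server 2003 package from the post;
# the second entry is a placeholder you must replace with the KB for this OS build.
$ms17010Kbs = @('KB4012598', 'KB-PLACEHOLDER-FOR-THIS-OS-BUILD')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present:" ($installed.HotFixID -join ', ')
} else {
    Write-Warning "No MS17-010 update found (checked: $($ms17010Kbs -join ', ')). Patch this host."
}
```

The rule is inbound-only on purpose: an outbound block would cut users off from file servers, while an inbound block on workstations removes the path the worm uses to hop between them. On servers that must accept SMB, scope the same rule with -RemoteAddress to the subnets that legitimately need it instead of blocking outright.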
- Access to critical assets
  - Separation of duties
  - Users should only have access to what they need
  - Don’t set up a share where all users can read and write files from all departments
- Windows 10 Device Guard
  - Block untrusted code from executing. I bet this code wasn’t signed by a trusted certificate authority.
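Taking the Device Guard point further, here is an added PowerShell example (not from the original post) that builds a code integrity policy from a clean reference machine, deploys it in audit mode, and reads back the audit events so you can see which unsigned or untrusted binaries would have been blocked before switching to enforcement. It assumes Windows 10 Enterprise with the ConfigCI module and an elevated prompt; the C:\CIPolicy paths are placeholders.

```powershell
# Added example (not from the original post): Device Guard code integrity policy
# in audit mode. Assumes Windows 10 Enterprise (ConfigCI module) and an elevated prompt.

#Requires -RunAsAdministrator
Import-Module ConfigCI

$policyXml = 'C:\CIPolicy\InitialScan.xml'   # placeholder path
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'      # placeholder path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Scan the reference system and allow code by publisher certificate. Anything without a
# usable signature falls back to a per-file hash rule. -UserPEs includes user-mode
# executables, which is where a ransomware dropper would run.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -UserPEs

# Option 3 = "Enabled:Audit Mode": policy violations are logged instead of blocked,
# so you can find legitimate software the scan missed before enforcing.
Set-RuleOption -FilePath $policyXml -Option 3

# Convert to the binary form Windows consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Deploy locally (Group Policy or MDM can push the same .p7b fleet-wide) and reboot.
Copy-Item $policyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# After the test period, review what audit mode would have blocked. Event 3076 is the
# audit-mode "did not meet policy" event in the Code Integrity operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit log only shows binaries you actually want blocked, remove the audit option with Set-RuleOption -FilePath $policyXml -Option 3 -Delete, convert and deploy again, and the same policy becomes enforcing. Unsigned payloads such as the one the post describes then fail to load regardless of how the user was tricked into launching them.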