A piece of Microsoft Windows malware is now identified by anti-virus programs. The exploit it uses is codenamed EternalBlue.

Defending Your Organization Against the “WannaCry” Attack

Computer malware has quickly spread to more than 150 countries. Companies are at risk because of a Windows Operating System vulnerability in the SMB service listening on port 445. Leaving this Windows vulnerability unpatched can open the door to infection in a variety of ways. It affects all current and legacy versions of Windows operating systems. The risk is compounded because some companies are also forced to keep using older, unsupported Windows operating systems to address network compatibility issues, and have suspended patching on their network as a result.

Overview

Analysis indicates the attack, dubbed “WannaCry,” is initiated through an SMBv2 remote code execution vulnerability in Microsoft Windows. The exploit (codenamed “EternalBlue”) was made available on the internet through the Shadow Brokers dump on April 14, 2017. Microsoft had released a patch in advance of the Shadow Brokers’ action, on March 14. Unfortunately, it appears that many organizations have not yet installed the patch. It is important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the EternalBlue exploit and infected by the WannaCry ransomware, the absence of this vulnerability does not by itself prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak. It also quickly became apparent that as WannaCry spread to organizations running older, unsupported versions of Windows (such as Windows XP and Windows 8), they were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows. Microsoft took the unusual step of releasing a patch update yesterday.

Action Required

We continually advise our clients to patch their servers in a timely fashion and to conduct penetration tests and vulnerability assessments to identify system weaknesses, especially given the release by Shadow Brokers of NSA hacking tools within the last 90 days. This ransomware can also be delivered via email messages with attachments and downloadable links. Most anti-virus programs can now identify the malware; however, given the limited effectiveness of the first attack, a new version will be released for a second wave, and anti-virus may not readily detect it. Based on our analysis of summaries related to the Shadow Brokers release of NSA tools back in April, the malware is codenamed WannaCry because it encrypts files with the extension “WCRY.” As always, advise your users not to click on any email they do not recognize, and check your internal spam filters for increased blocking activity. Shutting down the SMB service on port 445 also helps block the malware from being delivered to the computer and encrypting its files.

Remediation Actions

  • Install the Microsoft patch released on March 14, 2017 immediately if you have not already done so. For those using older, no-longer-supported Windows OS versions like Windows XP or Windows 8, Microsoft took the unusual step of releasing a patch as well. Go to the Microsoft site to download the patch.
  • If the patch has not been installed, temporarily shut down the SMB service on port 445 to block the encryption mechanism if a computer is infected. Symantec Norton AV provides a tool on their website to help disable the service.
  • Immediately review backup procedures and archived-data processes to permit quick recovery if infected and to avoid paying the ransom.
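The first two remediation steps above, as an added PowerShell example that is not part of the original advisory: it checks whether the March 14, 2017 patch is present on the local host and, if not, temporarily blocks inbound TCP 445 at the host firewall and turns off the SMBv1 server component. It assumes a Windows 8 / Server 2012 or later host (the SmbShare and NetSecurity modules), an elevated session, and a KB identifier you fill in per OS; the KB value shown is a placeholder.

```powershell
# Added example, not from the advisory. Without -Apply it only reports what it would do.
# The KB number for the March 2017 patch differs per Windows version: placeholder below.
param(
    [string[]]$ExpectedKb = @('KB<patch-kb-for-this-os>'),   # placeholder, set per OS
    [switch]$Apply                                            # omit to run in report-only mode
)

function Test-SmbPatchInstalled {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates as HotFixID values such as "KB1234567".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-SmbExposure {
    param([switch]$Apply)
    # 1. Block inbound TCP 445 (the port the advisory names) with a clearly named,
    #    temporary rule so it can be removed once the patch is deployed.
    $ruleName = 'Temp-Block-SMB-445-Inbound'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        if ($Apply) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
        Write-Output "Firewall rule '$ruleName': $(if ($Apply) { 'created' } else { 'would be created' })"
    }
    # 2. Turn off the legacy SMBv1 server, which Microsoft recommended disabling
    #    alongside the patch; -Force skips the confirmation prompt.
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        Write-Output "SMBv1 server: $(if ($Apply) { 'disabled' } else { 'would be disabled' })"
    }
}

if (Test-SmbPatchInstalled -KbIds $ExpectedKb) {
    Write-Output "Patch present on $env:COMPUTERNAME ($($ExpectedKb -join ', ')); no emergency block needed."
} else {
    Write-Output "Patch missing on $env:COMPUTERNAME; evaluating temporary SMB mitigations."
    Disable-SmbExposure -Apply:$Apply
}
```

Remove the firewall rule with Remove-NetFirewallRule -DisplayName 'Temp-Block-SMB-445-Inbound' once the patch has been confirmed installed, since blocking 445 also breaks legitimate file and printer sharing.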

Nicholas Barone is a Consulting Services Group Director experienced in computer and network forensics, as well as PHI, PII, and PCI-related investigations.
