There have been many reports on the WannaCry attack (aka WannaCrypt, WannaCrypt0r 2.0, WannaDecryptor) since it broke out on Friday, May 12, 2017. Our support and professional services teams delivered notifications immediately on the following Monday to our managed services clients with detailed information for their environments. However, we want to ensure all of our clients have the fundamental information to protect their environments.
What is WannaCry? This ransomware is encrypting infected systems and demanding payment to release control of the files.
How does it work? WannaCry takes advantage of vulnerabilities in Microsoft Windows, either through Remote Desktop Protocol (RDP) or through exploitation of a critical Microsoft Server Message Block (SMB) vulnerability.
There are five essential WannaCry mitigations everyone should have in place:
• Install MS17-010: One way the Server Message Block (SMB) flaw can be fixed is to install the MS17-010 fix. Any systems running Windows that did not receive a patch should be removed from all networks.
• Install an emergency Windows patch: Microsoft issued one-off security fixes for three operating systems it no longer supports: Windows XP, Windows Server 2003 and Windows 8.
• Disable SMBv1: NCSC says that if it’s not possible to apply either patch, then disable SMBv1, referring to guidance from Microsoft.
• Block SMBv1: NCSC recommends that you block SMBv1 ports on network devices – UDP 137, 138 and TCP 139, 445.
• Shut down: If none of the above options are available, pull the plug. If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
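For the "Disable SMBv1" step, the following added example (not part of the original advisory) audits the SMBv1 server setting on the local Windows host and, with `-Remediate`, turns it off. The function names `Test-Smb1ServerEnabled` and `Disable-Smb1Server` are hypothetical; the script assumes an elevated PowerShell 3.0 or later session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and with -Remediate, disable) the SMBv1 server on this host.
param([switch]$Remediate)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Test-Smb1ServerEnabled {
    if ($hasSmbCmdlets) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 have no SMB cmdlets: read the registry instead.
    # The SMB1 value is absent by default, and absent means SMBv1 is enabled.
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Registry change takes effect after a restart.'
    }
}

# Which of the advisory's TCP ports is this host listening on?
# (Get-NetTCPConnection exists on Windows 8 / Server 2012 and later only.)
$listening = @()
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort 139,445 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object)
}

$before = Test-Smb1ServerEnabled
if ($Remediate -and $before) { Disable-Smb1Server }

# One summary object per host, suitable for piping to Export-Csv.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Smb1EnabledBefore = $before
    Smb1EnabledNow    = Test-Smb1ServerEnabled
    ListeningTcpPorts = $listening -join ','
}
```

Run it without `-Remediate` first to see which hosts still accept SMBv1. A host that keeps listening on 445 after remediation is still serving SMBv2/3, which this script does not change.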