WannaCry Update:
Everyone in the cluster will probably have heard about the recent Ransomware attacks on Friday and over the weekend which have largely affected the NHS in the UK (Although 300,000 infections in over 150 countries have been reported).  Those at exceptional risk are personal computers still running Windows XP without a critical patch

I’ve put together a few recommendations, graphics and  facts about WannaCry in case you had missed anything
Some Information Security technology companies are pointing to the initial attack vector being an encrypted Zip as an email attachment. This seemingly contained Javascript files that kicked off the WannaCry RansomWare.

Most of the anti-Malware companies have signatures issued yesterday evening and are blocking current version of WannaCry

Recommendations:

  • Make sure policies at the perimeter of networks are blocking encrypted attachments
  • During this current period of heightened threat, release of emails with encrypted attachments should not be permitted
  • Verify the anti-malware solutions deployed throughout the organisation have a signature, or detection string, for WannaCry
  • Verify that ALL endpoints, including portable devices and servers, are covered with the anti-malware solution and signatures are up to date
  • If one device on the network is not protected, it could be the entry point and then the SMB vulnerability could be exploited across the network and compromise ALL other computers not patched
  • Notification to all users on the risks of opening unexpected attachments, no matter how legitimate it looks
  • Where the MS17-010 patch has not already been deployed to all devices, it must be rolled out as a matter of extreme urgency
  • Given the publication of the exploit code recently, it was only a matter of time before WannaCry appeared to exploit the vulnerability. It is a fairly safe bet that there will be multiple new variants of WannaCry appearing in the short term. This will require new signature updates. This will be a continuous cycle  – an arms race…..
  • The initial vector of compromise will likely change as well – expect methods other than encrypted zip files as attack vectors
  • The following are the current known file extensions that are used when a file is encrypted. Where an organisation can alert on, or block the creation of, files of this type, please implement immediately. Microsoft File Server Resource Manager (FSRM) can apply these filters.
    • .wnry
    • .wcry
    • .wncry
    • .wncryt

All existing recommendations to limit the threat of RansomWare still apply, especially the prohibition of use of privileged accounts to access email and Internet services

Attributed to Cambridge Cyber Cluster – Adrian Winckles