How is the "WannaCry" Malware spreading and how should users defend themselves from it?

WannaCry attacks are initiated using an SMBv1 remote code execution vulnerability in the Microsoft Windows OS. The EternalBlue exploit was patched by Microsoft on March 14 and made publicly available through the "Shadowbrokers dump" on April 14th, 2017. However, many companies and public organizations have not yet installed the patch on their systems. The Microsoft patches for legacy versions of Windows were released last week, after the attack.

How to prevent WannaCry infection?

  1. Make sure that all hosts have enabled endpoint anti-malware solutions.

  2. Install the official Windows patch (MS17-010) https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, which closes the SMB Server vulnerability used in this ransomware attack.

  3. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.

  4. Backup all important data to an external hard drive or cloud storage service.

More information here: https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world/
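The checks behind steps 2 and 3 of the answer above, as an added example (not code from the answer): a PowerShell function that reports whether one of the MS17-010 packages is present on the local host and whether SMBv1 is still enabled. The KB list is an assumption taken from memory of the MS17-010 bulletin, so confirm the right KB for each OS/build against the bulletin link above; the function name is chosen here.

```powershell
# Added example; not from the answer above. Run from an elevated prompt.
#
# Assumption: these KB numbers are the MS17-010 packages as remembered from the
# bulletin; verify against
# https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
# Caveat: on Windows 10 the fix ships inside a cumulative update, so a later
# cumulative update supersedes these KBs and Get-HotFix will not list them;
# there, compare the OS build against the bulletin instead.
$Ms17010Kbs = @(
    'KB4012598'                             # XP / Vista / 8 / Server 2003 (post-attack release)
    'KB4012212', 'KB4012215'                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216'                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    [CmdletBinding()]
    param()

    # Installed hotfixes whose ID is one of the MS17-010 packages.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # SMBv1 server state. The SMB cmdlets exist on Windows 8 / Server 2012 and
    # later; on older systems read the registry switch from KB2696547
    # (value absent means the default, which is enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $val) { $true } else { [int]$val.SMB1 -ne 0 }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        Ms17010Installed = ($found.Count -gt 0)
        MatchingKBs      = (($found | ForEach-Object { $_.HotFixID }) -join ', ')
        SMB1Enabled      = $smb1
        NeedsAttention   = ($found.Count -eq 0) -or $smb1
    }
}

Get-Ms17010Status | Format-List
```

A host that reports NeedsAttention = True either has no MS17-010 package visible or still exposes SMBv1; patching alone closes the exploited bugs, but disabling SMBv1 removes the attack surface for the next one.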


The ransomware is using a known, publicly disclosed exploit in SMBv1 (Server Message Block Version 1). It is an application level protocol used for sharing files and printers in a networked environment.

The SMBv1 protocol is commonly found in networked Windows environments, and is present in operating systems such as Windows XP, Windows 7, 8, 8.1, and 10. Windows Vista and onward allow for the use of SMBv1, even though they support the improved SMBv2 and v3 protocols.

Those environments that do not use Microsoft's implementation are unlikely to be affected by the exploit and related vulnerabilities. In addition, those environments that do not support SMBv1 are also not affected.

You can disable SMBv1 support, as per Microsoft's directions: https://support.microsoft.com/kb/2696547

Those running Windows 8.1 or Windows Server 2012 R2 and later can disable the support by removing the Windows Feature for "SMB1.0/CIFS File Sharing Support".

There are six major vulnerabilities in Microsoft's implementation of SMBv1. The first five (and more critical) are ones that allow for remote arbitrary code execution. The last one allows for "data disclosure". The ransomware leverages the first five vulnerabilities and exploits them.

Measures users/enterprises can take to mitigate this ransomware and others include:

  • Make sure systems are patched; the vulnerabilities were patched in March of 2017.
  • Keep a recent backup of your system or critical user/business data.
  • Use and maintain an anti-virus solution.
  • Use a backup scheme such as GFS (grandfather-father-son).
  • Remove the use or support of SMBv1 (see above).
  • Segregate the network such that damage impact is lessened.
  • Use a diverse set of systems and operating systems if possible.

Web Links:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://msdn.microsoft.com/en-us/library/aa365233(VS.85).aspx

http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit
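Disabling SMBv1 as described in the answer above (the KB2696547 methods, and the "SMB 1.0/CIFS File Sharing Support" feature removal on 8.1 / 2012 R2 and later), as an added example that is not code from the answer. It picks the method available on the local OS, also turns off the client-side SMBv1 redirector, and verifies the result. Function names are chosen here; a reboot is needed for the registry and service changes to take effect.

```powershell
# Added example; not from the answer above. Run from an elevated prompt.
function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Server 2012 R2+ : remove the FS-SMB1 feature (server and client side).
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('FS-SMB1', 'Remove Windows feature')) {
            Remove-WindowsFeature -Name FS-SMB1 | Out-Null
        }
    }
    # Windows 8.1+ : remove the "SMB 1.0/CIFS File Sharing Support" feature.
    elseif (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable Windows optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # Windows 8 / Server 2012 and later: switch the server protocol off outright.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set EnableSMB1Protocol = False')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }
    # Windows 7 / Server 2008 R2 / Vista: the SMB1 registry value from KB2696547.
    else {
        if ($PSCmdlet.ShouldProcess($lanman, 'Set SMB1 = 0')) {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        }
    }

    # Client side: stop the workstation service depending on the SMBv1 redirector
    # (mrxsmb10) and disable the redirector. Harmless where the feature is gone.
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Drop SMBv1 redirector')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

function Test-Smb1Disabled {
    # $true when the server side is off (registry or SMB config) and the
    # SMBv1 redirector is disabled (Start = 4) or absent.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $regOff = ($null -ne $reg) -and ([int]$reg.SMB1 -eq 0)

    $cfgOff = $false
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfgOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -Name Start -ErrorAction SilentlyContinue
    $redirOff = ($null -eq $drv) -or ([int]$drv.Start -eq 4)

    ($regOff -or $cfgOff) -and $redirOff
}

Disable-Smb1
Test-Smb1Disabled
```

Run `Disable-Smb1 -WhatIf` first to see which of the methods applies on a given host; after the reboot, `Test-Smb1Disabled` should return True.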


Cisco has posted an article on this that goes into more detail than any of the others I've seen. Their basic steps for prevention are as follows:

  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

And at least based on that Microsoft bulletin, it would seem that this is an SMBv1 vulnerability, not SMBv2.
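Blocking inbound SMB on the host itself, as an added example (not code from the answer above or Cisco's article): the built-in Windows Firewall allow rules for file sharing are scoped to an internal range, and an explicit block for TCP 139/445 is added on the Public profile. The range 10.0.0.0/8, the rule name and the function names are placeholders chosen here; the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later. This hardens one host only; 139/445 must still be blocked at the perimeter.

```powershell
# Added example; not from the answer above. Run from an elevated prompt.
$AllowedSmbSources = @('10.0.0.0/8')   # placeholder: replace with your internal ranges

function Limit-InboundSmb {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$From = $AllowedSmbSources)

    # 1. Scope the built-in inbound file-sharing allow rules (which include
    #    SMB-In on 445 and NB-Session-In on 139) to the internal ranges.
    $builtIn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
        -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($rule in $builtIn) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Scope to $($From -join ', ')")) {
            $rule | Set-NetFirewallRule -RemoteAddress $From
        }
    }

    # 2. Explicit block on the Public profile. Block rules win over allow rules,
    #    so this holds even if an unscoped allow rule is added later.
    $name = 'Block inbound SMB on public networks'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($name, 'Create block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 139, 445 -Profile Public -Action Block | Out-Null
        }
    }
}

function Get-SmbExposure {
    # Lists enabled inbound allow rules that open TCP 139 or 445 and from where.
    # Port ranges (e.g. "137-139") are not expanded here.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            if ($port.Protocol -eq 'TCP' -and
                ($port.LocalPort -contains '445' -or $port.LocalPort -contains '139')) {
                $addr = $_ | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = $_.Profile
                    RemoteAddress = ($addr.RemoteAddress -join ', ')
                }
            }
        }
}

Limit-InboundSmb
Get-SmbExposure | Format-Table -AutoSize
```

After running it, every row from `Get-SmbExposure` should show the internal ranges rather than `Any` under RemoteAddress; any row that still says `Any` is a rule outside the "File and Printer Sharing" group that needs the same scoping.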