0 Replies Latest reply on May 17, 2017 9:02 AM by ryan.milczarek

    MS17-010 and protecting yourself from WCRY and its variants using EMSS

    ryan.milczarek SupportEmployee

WannaCrypt (also known as WanaCrypt0r 2.0, WanaCry or Wcry) is an encryption-based ransomware attack that started spreading globally on May 12th. The malware encrypts files on affected systems using the AES and RSA ciphers, so only the attackers, who hold the unique decryption key, can decrypt the files. WannaCrypt replaces the computer's wallpaper with a message asking the victim to download the decryptor from Dropbox and demanding a payment of hundreds, in bitcoin, to get their files back.


      How to protect against WannaCry

Because of the change in the way Microsoft releases updates, the MS17-010 fix has been included in each of the last three months' cumulative content rollups.


For March, as an example, the fix is included in:

      • March, 2017 Security Only Quality Update for Windows 7 (KB4012212)
      • March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)
      • March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)
      • March, 2017 Security Only Quality Update for Windows 8.1 x64 (KB4012213)
      • March, 2017 Security Only Quality Update for Windows Server 2008 R2 x64 (KB4012212)
      • March, 2017 Security Only Quality Update for Windows Server 2012 (KB4012214)
      • March, 2017 Security Only Quality Update for Windows Server 2012 R2 (KB4012213)


For May, the names of the cumulative content items start with 2017-05.
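Before deploying, it helps to know which hosts still lack the update. The following PowerShell snippet is an added example (not part of the original post and not an Ivanti tool) that checks a host for the three March 2017 Security Only KBs listed above. It assumes a Windows 7 / 8.1 / Server 2008 R2 / 2012 / 2012 R2 host where Get-HotFix reports these updates; because the April and May cumulative rollups supersede them, a "not found" result means "check the rollups in the EMSS console", not "vulnerable".

```powershell
# Added example: report whether one of the March 2017 Security Only updates
# that carry the MS17-010 fix is installed on this host.
# Assumption: Get-HotFix (Win32_QuickFixEngineering) lists these KBs on the
# supported Windows versions. A later cumulative rollup supersedes them, so
# 'NotFound' is a prompt to check the 2017-04 / 2017-05 rollups, not a verdict.
$Ms17010SecurityOnlyKbs = @('KB4012212', 'KB4012213', 'KB4012214')

function Test-Ms17010SecurityOnly {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010SecurityOnlyKbs -contains $_.HotFixID }

    if ($installed) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'SecurityOnlyUpdateFound'
            HotFixID     = ($installed.HotFixID -join ',')
            InstalledOn  = ($installed.InstalledOn -join ',')
        }
    }
    else {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'NotFound-CheckCumulativeRollups'
            HotFixID     = ''
            InstalledOn  = ''
        }
    }
}

Test-Ms17010SecurityOnly | Format-List
```

Run it from an elevated session; for a fleet, wrap the function in Invoke-Command against the hosts you manage and compare the result with the Applicable / Not Patched filter in the EMSS console.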


      Keep your system Up-to-date using EMSS:

      In the console, navigate to Review > Vulnerabilities > Critical Vulnerabilities.

You can set your filters as in the screenshot below; in particular, set the filter to show content that is Applicable and Not Patched.

The screenshot shows the content for May.


      For more details, see the below video:


Once you have selected the content, click Deploy to launch the Deployment Wizard and proceed with setting up a deployment.

• Beware of phishing: never open e-mail attachments from an untrusted sender or click on links within e-mails or documents without checking the source. Ivanti Anti-Virus can also scan incoming e-mail.
• Regularly back up user data: create copies of all user data at regular intervals so that a ransomware attack does not cause data loss.
• Enable the Windows firewall: limit the spread of ransomware within the corporate network by configuring firewalls correctly. Block access to the SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and on UDP ports 137 and 138.
• Block legacy protocols such as SMB v1: see the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (note: Windows XP only supports SMB v1).
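The two host-hardening steps above (blocking the SMB ports and disabling SMB v1) can be applied with PowerShell. The following is an added example, not part of the original post and not an Ivanti product feature. It assumes Windows 8 / Server 2012 or later (the NetSecurity and SmbShare modules are present) and an elevated session; for Windows 7 / Server 2008 R2 it falls back to the registry method described in the Microsoft article referenced above. The firewall rules are scoped to the Public profile by default, because blocking TCP 445 inbound on every profile also blocks legitimate file sharing and admin shares on that host.

```powershell
# Added example: block the SMB/NetBIOS ports listed in the post and disable
# SMB v1 on the server side of this host.
# Assumptions: elevated session; NetSecurity / SmbShare modules on Windows 8 /
# Server 2012 and later; registry fallback for Windows 7 / Server 2008 R2.
# The -Profile default of 'Public' is a deliberate, conservative choice:
# widen it only after checking which hosts need inbound SMB on Domain/Private.

function Block-SmbPorts {
    param([string[]]$Profile = @('Public'))

    $rules = @(
        @{ Name = 'Block SMB/NetBIOS TCP inbound'; Protocol = 'TCP'; Ports = @(137, 139, 445) },
        @{ Name = 'Block NetBIOS UDP inbound';     Protocol = 'UDP'; Ports = @(137, 138) }
    )
    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist so re-runs do not duplicate them.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.Ports -Action Block `
                -Profile $Profile | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'Block *inbound' |
        Select-Object DisplayName, Enabled, Profile, Action
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: takes effect immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return (Get-SmbServerConfiguration).EnableSMB1Protocol   # expect False
    }
    # Windows 7 / Server 2008 R2: registry method from the Microsoft article
    # referenced in the post; requires a restart to take effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    return (Get-ItemProperty -Path $key -Name SMB1).SMB1          # expect 0
}

Block-SmbPorts
Disable-Smb1Server
```

Disabling SMB v1 on the server side stops this host from being reached over the legacy dialect; clients that still need SMB v1 (for example Windows XP, as the note above says) will lose access to shares on the host, so inventory those first.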


      Indicators of compromise

      WannaCrypt creates the following registry keys:

      • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"


It will display a ransom message on the desktop wallpaper by changing the following registry key:

      • HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"


      Files created in the malware's working directory:

      • %SystemRoot%\mssecsvc.exe
      • %SystemRoot%\tasksche.exe
      • %SystemRoot%\qeriuwjhrf
      • b.wnry
      • c.wnry
      • f.wnry
      • r.wnry
      • s.wnry
      • t.wnry
      • u.wnry
      • taskdl.exe
      • taskse.exe
      • 00000000.eky
      • 00000000.res
      • 00000000.pky
      • @WanaDecryptor@.exe
      • @Please_Read_Me@.txt
      • m.vbs
      • @WanaDecryptor@.exe.lnk
      • @WanaDecryptor@.bmp
      • 274901494632976.bat
      • Files with “.wnry” extension
      • Files with “.WNCRY” extension
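The indicators above can be checked on a host without touching anything. The following read-only PowerShell script is an added example, not part of the original post and not an Ivanti tool. It assumes an elevated session (so HKLM and %SystemRoot% are readable), limits the file-system sweep to C:\Users to keep the run short, and checks the wallpaper value only for the user running it (other profiles would need their HKU hives loaded).

```powershell
# Added example: read-only sweep for the WannaCrypt indicators listed above.
# Assumptions: elevated session; file sweep limited to C:\Users; HKCU covers
# only the current user. Nothing is deleted or modified.
function Find-WannaCryptIndicators {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Type, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
    }

    # 1. Working-directory key and Run-key persistence
    $wdKey   = 'HKLM:\SOFTWARE\WanaCrypt0r'
    $workDir = $null
    if (Test-Path $wdKey) {
        $workDir = (Get-ItemProperty -Path $wdKey -Name wd -ErrorAction SilentlyContinue).wd
        Add-Hit 'Registry' "$wdKey\wd = $workDir"
    }
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { "$($_.Value)" -like '*tasksche.exe*' } |
            ForEach-Object { Add-Hit 'Registry' "$runKey\$($_.Name) = $($_.Value)" }
    }

    # 2. Ransom wallpaper for the current user
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
              -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -like '*@WanaDecryptor@.bmp') { Add-Hit 'Registry' "HKCU Wallpaper = $wp" }

    # 3. Dropped files in %SystemRoot%
    foreach ($name in 'mssecsvc.exe', 'tasksche.exe', 'qeriuwjhrf') {
        $p = Join-Path $env:SystemRoot $name
        if (Test-Path $p) { Add-Hit 'File' $p }
    }

    # 4. Working-directory artefacts, only if the wd value pointed somewhere real
    if ($workDir -and (Test-Path $workDir)) {
        foreach ($name in '@WanaDecryptor@.exe', '@Please_Read_Me@.txt', 'taskdl.exe',
                          'taskse.exe', '00000000.eky', '00000000.res', '00000000.pky') {
            $p = Join-Path $workDir $name
            if (Test-Path $p) { Add-Hit 'File' $p }
        }
    }

    # 5. Encrypted files and ransom notes under user profiles (first 20 only)
    Get-ChildItem -Path 'C:\Users' -Recurse -Force -ErrorAction SilentlyContinue `
        -Include '*.WNCRY', '*.wnry', '@Please_Read_Me@.txt' |
        Select-Object -First 20 |
        ForEach-Object { Add-Hit 'EncryptedFile' $_.FullName }

    return ,$hits.ToArray()
}

$result = Find-WannaCryptIndicators
if ($result.Count -eq 0) { 'No listed WannaCrypt indicators found on this host.' }
else { $result | Format-Table -AutoSize }
```

A single hit is enough to isolate the host from the network before anything else; the registry keys and %SystemRoot% binaries are the earliest signs, while .WNCRY files appear once encryption has already started.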


      What if I'm compromised?

Once ransomware has encrypted files, there is not much you can do. Sometimes ransomware has been badly written, and it has been possible, by reverse engineering the code, to find a way to decrypt the data.

      This does not seem to apply to WannaCrypt and we are unaware of a way to recover encrypted data at this time.


      One might ask if paying the ransom will really decrypt the files. Sometimes it will, but there is no guarantee.

      When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.