WannaCry Malware Attack
On May 12, 2017, malicious ransomware called “WannaCrypt” affected many organizations around the world and the critical systems they depend on. Microsoft has been working around the clock to ensure it is taking all possible actions to protect its customers and its software. Once a machine is infected, WannaCrypt encrypts every file it finds and renames it by appending “.WNCRY” to the file name. For example, a file named “picture.jpg” is encrypted and renamed to “picture.jpg.WNCRY”. Decrypting the data is then only possible by paying a $300 ransom.
There are two scenarios in which WannaCry can enter into your systems:
- Arrival through social engineering emails designed to trick users into running the malware, which activates the worm-spreading functionality.
- Infection through the SMB exploit, when an unpatched computer is reachable from an already infected machine.
This blog entry provides the steps and guidelines to stay protected. Microsoft has also just released a security update specifically for Windows platforms that are in custom support only, namely Windows XP, Windows 8, and Windows Server 2003. The malware does not affect Windows 10 customers.
How to protect yourself:
- Ensure that you have the latest version of Windows (10), which has the best security and proactive features to protect yourself. To get the latest protection from Microsoft, upgrade to Windows 10.
- Install security update MS17-010 as soon as possible.
- Disable SMBv1 with the steps documented in Microsoft Knowledge Base Article 2696547 and as recommended previously (reboot required).
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.
- Enable Windows Defender Antivirus which will help detect the ransomware using cloud-based protection.
- Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
- Monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities.
- Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.
- For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
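The checklist above (MS17-010 installed, SMBv1 disabled, inbound port 445 blocked, Windows Defender cloud protection on) can be audited on a single host with the following PowerShell script. It is an added example, not Microsoft's own tooling or anything shipped with the playbook linked above. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where the `Get-WindowsOptionalFeature`, `Smb*`, `NetFirewall*` and Defender `Mp*` cmdlets exist), and the KB numbers in `$Ms17010Kbs` are taken from the MS17-010 bulletin rather than from this post, so confirm the one that applies to your OS build before relying on the result. The host-level firewall rule is a local stand-in for the router/firewall rule the post recommends; on a file server it will also block legitimate inbound shares.

```powershell
#Requires -RunAsAdministrator
# WannaCrypt hardening audit (added example, not Microsoft code).
# Default mode only reports; pass -Remediate to apply the fixes.
param(
    [switch]$Remediate
)

# KB numbers for MS17-010 by platform (from the bulletin, not this post; verify for your build).
# Windows 10 installs a cumulative update, so a later cumulative KB may supersede these.
$Ms17010Kbs = @(
    'KB4012598',              # Windows XP / Vista / 8 / Server 2003 (custom-support release)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$RuleName = 'Block inbound SMB (TCP 445) - WannaCrypt'

function Test-Ms17010 {
    # Get-HotFix lists installed updates; any matching KB means the SMBv1 fix is present.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hit
}

function Test-Smb1Disabled {
    # Check both the optional-feature state and the live SMB server setting.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')
    $serverOff  = ($null -eq $server)  -or (-not $server.EnableSMB1Protocol)
    return ($featureOff -and $serverOff)
}

function Test-Port445Blocked {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

function Test-DefenderCloudProtection {
    # RealTimeProtectionEnabled comes from Get-MpComputerStatus; MAPSReporting (0 = off) is the cloud setting.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue
    return ($null -ne $status -and $status.RealTimeProtectionEnabled -and $pref.MAPSReporting -ne 0)
}

function Find-WncryFiles {
    # Quick indicator sweep for the “.WNCRY” extension the ransomware appends to encrypted files.
    Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Filter '*.WNCRY' -File -ErrorAction SilentlyContinue |
        Select-Object -First 5 -ExpandProperty FullName
}

$checks = [ordered]@{
    'MS17-010 installed'        = Test-Ms17010
    'SMBv1 disabled'            = Test-Smb1Disabled
    'Inbound TCP 445 blocked'   = Test-Port445Blocked
    'Defender cloud protection' = Test-DefenderCloudProtection
}
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'FAIL' }
    Write-Host ("{0,-28} {1}" -f $name, $state)
}

$found = Find-WncryFiles
if ($found) { Write-Warning "Encrypted files found (first hits):`n$($found -join "`n")" }

if ($Remediate) {
    if (-not $checks['SMBv1 disabled']) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMBv1 disabled; a reboot is required to complete removal.'
    }
    if (-not $checks['Inbound TCP 445 blocked']) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Host 'Inbound TCP 445 block rule created.'
    }
    if (-not $checks['Defender cloud protection']) {
        Set-MpPreference -MAPSReporting Advanced -DisableRealtimeMonitoring $false
        Write-Host 'Defender real-time and cloud protection enabled.'
    }
    if (-not $checks['MS17-010 installed']) {
        Write-Warning 'MS17-010 not detected: install the update for this OS from the bulletin, then reboot.'
    }
}
```

Run it once without arguments to get a pass/fail line per item, then with `-Remediate` on machines that fail; the patch itself is the only step the script cannot apply, since the correct package depends on the OS build and must come from the bulletin.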
For any other queries visit the various Microsoft Security Centers:
- Microsoft Security Response Center Blog: http://blogs.technet.microsoft.com/msrc