Emerging Global Ransomware Attack

Published on: May 17th, 2017

US-CERT has released a threat alert regarding a spreading global ransomware attack. There have been a number of reports of WannaCry ransomware from a number of different countries. The WannaCry ransomware may be exploiting an identified vulnerability in Microsoft operating systems. Microsoft released a patch as part of the March 2017 Security Rollup that addressed the vulnerability. If a resource has been updated with the March 2017 Security Rollup or later, then the vulnerability in question should be resolved. More information on this threat can be found at US-CERT.

Update 5/13/2017

1. MalwareBytes and Webroot have stated that they actively block ‘WannaCry’ attacks.

2. Continuum has whitelisted, effective immediately, additional Security Updates that were not included in the MS17-010 patches and one which was just published today by Microsoft, which will help prevent the attack:

KB4019216 — Windows 8 and Windows Server 2012
KB4019264 — Windows 7 and Windows 2008 R2
KB4019215 — Windows 8.1 and Windows 2012 R2
KB4012598 — Windows XP, Windows Server 2003, Windows 8, Windows XP Embedded

As a reminder, as long as your resources have installed either the March, April, or May 2017 Security Updates, they should be protected. Older Windows editions that were no longer supported by Microsoft now have a Security Update also available for them (KB4012598) that was just published by Microsoft on May 13, 2017.

To determine which resources are vulnerable, the best method is to use the “Last OS Current” date in Patches Home on the ITS Portal. If the date is prior to March 28, 2017, it is very likely vulnerable. If it is past March 28, then it should be protected.

To get those up-to-date, the fastest method is manually deploy these Security Updates by using the “Deploy Missing Patches” button on Patches Home in the ITS Portal or in the “Manual Patch Deployment” section. You must ensure those resources are also rebooted for those updates to take effect.

3. Microsoft has published additional guidance: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ This includes additional mitigation steps such as disabling Server Message Block (SMBv1) and separately downloadable Security Updates for Windows Server 2003, Windows XP, and Windows 8.

4. A further mitigation step is to verify that TCP port 445 is blocked on the perimeter firewalls. The current version of this ransomware only scans port 445 for vulnerable devices.