This attack exploits a vulnerability in SMBv1 (Microsoft Server Message Block 1.0). It is highly recommended to patch all systems and/or disable SMBv1. Alternatively, filter the corresponding ports.
Microsoft has released patches for affected software; this includes a Security Update for Windows XP SP3 (KB4012598).
Proactive measures for the WannaCry ransomware
- Patch & update all operating systems. Please see Reference 3 below (MS17-010).
- Disable SMBv1 everywhere else. Please see Microsoft Knowledge Base Article 2696547.
- (Retroactively to Friday, 12th of May) move all email messages with active code in attachments into a quarantine.
- Control all incoming executable files via the Web/Proxy infrastructure.
- Control returning laptops before start of business on Monday, 15th of May.
- Inform all employees not to click on any hyperlinks or open attachments.
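The following PowerShell is an added example, not part of the original advisory: it reports whether SMBv1 is still enabled on the local host and whether the listed patch is installed, and optionally disables SMBv1. The function, parameter and output-field names are illustrative; the cmdlets, registry values and sc.exe commands are those Microsoft documents for SMBv1.

```powershell
# Added example: audit SMBv1 on the local Windows host; -Disable also turns it off.
# Run from an elevated prompt. Function, parameter and field names are illustrative.
function Test-Smb1Exposure {
    param(
        [string[]]$PatchIds = @('KB4012598'),  # KB named in this advisory; pass the KB for your OS
        [switch]$Disable
    )
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

    # Server side: use the SMB cmdlet where it exists (Windows 8 / Server 2012 and later),
    # otherwise read the registry; an absent SMB1 value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverOn = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $serverOn = ($null -eq $v) -or ($v -ne 0)
    }

    # Client side: the mrxsmb10 driver is disabled when its Start value is 4.
    $start = (Get-ItemProperty -Path $cliKey -Name Start -ErrorAction SilentlyContinue).Start
    $clientOn = ($null -ne $start) -and ($start -ne 4)

    # Patch state: which of the requested KBs are installed on this host.
    $installed = @(Get-HotFix -Id $PatchIds -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $missing = @($PatchIds | Where-Object { $installed -notcontains $_ })

    if ($Disable -and $serverOn) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0 -Force  # needs a reboot
        }
    }
    if ($Disable -and $clientOn) {
        # Drop the mrxsmb10 dependency, then disable the driver (needs a reboot).
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # The report reflects the state found before any change was applied.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverOn; Smb1ClientEnabled = $clientOn
        PatchesFound = ($installed -join ','); PatchesMissing = ($missing -join ',')
    }
}

Test-Smb1Exposure   # report only; add -Disable to apply the change
```

A KB reported as missing is only meaningful if that KB applies to the host's operating system, so pass the identifier that matches each platform.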
Incident response to Crypto Ransomware
In the case of a detection, HEAnet recommends that you unplug / disconnect the infected systems from the network (do not forget any wireless connectivity).
If you have any further questions, please do not hesitate to contact noc@heanet.ie
References