WannaCry / WanaCrypt0r2.0
As you are probably already aware of the massive worldwide cyber attack we hereby start with some initial information and recommendations. This page will be updated regularly to post new information. The SecureLink Cyber Defence Center is on high alert and monitoring this very closely. It is a ransomware attack which seem to spread very fast, also internally within a network via tcp port 445.
We have verified and can confirm that all our SecureProtect Endpoint customers were protected against this attack.
The malware is called WannaCry/WanaCrypt0r 2.0 which is also spread further via the SMB protocol. Microsoft has released a patch for this (MS17-010). For now we assume that this only affects Windows systems.
A first advice is to check whether the MS17-010 patch is installed, if not you should do this immediately.
If you have internal segmentation within your network you should temporarily block tcp port 445.
If you are already a victim then the advice is to:
- Isolate the infected devices from the network
- Restore backups and make sure that you installed the Microsoft patch before you connect the system again to the network
External information can be found here:
MS17-010: Security update for Windows SMB Server: March 14, 2017
Massive Ransomware Attack That’s Hitting World Right Now Uses NSA’s Exploit
WannaCry ransomware used in widespread attacks all over the world
Many media reported that a kill switch was found and that the attack was stopped. However SecureLink still recommends to continue applying the Microsoft patch if it hasn’t been done yet. The kill switch only stops the current version, it is very likely that updated versions will appear. What is also important to note is that the kill switch is not proxy aware, this means that companies that proxy DNS traffic should sinkhole the domain. The domain dp9ifjaposdfjhgosurijfaewrwergwea.com should be redirected to an internal webserver.
Microsoft also released patches for older OS’s:
Customer Guidance for WannaCrypt attacks