The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
This ransomware was first detected on 12-May-2017, and more than 230,000 computers across 150 countries are reported to have been affected. It exploits a vulnerability (CVE-2017-0144) in the Server Message Block (SMB) implementation of Microsoft Windows. Once introduced into a Microsoft Windows system, the malicious software attempts to exploit this SMB vulnerability. If successful, it encrypts the data on the computer's hard drive, making it inaccessible to the legitimate users of the computer. The ransomware then offers the owner of the affected system the option of paying a sum of money in Bitcoin in exchange for unlocking the files.
This ransomware spreads through:
•Malicious e-mail attachments that leverage social engineering techniques.
•Other infected computer systems on the same LAN, and through the file sharing service.
The data on the infected computer system becomes inaccessible to the legitimate user, who is left with only two options to retrieve it: pay a certain sum of money to decrypt the data, or restore the data from backup if one is available.
Who is affected?
The following Microsoft Windows computer systems not patched with MS17-010: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016
•Conduct an internal vulnerability assessment to discover Microsoft Windows computer systems that do not have the MS17-010 patch applied, and apply the patch to them.
•Update endpoint protection or anti-malware tools with the hashes of the WannaCry ransomware to detect and remove it.
•If available, enforce a NAC policy to disallow systems (particularly mobile systems) that are non-compliant with the above.
•Disable the Microsoft Windows SMB/file sharing service, or block its ports (TCP 137, 139, 445 and UDP 137, 138) in the firewall and L3 switch, until you have applied the security update on all affected systems.
•Block WannaCry keywords on the gateway.
•Conduct security awareness sessions / give out advisories to your staff on the ways ransomware spreads, and advise them not to open attachments or click on links in e-mails from unknown or suspected sources.
•Perform regular data backups.
•Implement a security incident response and business continuity plan, and review it regularly.
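The following PowerShell script is an added example, not part of the advisory, showing how an administrator could carry out the first and fourth recommendations above on a single host: check whether an MS17-010 update is installed and, if it is not, apply the interim mitigation of disabling the SMBv1 server and blocking the listed SMB/NetBIOS ports on the host firewall. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 or later (where `Get-SmbServerConfiguration`, `Set-SmbServerConfiguration` and the `NetSecurity` firewall cmdlets exist). The KB numbers are the ones Microsoft released under MS17-010 and should be verified against the bulletin for the exact OS build; the function names `Test-Ms17010Installed`, `Get-SmbExposure` and `Invoke-InterimSmbMitigation` are this example's own.

```powershell
# Added example (not from the advisory): check one Windows host for MS17-010 and,
# if the patch is absent, apply the advisory's interim mitigation (disable SMBv1,
# block inbound SMB/NetBIOS ports). Requires an elevated session on
# Windows 8.1 / Server 2012 or later.

# KB numbers published under MS17-010 (verify against Microsoft's bulletin for
# your OS build). On Windows 10 a later cumulative update supersedes KB4013429 and
# Get-HotFix then lists only the newer update, so an absent KB there means
# "check the OS build number", not necessarily "unpatched".
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP, Vista, Server 2008 SP2
    'KB4012212', 'KB4012215',  # Windows 7 SP1, Server 2008 R2 SP1
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1, Server 2012 R2
    'KB4013429'                # Windows 10 1607, Server 2016
)

function Test-Ms17010Installed {
    # Returns $true when any MS17-010 KB appears in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-SmbExposure {
    # Summarises the host's exposure: patch state and whether SMBv1 is still enabled.
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010Applied = Test-Ms17010Installed
        Smb1Enabled    = $smb.EnableSMB1Protocol
    }
}

function Invoke-InterimSmbMitigation {
    # Advisory step: turn off the SMBv1 server and block the SMB/NetBIOS ports
    # until the security update has been applied.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Ports named in the advisory: TCP 137, 139, 445 and UDP 137, 138.
    New-NetFirewallRule -DisplayName 'WannaCry interim block - SMB TCP' `
        -Direction Inbound -Protocol TCP -LocalPort 137,139,445 -Action Block -Profile Any
    New-NetFirewallRule -DisplayName 'WannaCry interim block - NetBIOS UDP' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any
}

# Report the host's state and mitigate only when the patch is missing.
$status = Get-SmbExposure
$status | Format-List
if (-not $status.Ms17010Applied) {
    Write-Warning "MS17-010 not found on $($status.ComputerName); applying interim mitigation."
    Invoke-InterimSmbMitigation
}
```

To use this as the internal assessment the advisory calls for, run `Get-SmbExposure` across the estate with `Invoke-Command -ComputerName <list>` and collect the objects it returns; hosts reporting `Ms17010Applied = False` are the ones to patch first, and the firewall rules created here are meant to be removed once the update is confirmed installed.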
System Affected/Related OS and Version:
This issue affects ft:server_message_block:1.0