Ultima's Response to the Ransomware Incident:
Confused about what to do following the WannaCry ransomware attack? Our Head of Networking and Security, Martin Collins, has created this short video to help educate your teams on the next steps you should take as a company.
In light of the recent WannaCryptor ransomware attack, we wanted to offer you the reassurance of Ultima's complete help and support should you require it. Members of the security team are available to offer our thoughts and advice and will be happy to assist any members of your team with remediation.
We strongly advise you take the following steps:
- Apply the patch published by Microsoft (MS17-010) on all affected nodes of the network.
- Patches for unsupported OS (Windows XP, Windows 8, Windows Server 2003): https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Windows updates for supported OS: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Where a host cannot be patched immediately, disable SMBv1 on it and block inbound TCP 445 at the perimeter; this is Microsoft's recommended interim mitigation and removes the propagation path.
- Ensure that AV and IPS inspection and web filtering engines are turned on, both to prevent the malware from being downloaded and to block communication back to the command and control servers.
Useful Information:
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: any Windows system that has not received the MS17-010 update (released March 2017 for supported versions from Windows Vista to Windows 10 and Server 2008 to Server 2016, and on 12 May 2017 for Windows XP, Windows 8 and Server 2003) is exposed. The worm propagates over SMBv1 (TCP 445) using the EternalBlue exploit that MS17-010 fixes.
- Ransom: between $300 and $600, demanded in Bitcoin. The virus contains code to 'rm' (delete) files, and the ransom countdown appears to reset if the virus crashes.
- Backdooring: the worm loops through every RDP session on an infected host and runs the ransomware as each of those users. It also installs the DOUBLEPULSAR kernel backdoor, so a host that has been cleaned of the ransomware may still be backdoored, and it deletes Volume Shadow Copies to make recovery harder. (source: Malwarebytes)
- Kill switch: before infecting a host, the virus tries to reach www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and exits if the request succeeds (source: Malwarebytes). This domain has been registered and sinkholed, which stopped the spread of the first wave. The check connects directly rather than through the system proxy, so on networks where web access is only possible via a proxy the lookup fails and the worm carries on infecting. While this is a useful stopgap against the current sample, expect new variants without the kill switch in the very near future, so make sure that vulnerable systems are patched as soon as possible.
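To turn the patching steps above and the kill-switch note into a per-host check, here is a small PowerShell triage script. It is an added example and not part of Ultima's advisory or Microsoft's guidance; it assumes an elevated PowerShell 3+ session on Windows 7 / Server 2008 R2 or later. The KB list is the set of original March and May 2017 MS17-010 security updates from the Microsoft bulletin; later cumulative updates supersede them, so "not found" is a prompt to check Windows Update history, not proof that the host is vulnerable. The kill-switch test only approximates the malware's direct (proxy-less) HTTP request and will generate an outbound connection to the sinkhole domain, which your IPS or web filter may log or alert on.

```powershell
# Added example: WannaCry host triage (not Ultima's or Microsoft's code).
# Assumptions: elevated PowerShell 3+; KB list = original MS17-010 updates, superseded by later rollups.

# MS17-010 security updates as listed in the Microsoft bulletin / MSRC guidance.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Vista, 8, Server 2003, Server 2008
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # Returns the matching KB(s) from the installed hotfix list, or nothing if none is present.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $installed | Where-Object { $Ms17010Kbs -contains $_ }
}

function Get-Smb1Status {
    # SMBv1 is the protocol EternalBlue abuses. Use the SMB cmdlets where they exist
    # (Windows 8 / Server 2012 and later); on Windows 7 the registry value is the only switch.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means SMBv1 is enabled (the default).
    return ($null -eq $value -or $value -ne 0)
}

function Disable-Smb1 {
    # Interim mitigation where the patch cannot be applied immediately.
    # Takes effect once the Server (LanmanServer) service restarts or the host reboots.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Test-KillSwitchDirect {
    # The malware's kill-switch request bypasses the system proxy. Mimic that so you learn
    # whether hosts on a proxy-only network would actually reach the sinkhole.
    # $true = sinkhole reachable, the current sample would exit; $false = it would infect.
    param([string]$Domain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com')
    try {
        $req = [System.Net.WebRequest]::Create("http://$Domain")
        $req.Proxy   = $null    # deliberately ignore the configured proxy, as the malware does
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch {
        return $false
    }
}

# One-line report per host; feed the output to Export-Csv when running across an estate.
$kb = Test-Ms17010Installed
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Ms17010Kb        = if ($kb) { $kb -join ',' } else { 'NOT FOUND - verify via update history' }
    Smb1Enabled      = Get-Smb1Status
    KillSwitchDirect = Test-KillSwitchDirect
}
```

Run it through Invoke-Command or your management tooling to get the same three answers for every Windows host: is the MS17-010 fix present, is SMBv1 still listening, and would the kill switch actually fire on this network. Call Disable-Smb1 only on hosts where you have confirmed nothing still depends on SMBv1 (old NAS appliances and multifunction printers are the usual casualties).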
Below is a list of helpful links and knowledge base articles from relevant technology vendors:
- Check Point: http://blog.checkpoint.com/2017/05/12/global-outbreak-wanacryptor/
- Cisco: http://blog.talosintelligence.com/2017/05/wannacry.html
- Fortinet: http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware
- Palo Alto: http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attacks/
- Sophos: https://community.sophos.com/kb/en-us/126733
- Symantec: https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
- McAfee: https://securingtomorrow.mcafee.com/business/analysis-wannacry-ransomware-outbreak/
Customers requiring urgent assistance should contact Check Point’s incident response service:
UK Hotline: +44 (0)800-088-5471
Email: emergency-response@checkpoint.com
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
The Ultima Network & Security Team is prepared to support you with any requests, please reach out to us via email enquiries@ultima.com or contact your Account Manager directly.
For more details on the BBC News report, click here: http://www.bbc.co.uk/news/health-39899646