Ransomware - WannaCry

Here is what I know

1. If you have not updated your Windows, and it runs SMBv1, you are vulnerable.
2. Linux/other OSes seem not to be affected.
 
What are the attack vector(s) used by this?

Does it encrypt only the OS (system) drive/partition or any/all drives?
 
It propagates through email and exploits a vulnerability using specially crafted SMB v1 packets. MS has released patches to plug the vulnerability. Disabling SMB at network boundaries and installing the patch is the solution.

Disabling SMB is a short-term solution, but the best thing people can do is move on to a more secure OS.

My organisation has both 2000 and 2003 as well, which cannot be upgraded due to. We were going to put these in separate VLANs with no internet connection; this will ensure the ransomware is blocked. But due to budget constraints we have put it off since last year. Now I expect it will get done ASAP. Or maybe not.
 
If it is a worm, then will isolating SMB v1 systems in a VLAN help?

Yes, since they will not be exposed to the main LAN. It does defeat the purpose of a server, but it's for a small subset of users. We will also be removing internet access from those systems, except for email from our mail server, and that too limited to our domain only.
 
I should say "isolating" SMB will probably just limit the spread, not totally block it. The way to stop this is to patch systems and/or disable the SMB part altogether.

People should move to a secure OS. I would advocate using Zentyal and Nethserver as free drop-in replacements for 2003 server.

Should you disable v1? Yes, if you don't have any 2003 servers (we do). v2? When the time comes, I guess.

We use SMBv3 as well, to take advantage of the multichannel feature.
 
I guess if the security updates are installed then no need to disable anything, right?

This ransomware is spreading only on Windows systems which haven't got the security patch installed I believe.
 
Correct.

However, if, say, Microsoft did not patch 2003, or if you are running something older like we are which is not patched, in such cases isolating that segment is the best way forward. Also, blocking internet access will ensure that even if we insert a pen drive with ransomware, it cannot connect, nor can it phone home. However, this is not an answer, but a temporary solution. In our case, we have software which is EOL and still running, not generating enough revenue to be worth replacing.
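Added example, not from any poster in this thread: a PowerShell audit/remediation script for the two measures discussed above (disabling SMBv1 and installing the patch, and a host-level port block for machines that will stay unpatched). It checks the SMBv1 server and client state, whether the MS17-010 update is present, and whether inbound TCP 139/445 is blocked at the host firewall. The parameter names `-Ms17010Kb` and `-Remediate` are my own; the KB number of the MS17-010 update differs per OS version and is taken from the MS17-010 bulletin, so it is passed in rather than hard-coded. The cmdlets need Windows 8 / Server 2012 or later and an elevated prompt; the equivalent commands for older hosts are given in the comments.

```powershell
<#
  Added example (not from the thread). Audits a Windows host for SMBv1 exposure
  and, with -Remediate, applies the fixes. Run from an elevated PowerShell.
  Usage:  .\Check-Smb1.ps1 -Ms17010Kb KBxxxxxxx            # audit only
          .\Check-Smb1.ps1 -Ms17010Kb KBxxxxxxx -Remediate # apply fixes
#>
param(
    # KB number of the MS17-010 update for THIS OS version (see the bulletin).
    # Left as a mandatory parameter because it differs between OS versions.
    [Parameter(Mandatory = $true)][string]$Ms17010Kb,
    # Apply fixes instead of only reporting.
    [switch]$Remediate
)

$findings = @()

# 1. SMBv1 on the server side (what the worm attacks).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
    if ($Remediate) {
        # Windows 7 / 2008 R2 equivalent (reboot required):
        #   Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters `
        #       -Name SMB1 -Type DWORD -Value 0 -Force
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. SMBv1 on the client side (mrxsmb10 driver). Disabling it stops this host
#    from speaking SMBv1 to other machines at all.
$smb1Client = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
if ($smb1Client -and $smb1Client.StartMode -ne 'Disabled') {
    $findings += "SMBv1 client driver (mrxsmb10) is not disabled (StartMode=$($smb1Client.StartMode))"
    if ($Remediate) {
        # Remove mrxsmb10 from the workstation service dependencies, then disable it.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# 3. Is the MS17-010 update installed?
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
if (-not $patched) {
    $findings += "Update $Ms17010Kb (MS17-010) is NOT installed"
}

# 4. Unpatched hosts: block inbound SMB at the host firewall too, not only at
#    the VLAN boundary. TCP 445 is direct SMB, TCP 139 is SMB over NetBIOS.
#    Only appropriate on hosts that do not need to serve files themselves.
$ruleName = "Block inbound SMB (MS17-010 mitigation)"
if (-not $patched) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        $findings += "Unpatched host has no firewall rule blocking inbound TCP 139/445"
        if ($Remediate) {
            # Vista / 2008 equivalent:
            #   netsh advfirewall firewall add rule name="Block inbound SMB" dir=in `
            #       action=block protocol=TCP localport=139,445
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
        }
    }
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output "OK: SMBv1 disabled and $Ms17010Kb installed."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if (-not $Remediate) {
        Write-Output "Re-run with -Remediate to apply the fixes (a reboot is needed for the driver change)."
    }
}
```

Two caveats for the older machines mentioned in this thread: Windows 2000/2003 only speak SMBv1, so there is nothing to "disable" there, and the only options are the MS17-010 update (Microsoft did publish one for XP and Server 2003 after the outbreak) or keeping them in an isolated segment with 139/445 filtered at the boundary. And blocking 445 on a file server obviously stops it serving files, so on such a host the block belongs on the segment boundary rather than on the host itself.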
 
Any specific details of the spread/extent of damage, guys? Like, does it encrypt entire partitions or just Documents & Settings type folders?
 
Do I need to worry if I have updated Windows 10? On the Windows Update screen it says your computer is up to date. I do browse a lot of shady sites.
 
Though Russian hackers have been blamed for introducing this, it may be Chinese as well.

Can't vouch for the authenticity of the picture; shared as received.
 