fbpx

Ransomware WannaCry – Why You Are at Risk

15 May Ransomware WannaCry – Why You Are at Risk

malware

Over the weekend, a worldwide Ransomware infection spread quickly.  The Ransomware is utilizing the recently disclosed vulnerabilities in Windows software that allows a remote unauthenticated attacker to install software on a computer.  There have been widespread infections as reported by CNN and various news sources.  The attack utilizes the Microsoft vulnerability referenced in security bulletin MS17-010.  The vulnerability does have a patch available since March 2017.  Systems that are patched cannot be infected using the vulnerability.  However, other methods can still install Ransomware on a computer. 

 

 

Unlike typical Ransomware infections, this attack is utilizing a propagation method that allows for quicker deployment with no user interaction.  An infected computer on a local network can push the Ransomware to another computer on the local network as long as the remote computer is unpatched.  Additionally, infected computers try to connect to the public Internet to infect additional systems.

 

Antivirus vendors are releasing definitions to stop the current strain of the Ransomware.  However, if a computer was already infected this will not recover the ransomed files.  Additionally, the Ransomware uses a technique to avoid antivirus engines.  A killswitch was identified for the current version of the attack and was implemented globally.  The killswitch only works if the computer has Internet access during the time of the attack and if the user is using a proxy the killswitch may not work. 

 

Security researchers expect the Ransomware to be modified or for new variants and attacks to utilize the same Windows vulnerability.  If modified the antivirus mitigations and the killswitch may no longer be effective. 

 

At the beginning of this infection, Microsoft’s unsupported Operating Systems did not have a patch available.  Microsoft has decided to release patches for unsupported Operating Systems in order to mitigate this infection.  Microsoft’s unsupported Operating Systems are Windows XP, Windows 2003 and Windows 8.  However, the patches appear to require manual installation and will not be delivered through automatic Microsoft methods.    Earlier versions of Microsoft Operating Systems may also be affected but no patch has been offered for such versions.  Examples are Windows NT 4 and Windows 2000. 

 

Customers of Aware’s MSP – RMM service were patched over the last few months if the operating environment allowed patching.  Aware will also be patching MSP – RMM customers with unsupported Operating Systems manually. 

 

Customers of Aware’s MA Support Services will be contacted and patching assistance will be provided as part of the MA agreement.   

Related links. 

CNN news story, http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html

Microsoft related patch articles, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx#KBArticle and https://support.microsoft.com/en-us/help/4013389/title

Antivirus vendor write-up, https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

Microsoft decides to release patches for unsupported Operating Systems, https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

CERT release, https://www.us-cert.gov/ncas/alerts/TA17-132A