NHS ransomware
On Friday, May 12, 2017, around 11 AM ET/3PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world.
Until now, hundreds of thousands of Windows endpoints in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan. The killswitch domain identified a security researcher is blocked in Heimdal CORP and Heimdal PRO. A security tool we use to protect our customers. When the exploit starts to dial back to the C&Cs, Heimdal blocks it, along with known WannaCry samples and C&Cs, which stops the data encryption process.
Heimdal CORP also blocks exploit kits, malware-spreading domains, malicious traffic redirects and other elements that ransomware could use in cyber attacks.
Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on March 14, 2017. This exploit was patched the same day, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010).
“This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
This update was intended to patch the exploit on: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows Server 2016, Server Core installation option.
If you’re unsure whether your endpoints are updated to the latest version, you can run Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) and discover which updates are missing. The tool also lists the missing updates by severity and potential impact.
Please know that you can only use this tool on one computer or a group of computers. If you want to cover your entire infrastructure, you should use your internal IPs and coordinate your updates so they start from the first vulnerability the tool reports.
A good idea is to also redo a centralized scan after applying the updates, to ensure that the right updates were triggered and installed.
If unpatched, the following Microsoft software is exposed to WannaCry attacks, as well as others that employ the same tactics:
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2 and R2 SP1
Microsoft Windows 7
Microsoft Windows 8.1
Microsoft Windows RT 8.1
Microsoft Windows Server 2012 and R2
Microsoft Windows 10
Microsoft Windows Server 2016
Microsoft Windows XP
Microsoft Windows Server 2003.
As always, our key advice is to keep software patched at all times, build a strong, proactive defensive layer and always have multiple backups of your data as a plan B along with Live Cloud back up’s. Most importantly ensure there is a hold on your backups so the script is not able to delete your files.
Should you have questions or need additional help, please contact us at help@orbital-it.com