Latest information on WannaCrypt Ransomware and How to Protect Against It (Shavlik Protect, Patch for Windows Server)

Version 14

     

    WannaCrypt (also known as WanaCrypt0r 2.0, WannaCry, WanaCry or Wcry) is an encryption-based ransomware worm that started spreading globally on May 12th, 2017.

    The malware encrypts files on affected systems with AES and protects the AES keys with RSA: the per-victim RSA private key needed to unlock them is itself encrypted to a key held only by the attackers, so only they can produce the decryption key for a given machine.

    WannaCrypt replaces the desktop wallpaper with a ransom message, tells the victim to run the decryptor program (or download it from Dropbox if it has been removed) and demands a few hundred dollars' worth of bitcoin to get the files back.

     

    Attack vector

     

    WannaCrypt uses multiple attack vectors:

     

    • Initial infection: early reports attributed the first infections to e-mail, with social engineering or phishing relying on a user to open and execute a malicious payload attached to the message. Once the payload runs, the malware installs itself, starts encrypting files immediately and launches its worm component. The worm needs no user interaction at all, so an unpatched machine reachable on TCP port 445 can be infected without anyone opening anything.
    • The worm then tries to spread within the network and across the internet using exploit code for the SMBv1 remote code execution vulnerability CVE-2017-0145, one of the SMBv1 flaws (CVE-2017-0143 through CVE-2017-0148) fixed by MS17-010; the EternalBlue exploit the worm carries is also commonly referenced as CVE-2017-0144. The flaw lets an unauthenticated remote attacker execute arbitrary code by sending crafted packets to an SMBv1 server ("Windows SMB Remote Code Execution Vulnerability"). It exists only in the SMB v1.0 protocol implementation; SMBv2 and SMBv3 are not affected. Microsoft fixed it on March 14, 2017 in Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.
    • Every Windows version from Windows XP through Windows Server 2016, Windows 10 included, ships with SMBv1 enabled by default and was vulnerable before MS17-010. The exploit code used by WannaCrypt, however, only works against unpatched Windows 7, Windows Server 2008 (or earlier) systems, so Windows 10 machines are not infected by this attack; they still need the March 2017 update. On May 13th, Microsoft took the unusual step of releasing the MS17-010 fix (KB4012598) for versions that are out of support: Windows XP, Windows 8 and Windows Server 2003. Windows Vista and Windows Server 2008 had already received KB4012598 in the March release.

     

    How to protect against WannaCrypt (and other) ransomware?

     

    • Keep your systems up to date: in Shavlik Protect, Shavlik OEM (SDK) and Ivanti Patch for Windows Server, update the patch content XML to version 2.0.2.2417 (or later), deploy MS17-010 and confirm that the most recent bundles have been deployed. The fix first shipped in the March 2017 Patch Tuesday release, so any of the following bulletins resolves the vulnerability.
    • Content release 05/15/2017:
        • Updated MS17-010 (Q4012598): added patches for Windows XP, Windows 8, Windows Server 2003, Windows Vista and Windows Server 2008

    • May 2017 Patch Tuesday
        • MS17-05-MR7 (Q4019264): Monthly Rollup for Windows 7 and Server 2008 R2: May 9, 2017
        • MS17-05-MR8 (Q4019216): Monthly Rollup for Server 2012: May 9, 2017
        • MS17-05-MR81 (Q4019215): Monthly Rollup for Windows 8.1 and Server 2012 R2: May 9, 2017
        • MS17-05-2K8 (Q4018466): Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017
    • March 2017 Patch Tuesday
        • SB17-002 [MS17-010] (Q4012212): March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
        • SB17-003 [MS17-010] (Q4012213): March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
        • SB17-004 [MS17-010] (Q4012214): March 2017 Security Only Quality Update for Windows Server 2012
    • Any Security Monthly Quality Rollup for the above operating systems from March 2017 or later also remediates this, as shown in the tables below.

     

    Video demonstrating how to patch and report on the WannaCrypt vulnerability in Ivanti Patch for Windows Servers (Shavlik Protect)

     

     

     

    The following is a detailed list of all updates that contain the MS17-010 fix, grouped by operating system. You do not need to install all of them; any one of these updates closes the vulnerability WannaCrypt exploits:

     

    Server 2012

     

    Bulletin          Qnumber   Description
    MS17-05-MR8       Q4019216  May 9, 2017—KB4019216 (Monthly Rollup)
    MSNS17-04-QP2012  Q4015554  April 18, 2017—KB4015554 (Preview of Monthly Rollup)
    MS17-MR8-04       Q4015551  April 11, 2017—KB4015551 (Monthly Rollup)
    QP17-003          Q4012220  March 21, 2017—KB4012220 (Preview of Monthly Rollup)
    CR17-004          Q4012217  March 14, 2017—KB4012217 (Monthly Rollup)
    SB17-004          Q4012214  March 14, 2017—KB4012214 (Security-only update)

     

    Windows 7 SP1 and Windows Server 2008 R2 SP1

     

    Bulletin          Qnumber   Description
    MS17-05-MR7       Q4019264  May 9, 2017—KB4019264 (Monthly Rollup)
    MSNS17-04-QP7     Q4015552  April 18, 2017—KB4015552 (Preview of Monthly Rollup)
    MS17-MR7-04       Q4015549  April 11, 2017—KB4015549 (Monthly Rollup)
    QP17-001          Q4012218  March 21, 2017—KB4012218 (Preview of Monthly Rollup)
    CR17-002          Q4012215  March 14, 2017—KB4012215 (Monthly Rollup)
    SB17-002          Q4012212  March 14, 2017—KB4012212 (Security-only update)

     

    Windows 8.1 and Windows Server 2012 R2

     

    Bulletin          Qnumber   Description
    MS17-05-MR81      Q4019215  May 9, 2017—KB4019215 (Monthly Rollup)
    MSNS17-04-QP8     Q4015553  April 18, 2017—KB4015553 (Preview of Monthly Rollup)
    MS17-MR81-04      Q4015550  April 11, 2017—KB4015550 (Monthly Rollup)
    QP17-002          Q4012219  March 21, 2017—KB4012219 (Preview of Monthly Rollup)
    CR17-003          Q4012216  March 14, 2017—KB4012216 (Monthly Rollup)
    SB17-003          Q4012213  March 14, 2017—KB4012213 (Security-only update)

     

    Legacy OS

     

    OS                   Bulletin      Qnumber   Description
    Windows Server 2008  MS17-05-2K8   Q4018466  Security update for the Windows SMB Information Disclosure Vulnerability in Windows Server 2008: May 9, 2017
    Windows Server 2008  MS17-010      Q4012598  Description of the security update for Windows SMB Server: March 14, 2017
    Windows Vista        MS17-010      Q4012598  Description of the security update for Windows SMB Server: March 14, 2017
    Windows 8            MS17-010      Q4012598  Description of the security update for Windows SMB Server: March 14, 2017
    Windows XP           MS17-010      Q4012598  Description of the security update for Windows SMB Server: March 14, 2017
    Windows Server 2003  MS17-010      Q4012598  Description of the security update for Windows SMB Server: March 14, 2017

    The Windows XP, Windows 8 and Windows Server 2003 packages of Q4012598 are the out-of-band releases of May 13th and were added to the Shavlik/Ivanti content on 05/15/2017; the Vista and Server 2008 packages date from March.
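As an added example (not part of the original article or of the Shavlik/Ivanti products), the following PowerShell function checks a host for any of the KB numbers in the tables above via Get-HotFix and reports its srv.sys version, so you can compare that against the fixed file versions Microsoft lists in Knowledge Base article 4013389. It assumes PowerShell 3.0 or later and administrative rights (for remote hosts, WMI access and the admin$ share); the hosts.txt file in the usage line is an assumed input.

```powershell
# Added example, not from the original article or Ivanti's content. Needs
# PowerShell 3.0+ and local admin (remote hosts: WMI access and the admin$ share).

function Test-Ms17010 {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # KB numbers from the tables above, by OS family. Any one of them carries the fix.
    $kbsByFamily = @{
        'Windows 7 SP1 / Server 2008 R2 SP1'  = @('KB4019264','KB4015552','KB4015549','KB4012218','KB4012215','KB4012212')
        'Windows 8.1 / Server 2012 R2'        = @('KB4019215','KB4015553','KB4015550','KB4012219','KB4012216','KB4012213')
        'Windows Server 2012'                 = @('KB4019216','KB4015554','KB4015551','KB4012220','KB4012217','KB4012214')
        'XP / 2003 / Vista / 8 / Server 2008' = @('KB4012598','KB4018466')
    }

    # Get-HotFix reads Win32_QuickFixEngineering. A match is reliable; a miss is
    # not proof the fix is absent (updates slipstreamed into an image may not be
    # listed), so the srv.sys version is reported too for comparison with KB 4013389.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    $found = foreach ($family in $kbsByFamily.Keys) {
        foreach ($kb in $kbsByFamily[$family]) {
            if ($installed -contains $kb) { "$kb ($family)" }
        }
    }

    $srvPath = if ($ComputerName -eq $env:COMPUTERNAME) {
        "$env:SystemRoot\System32\drivers\srv.sys"
    } else {
        "\\$ComputerName\admin$\System32\drivers\srv.sys"
    }
    try   { $srvVersion = (Get-Item $srvPath -ErrorAction Stop).VersionInfo.ProductVersion }
    catch { $srvVersion = 'unreadable' }

    $os = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName).Caption
    $hotfixText = if ($found) { $found -join '; ' } else { 'none recorded' }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        OS              = $os
        Ms17010Hotfixes = $hotfixText
        SrvSysVersion   = $srvVersion
        LikelyPatched   = [bool]$found
    }
}

# One host (the machine the script runs on):
Test-Ms17010

# A list of hosts, one per line in hosts.txt (file name assumed), to CSV:
# Get-Content .\hosts.txt | ForEach-Object { Test-Ms17010 -ComputerName $_ } |
#     Export-Csv .\ms17010-status.csv -NoTypeInformation
```

A hit from Get-HotFix is reliable; a miss is not, which is why the srv.sys version sits next to it. Treat this as a spot check on a handful of hosts, not as a replacement for the Patch for Windows Server scan and report shown in the video above.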

    If the Shavlik Protect console service stops, or you get an error about decrypting your credentials, after updating to the latest content data, the workaround is to install .NET Framework 4.6.2 on the Protect console server. For customers who cannot install .NET Framework 4.6.2, a fix that does not require it is in progress; there is no ETA yet.

    • Beware of phishing: never open e-mail attachments from an untrusted sender or click links in e-mails or documents without checking where they lead. Ivanti Anti-Virus can also scan incoming e-mail.
    • Back up user data regularly: take copies of all user data at regular intervals so that a ransomware attack does not mean data loss, and keep at least one copy offline or otherwise unreachable with the user's credentials. WannaCrypt also encrypts files on mapped network drives it can write to, so a backup it can reach is a backup it can encrypt.
    • Enable and configure the Windows firewall: limit the spread of ransomware within the corporate network by correctly configuring host and network firewalls. Block access to the SMB ports from the Internet, and inside the network allow them only where file sharing is actually needed. SMB uses TCP ports 139 and 445 (the WannaCrypt worm attacks TCP 445), and the NetBIOS helper services use UDP ports 137 and 138. One caveat when tightening outbound rules: the malware checks a hard-coded "kill switch" web address before it does anything else and exits if that address answers, so make sure outbound web access to it is not blocked (see the statement on Ivanti's own environment below).
    • Disable legacy protocols such as SMBv1: on Windows Vista / Server 2008 and later, disable SMBv1 following Microsoft's article on how to enable and disable SMBv1, SMBv2 and SMBv3 in Windows and Windows Server (KB2696547). Windows XP and Windows Server 2003 only support SMBv1, so there the only options are the out-of-band MS17-010 patch and network isolation.
    • Audit installed software and keep it up to date: malware often exploits flaws in outdated software. Keep all installed software current, not only on end nodes but also in the data centre. Patch Manager also detects vulnerabilities in a wide range of third-party applications, not just the operating system.
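The firewall and SMBv1 bullets above as one host-hardening script, added here as an example; it is not taken from the article, and the individual commands are the ones Microsoft documents for each Windows version in the SMBv1 article referenced above. It assumes an English-language Windows (the "File and Printer Sharing" rule group name is localised), an internal range of 10.0.0.0/8 and a -ServesFiles switch that you set only on real file servers; both are placeholders. Run it elevated and reboot afterwards.

```powershell
# Added example, not from the original article. Disables SMBv1 and restricts
# inbound SMB/NetBIOS at the Windows firewall. Run elevated, then reboot.
# The internal range and the -ServesFiles switch are assumptions for the example.
# Windows XP/2003 only speak SMBv1 and cannot be hardened this way: patch and
# isolate them instead.
param(
    [switch]$ServesFiles,                  # set only on hosts that legitimately share files
    [string]$InternalRange = '10.0.0.0/8'  # assumed; replace with your own subnets
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMBv1 server: the component the EternalBlue exploit attacks.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Vista / Server 2008 / Windows 7 / Server 2008 R2: registry value honoured by srv.sys
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
}

# 2. SMBv1 client: stop this host speaking SMBv1 outbound, so it can neither be
#    steered to an SMBv1-only server nor reach one that has not been patched.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 3. Host firewall. Windows Firewall applies block rules before allow rules,
#    so an explicit block on 139/445 wins even if some allow rule still matches.
netsh advfirewall set allprofiles state on | Out-Null
if ($ServesFiles) {
    # File server: keep SMB reachable, but only from the internal range.
    netsh advfirewall firewall set rule group="File and Printer Sharing" new "remoteip=$InternalRange" | Out-Null
} else {
    # Anything that shares nothing: no inbound SMB or NetBIOS at all.
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 139,445)" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    netsh advfirewall firewall add rule name="Block inbound NetBIOS (UDP 137,138)" dir=in action=block protocol=UDP localport=137,138 | Out-Null
}

# 4. Report the resulting state (steps 1 and 2 only take effect after the reboot).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1State = (Get-SmbServerConfiguration).EnableSMB1Protocol
    "SMB1 server enabled: $smb1State"
} else {
    $smb1State = (Get-ItemProperty -Path $lanman).SMB1
    "LanmanServer SMB1 registry value: $smb1State"
}
$clientDriver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
"mrxsmb10 (SMBv1 client) start mode: $($clientDriver.StartMode)"
netsh advfirewall firewall show rule name="Block inbound SMB (TCP 139,445)" | Select-String 'Enabled|Action|LocalPort'
```

Test on a pilot group first: anything that still depends on SMBv1 (old NAS units, multifunction printers, Windows XP/2003 hosts) will stop talking to a machine hardened this way, and that breakage is the point at which you find out what still needs to be replaced or isolated.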

     

    • Ivanti free 90 day offer: When a global threat like WannaCrypt comes along, it's up to all of us in cyber security to make sure we shut it down. To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs. Register for the Ransomware Get Well Quick trial.

     

    Indicators of compromise

     

    WannaCrypt creates the following registry keys:

    • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"

     

    It will display a ransom message on the desktop wallpaper, by changing the following registry key:

    • HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"

     

    Files dropped by the malware. The first three land in %SystemRoot%; the rest are written to the working directory recorded in the wd registry value above:

    • %SystemRoot%\mssecsvc.exe (the worm component, installed as a service)
    • %SystemRoot%\tasksche.exe (the encryptor dropper)
    • %SystemRoot%\qeriuwjhrf
    • b.wnry, c.wnry, f.wnry, r.wnry, s.wnry, t.wnry, u.wnry (the malware's own resource files: wallpaper, configuration, ransom texts, Tor bundle and decryptor)
    • taskdl.exe
    • taskse.exe
    • 00000000.eky
    • 00000000.res
    • 00000000.pky
    • @WanaDecryptor@.exe
    • @WanaDecryptor@.exe.lnk
    • @WanaDecryptor@.bmp
    • @Please_Read_Me@.txt
    • m.vbs
    • 274901494632976.bat (a batch file whose numeric name varies)

    Encrypted user files are renamed with the .WNCRY extension. The .wnry files listed above belong to the malware itself and are not encrypted user data.
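A read-only sweep for the indicators listed above, as an added example that is not part of the original article. It checks the registry keys and dropped files named in this section, looks for running processes with those names, and samples a few encrypted files or ransom notes under the user profile directories; the $ScanRoots default is an assumption you can widen to include file shares. It runs on PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. Read-only: nothing is deleted or
# killed. Run elevated; HKCU refers to the account running the script, so check
# the wallpaper value under the affected user's profile if that differs.
function Find-WannaCryptIndicators {
    param([string[]]$ScanRoots = @("$env:SystemDrive\Users"))   # assumed default

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($type, $detail) {
        $hits.Add([pscustomobject]@{ Type = $type; Detail = $detail })
    }

    # Registry: marker key with the working directory, Run-key persistence, wallpaper swap.
    if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
        $wd = (Get-ItemProperty 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
        Add-Hit 'Registry' "HKLM\SOFTWARE\WanaCrypt0r\wd = $wd"
    }
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { "$($_.Value)" -match 'tasksche\.exe' } |
            ForEach-Object { Add-Hit 'Persistence' "Run\$($_.Name) = $($_.Value)" }
    }
    $wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    if ($wall -match '@WanaDecryptor@\.bmp') { Add-Hit 'Wallpaper' $wall }

    # Binaries dropped into %SystemRoot%.
    foreach ($name in 'mssecsvc.exe', 'tasksche.exe', 'qeriuwjhrf') {
        $p = Join-Path $env:SystemRoot $name
        if (Test-Path $p) { Add-Hit 'DroppedFile' $p }
    }

    # Worm, dropper and helper processes still running.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(mssecsvc|tasksche|taskdl|taskse|@WanaDecryptor@)$' } |
        ForEach-Object { Add-Hit 'Process' "$($_.Name) (PID $($_.Id))" }

    # Encrypted files and ransom notes; a few per root is enough to confirm impact.
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue `
            -Include '*.WNCRY', '@Please_Read_Me@.txt', '@WanaDecryptor@.exe' |
            Select-Object -First 5 |
            ForEach-Object { Add-Hit 'EncryptedOrNote' $_.FullName }
    }
    return $hits
}

$result = Find-WannaCryptIndicators
if ($result.Count -eq 0) {
    "No WannaCrypt indicators found on $env:COMPUTERNAME"
} else {
    "WannaCrypt indicators found on $env:COMPUTERNAME; isolate this host from the network now:"
    $result | Format-Table -AutoSize
}
```

A clean result is not proof that a host is clean: the working directory name is random, and antivirus may already have removed the processes and binaries while the encrypted files remain. A single hit, on the other hand, is enough to take the host off the network before anything else is done to it.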

     

    What if I'm compromised?

     

    Once ransomware has encrypted files, there is little you can do for those files. Occasionally ransomware is badly written, and reverse engineering its code has revealed a way to decrypt the data without paying.

    That does not appear to be the case for WannaCrypt; at the time of writing we are not aware of any way to recover the encrypted data. What you can still do is contain the damage: disconnect the infected machine from the network immediately, because the worm component keeps scanning for other SMBv1 hosts; if you need the machine for forensic analysis, capture memory and disk images before touching it further; otherwise rebuild it from known-good media, install MS17-010 before reconnecting it, and restore user data from backups.

     

    One might ask whether paying the ransom will really get the files decrypted. Sometimes it will, but there is no guarantee.

    When Cryptolocker hit a few years ago, some users reported that they did get their data back after paying the ransom.

     

    More information: Webinars

     

    Live Updates on the Ransomware Attack from Our CISO, Director of Security and Chief Technologist

    May 15, 2017 - 9:00 PDT | 12:00 EDT | 17:00 BST | 18:00 CEST

    Ivanti Webinar Series

     

    Ransomware Update: New Threats, New Defenses

    September 14, 2016

    Stephen Brown, Director of Product Management, Ivanti

     

    Passive Protection Against Ransomware

    June 01, 2016

    Eran Livne, Principal Product Manager, Ivanti

    Statement regarding Ivanti's Own Environment

    To date, Ivanti has not detected the WannaCrypt malware in our environment.

    In advance of the threat, we took the following proactive steps to fortify our environment against these types of threats:

    • We verified that our AV is installed, up to date, and active on client devices and servers, both internal and cloud / customer-facing.
    • We verified that appropriate patches from Microsoft and third parties are installed and correctly configured in a timely manner.
    • Where appropriate, we use Application Control for whitelisting, privilege management, and system monitoring.
    • We constantly educate our employees on the risks of phishing, monitoring our incoming emails.
    • We leverage third-party tools to actively monitor email for ransomware and other malicious URLs.
    • We leverage third-party tools to monitor infestation and proliferation of malware in our internal and customer-facing IT environments.

    Since this threat emerged, we have taken the following additional steps:

    • We have educated our staff about this particular threat and reinforced the importance of not opening files or clicking on links from unknown sources.
    • We have verified that our network infrastructure does not block access to the kill switch URL.
    • We have audited our environment against all the above measures.

     


     

    Bookmark this page, we will add updates as they become available. Our patch content teams are currently working to include the emergency security patches in our patch content.