Informational Alert – WannaCrypt Ransomware Attacks

2017-12-07T12:18:39+00:00 | May 15th, 2017 | Azure, biz, Cloud, News, Windows

Summary

On Friday, people around the world, and the critical systems they depend on, were victims of malicious “WannaCrypt” software. risual Managed Services worked throughout the weekend to ensure we understood the attack and were taking all possible actions to protect our customers. We are using the MSRC blog – Customer Guidance for WannaCrypt attacks – to help customers respond to this latest threat.

The first and most important piece of guidance is to immediately deploy the security update associated with Microsoft Security Bulletin MS17-010 to all servers and clients, if you have not done so already. Customers that have automatic updates enabled or have deployed this update are already protected from the vulnerability these attacks are trying to exploit. We have developed a PowerShell script that can be run against your estate to identify any machines that do not have the required updates to protect against this exploit. Please note that we provide no assurance around this script: it is offered as a tool to assist, but it cannot prevent this exploit. We have been in touch with customers for whom we perform updates and advised them of their risk levels accordingly. Please get in touch if you have any queries around these
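An estate check of the kind described above could look like the following. This is an added example, not risual's script; the KB identifiers and computer names are placeholders (assumptions) and must be replaced with the updates listed for each operating system in Microsoft Security Bulletin MS17-010 and with your own hosts.

```powershell
# Added example, not risual's script.
# Reports, per machine, whether any of the required update IDs is installed.
function Test-RequiredUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $RequiredKb
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target machine.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID)
            $found  = @($installed | Where-Object { $RequiredKb -contains $_ })
            $status = if ($found.Count -gt 0) { 'Patched' } else { 'Missing' }
            $detail = $found -join ','
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped:
            # a machine that cannot be queried has not been shown to be patched.
            $status = 'Unknown'
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = $status
            Detail       = $detail
        }
    }
}

# Placeholder KB IDs (assumption). Take the real IDs from the MS17-010
# bulletin for each OS version, and add any later cumulative rollups that
# supersede them, because a superseding rollup appears under its own KB ID.
$requiredKb = @('KB0000001', 'KB0000002')

# Constructed host list: the local machine plus one hypothetical server name.
$computers = @('localhost', 'FS01.example.test')

Test-RequiredUpdate -ComputerName $computers -RequiredKb $requiredKb |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

Treat both `Missing` and `Unknown` rows as machines to follow up, and confirm the result against your patch management tooling before relying on it.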

Malware Detection

Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/WannaCrypt.

In addition, the free Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/) is designed to detect this threat as well as many others.

Recommendations

Review the Microsoft Security Response Center (MSRC) blog at Customer Guidance for WannaCrypt Attacks for an overview of the issue, details of the malware, suggested actions, and links to additional resources.

Keep systems up-to-date. Specifically, for this issue, ensure Microsoft Security Bulletin MS17-010 Security Update for Microsoft Windows SMB Server is installed.

rMS can advise on a number of Microsoft features that can aid in the prevention of the spread of this exploit, such as:

Office 365 Safe Links – https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx

Office 365 Safe Attachments – https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx

Windows File Server Resource Manager – https://technet.microsoft.com/en-us/library/cc754810(v=ws.10).aspx – this can help protect file servers from particular extensions.

SCCM Software Inventory Feature / File reporting feature can help identify if file extensions are present – rMS are in the process of testing this and can advise further if required.

If you have any questions regarding this alert, please contact rMS Support or your Service Delivery Manager (SDM) on +443003032044 or email rMS Support.