Friday, May 12, 2017

Ransomware now comes in worm flavor

If you have SMBv1 in your enterprise, and haven't completed deploying MS17-010 (released in March), now would be a good time to expedite that. Multiple news outlets are reporting a widespread outbreak of the "WannaCry" ransomware. 

Ransomware is malware that encrypts all the data on a computer, holding it hostage until the victim pays a ransom fee. This particular attack is especially insidious because it acts as a "worm" - it spreads from computer to computer on its own, without any interaction from users.

The saving grace is that the vulnerability it exploits to spread, was fixed by Microsoft in March. Most home users are safe because Windows Updates apply automatically (yes, it's annoying to have a computer reboot when you do not want it to, but today you are thanking your lucky stars).

Some reports of note:

CCN-CERT, the computer emergency response team for Spain, first issued a warning (in Spanish) of this outbreak Friday morning.

Spanish telecommunications company Telef√≥nica reported (in Spanish) that they too have been affected.

The British Broadcasting Company has a running commentary on effects in the UK, and specifically the effects on the National Heathcare Service of the UK.

The Register reports that UK hospitals have effectively shutdown, and are not accepting new patients.

Global delivery company FedEx reported that it has been affected, but has not specified what locations or if deliveries have been interrupted. At least one FedEx customer reported Customer Service being unable to provide support due to server outages.

What can you do:

Home users by and large are not affected by this. If you follow the basic steps I recommend in (in particular, setting Windows to automatically install updates), Windows lomng ago installed the patch to protect you from this worm.

For corporate and small business readers:
  • Block TCP 445 and 135 inbound from the Internet
  • Install MS17-010 everywhere. Note that the April and May cumulative updates for Windows include this patch
  • Kill off SMBv1. SMB version 1 is a 30-year-old protocol that has outlived its usefulness. Every modern operating system - including all supported Windows variants, MacOS and OS X, and the Samba product for Linux file sharing, supports the newer v2 and v3 versions.

    SMBv1 can be disabled by creating or editing the following value in the Windows Registry:

    Name: SMB1
    Type: DWORD
    Value: 0

    Then run the following command to disable SMBv1 on the client side:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • Block client-to-client SMB (TCP 445) traffic. Generally speaking, laptops don't need to map file shares of other laptops. Blocing lateral SMB traffic prevents this malware from spreading laptop-to-laptop. Then focus on patching your domain controllers and enterprise file servers - which genuinely do need to share services on TCP 445.
  • Run Windows Firewall and block inbound TCP 445 connections when on an untrusted network (public WiFi, for example).

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen