Friday, May 12, 2017

Ransomware now comes in worm flavor

If you have SMBv1 in your enterprise, and haven't completed deploying MS17-010 (released in March), now would be a good time to expedite that. Multiple news outlets are reporting a widespread outbreak of the "WannaCry" ransomware. 

Ransomware is malware that encrypts all the data on a computer, holding it hostage until the victim pays a ransom fee. This particular attack is especially insidious because it acts as a "worm" - it spreads from computer to computer on its own, without any interaction from users.

The saving grace is that the vulnerability it exploits to spread, was fixed by Microsoft in March. Most home users are safe because Windows Updates apply automatically (yes, it's annoying to have a computer reboot when you do not want it to, but today you are thanking your lucky stars).

Some reports of note:

CCN-CERT, the computer emergency response team for Spain, first issued a warning (in Spanish) of this outbreak Friday morning.

Spanish telecommunications company Telefónica reported (in Spanish) that they too have been affected.

The British Broadcasting Company has a running commentary on effects in the UK, and specifically the effects on the National Healthcare Service of the UK.

The Register reports that UK hospitals have effectively shut down, and are not accepting new patients.

Global delivery company FedEx reported that it has been affected, but has not specified what locations or if deliveries have been interrupted. At least one FedEx customer reported Customer Service being unable to provide support due to server outages.


What can you do:

Home users by and large are not affected by this. If you follow the basic steps I recommend in https://securityforrealpeople.com/cybertips (in particular, setting Windows to automatically install updates), Windows long ago installed the patch to protect you from this worm.

For corporate and small business readers:
  • Block TCP 445 and 135 inbound from the Internet
     
  • Install MS17-010 everywhere. Note that the April and May cumulative updates for Windows include this patch.
     
  • Kill off SMBv1. SMB version 1 is a 30-year-old protocol that has outlived its usefulness. Every modern operating system (all supported Windows variants, MacOS and OS X, and the Samba product for Linux file sharing) supports the newer v2 and v3 versions.

    SMBv1 can be disabled on the server side by creating or editing the following value in the Windows Registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Name: SMB1
    Type: DWORD
    Value: 0

    Then run the following commands to disable SMBv1 on the client side:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • Block client-to-client SMB (TCP 445) traffic. Generally speaking, laptops don't need to map file shares of other laptops. Blocking lateral SMB traffic prevents this malware from spreading laptop-to-laptop. Then focus on patching your domain controllers and enterprise file servers, which genuinely do need to share services on TCP 445.
     
  • Run Windows Firewall and block inbound TCP 445 connections when on an untrusted network (public WiFi, for example).
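The checklist above is easy to apply on one machine by hand but tedious across a fleet. The script below is an added example written for this post, not code from the original article: it audits a single Windows host against the SMBv1 and TCP 445 items (registry value, client driver start type, MS17-010 hotfix, inbound firewall rule) and, only when run with -Remediate, applies the same registry value and sc.exe commands the post gives plus a public-profile firewall block. The KB numbers are an assumption covering only Windows 7 / Server 2008 R2 (MS17-010 ships under different KB numbers for other Windows versions); netsh is used for the firewall rule so the script also works on hosts without the NetSecurity cmdlets.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not part of the original post.
  Audit mode (default): reports whether the SMBv1 / TCP 445 hardening
  steps are in place. Remediate mode (-Remediate): applies them.
  A reboot is required before the SMB1 registry change takes effect.
#>
param([switch]$Remediate)

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$ruleName  = 'Block inbound SMB (TCP 445)'
# Assumption: MS17-010 KB numbers for Windows 7 / Server 2008 R2 only
# (security-only and monthly rollup). Extend this list per OS version.
$ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1ServerDisabled {
    # Server side: the post's registry value SMB1 = 0. A missing value means SMBv1 is enabled.
    $v = (Get-ItemProperty -Path $serverKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($v -eq 0)
}

function Test-Smb1ClientDisabled {
    # Client side: mrxsmb10 is the SMBv1 redirector driver; Start = 4 means disabled.
    if (-not (Test-Path $clientKey)) { return $true }   # driver not present at all
    $start = (Get-ItemProperty -Path $clientKey -Name Start -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

function Test-Ms17010Installed {
    # True if any of the listed KBs is present. Cumulative updates from April 2017 on
    # also contain the fix, so a $false here is a prompt to check, not proof of exposure.
    $found = Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue
    return ($null -ne $found)
}

function Test-Smb445BlockedInbound {
    # Looks for the firewall rule this script creates, by name.
    $out = netsh advfirewall firewall show rule name="$ruleName" 2>$null
    return ($out -match 'Rule Name')
}

function Invoke-Smb1Hardening {
    # Registry value from the post (server side).
    New-ItemProperty -Path $serverKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    # Exact sc.exe commands from the post (client side).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Block inbound TCP 445 on the Public profile (untrusted networks).
    if (-not (Test-Smb445BlockedInbound)) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=445 profile=public | Out-Null
    }
}

if ($Remediate) { Invoke-Smb1Hardening }

# Summary object; pipe to Export-Csv when collecting results from many hosts.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Smb1ServerDisabled  = Test-Smb1ServerDisabled
    Smb1ClientDisabled  = Test-Smb1ClientDisabled
    MS17010Present      = Test-Ms17010Installed
    Inbound445Blocked   = Test-Smb445BlockedInbound
    RebootPending       = $Remediate
}
```

Run it without arguments first and review the summary before using -Remediate; the client-side sc.exe change disables the SMBv1 redirector for every user on the host, so any remaining SMBv1-only file server (an old NAS, for example) becomes unreachable from that client until it is upgraded.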

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.