Ward Solutions Update II- Security Advisory Notice: Ransomware Wannacry

Security Advisory Notice – Ransomware Wannacry – Ward Solutions Update II

Issued by Ward Solutions Security Operations Centre

May 15, 2017

Following on from our Security Advisory Notice – Ransomware of 12th May 2017, we have additional vendor-specific recommendations that may be applicable to your environment, as listed below.

Microsoft

Ensure systems are patched against MS17-010 and disable the outdated SMBv1 protocol.
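One way to carry out both halves of that instruction on a fleet of Windows hosts, as an added example rather than a script from Microsoft or Ward Solutions: the first function reports whether an update carrying the MS17-010 fix is installed, the second disables SMBv1 on the server and client side. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later (the custom-support platforms named below have no such cmdlets and must simply receive the Microsoft patch), and the KB list it checks is an illustrative assumption that must be confirmed against the Microsoft guidance linked below for each OS build.

```powershell
# Added example, not Microsoft's or Ward Solutions' own script. Run from an
# elevated PowerShell session on Windows 7 / Server 2008 R2 or later.

# Update identifiers that ship the MS17-010 fix. Assumption for illustration:
# confirm the correct KB for each OS build against Microsoft's
# "Customer Guidance for WannaCrypt attacks" before relying on this list.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 builds 1507 / 1511 / 1607
)

function Test-MS17010Patched {
    # Get-HotFix reads the installed update list. A later cumulative update that
    # supersedes these KBs may not list them, so treat a negative result as
    # "verify manually", not as proof the host is unpatched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = ($found.Count -gt 0)
        MatchingKBs  = ($found -join ', ')
    }
}

function Disable-SMBv1 {
    # Server side: Set-SmbServerConfiguration exists from Windows 8 / Server 2012;
    # on Windows 7 / Server 2008 R2 the equivalent is the SMB1 registry value.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name 'SMB1' -Type DWord -Value 0 -Force
    }
    # Client side: stop the SMBv1 redirector (mrxsmb10) from starting.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Where the optional feature exists (Windows 8.1 / 10), remove it entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

Test-MS17010Patched | Format-List
Disable-SMBv1
# The redirector change takes effect after a reboot.
```

Run the check before and after patching so the output can be kept as evidence of remediation; the redirector change only applies once the host restarts.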

Microsoft have taken the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

Relevant links to patches via:

Customer Guidance for WannaCrypt attacks

McAfee

Create a custom access rule in the AV to block the *.wcry, *.wnry, *.wncryt and *.wncry extensions, or create it on your email gateway/IPS so that it quarantines all attachments with the *.wcry, *.wnry, *.wncryt and *.wncry extensions.
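The same extension list can be enforced on the file shares themselves, as an added example that is neither a McAfee configuration nor part of this advisory: File Server Resource Manager (FSRM) on a Windows file server refuses writes of those extensions beneath a share path and logs a warning event naming the writing account, which complements the AV / gateway rule by catching the ransomware's output files on the share. It assumes the FS-Resource-Manager role service is installed and that the shares live under D:\Shares (an assumed path).

```powershell
# Added example, not a McAfee configuration and not part of the advisory.
# Requires the File Server Resource Manager role service on a Windows file server.
$patterns  = '*.wcry', '*.wnry', '*.wncryt', '*.wncry'
$sharePath = 'D:\Shares'   # assumption: the folder hosting the file shares

function Install-RansomwareFileScreen {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Patterns
    )
    Import-Module FileServerResourceManager -ErrorAction Stop

    # File group holding the extensions; created once and reused on re-runs.
    $groupName = 'WannaCry extensions'
    if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $groupName -IncludePattern $Patterns | Out-Null
    }

    # Event-log notification; FSRM substitutes the bracketed variables at run
    # time, giving the SOC the writing account and path for triage.
    $notify = New-FsrmAction -Type Event -EventType Warning `
        -Body 'FSRM blocked [Source Io Owner] writing [Source File Path] (group [Violated File Group]).'

    # -Active makes the screen enforce (deny the write) rather than only report.
    New-FsrmFileScreen -Path $Path -IncludeGroup $groupName -Active -Notification $notify
}

function Test-RansomwareFileScreen {
    param([Parameter(Mandatory)] [string] $Path)
    # $true when an active screen on the path includes the WannaCry group.
    $screen = Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue
    [bool]($screen -and $screen.Active -and ($screen.IncludeGroup -contains 'WannaCry extensions'))
}

Install-RansomwareFileScreen -Path $sharePath -Patterns $patterns
Test-RansomwareFileScreen -Path $sharePath
```

The Warning events this writes can be forwarded to the SIEM; a burst of them from one account is an early indicator that a client is encrypting files on the share.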

Firewalls / IPS

We recommend blocking the following IP addresses in/out on perimeter firewalls (recommendation from eGov Networks):

  • 197.231.221.221
  • 128.31.0.39
  • 149.202.160.69
  • 46.101.166.19
  • 91.121.65.179
  • 2.3.69.209
  • 146.0.32.144
  • 50.7.161.218
  • 217.79.179.177
  • 212.47.232.237
  • 81.30.158.223
  • 79.172.193.32
  • 38.229.72.16

We recommend blocking the following IP addresses in/out on perimeter firewalls (recommendation from various sources, including McAfee, Payload Security and Cisco Talos):

  • 104.131.84.119
  • 128.31.0.39
  • 136.243.176.148
  • 146.0.32.144
  • 163.172.153.12
  • 163.172.185.132
  • 163.172.25.118
  • 163.172.35.247
  • 171.25.193.9
  • 178.254.44.135
  • 178.62.173.203
  • 185.97.32.18
  • 188.138.33.220
  • 188.166.23.127
  • 192.42.115.102
  • 193.23.244.244
  • 198.199.64.217
  • 2.3.69.209
  • 212.47.232.237
  • 213.239.216.222
  • 213.61.66.116
  • 217.172.190.251
  • 217.79.179.77
  • 50.7.151.47
  • 51.255.41.65
  • 62.138.10.60
  • 62.138.7.231
  • 82.94.251.227
  • 83.162.202.182
  • 83.169.6.12
  • 86.59.21.38
  • 89.45.235.21
  • 94.23.173.93
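Perimeter firewall syntax is vendor-specific, so as an added example (not part of the advisory) the following applies the two lists above as host-level Windows Firewall block rules, inbound and outbound, on Windows 8 / Server 2012 or later. It pastes both lists verbatim, including the repeated entries, validates each address and collapses duplicates before building the rules, and runs in preview mode until -WhatIf is removed. The rule names are an assumption.

```powershell
# Added example, not part of the Ward Solutions advisory. Host-level complement
# to the perimeter block; requires the NetSecurity module (Windows 8 / 2012+).

# Both advisory lists pasted as published; the parser below tolerates the
# original column layout and the repeated addresses.
$advisoryText = @'
197.231.221.221 128.31.0.39 149.202.160.69 46.101.166.19 91.121.65.179 2.3.69.209
146.0.32.144 50.7.161.218 217.79.179.177 212.47.232.237 81.30.158.223 79.172.193.32
38.229.72.16
104.131.84.119 128.31.0.39 136.243.176.148 146.0.32.144 163.172.153.12 163.172.185.132
163.172.25.118 163.172.35.247 171.25.193.9 178.254.44.135 178.62.173.203 185.97.32.18
188.138.33.220 188.166.23.127 192.42.115.102 193.23.244.244 198.199.64.217 2.3.69.209
212.47.232.237 213.239.216.222 213.61.66.116 213.61.66.116 217.172.190.251 217.79.179.77
50.7.151.47 51.255.41.65 62.138.10.60 62.138.7.231 82.94.251.227 83.162.202.182
83.169.6.12 86.59.21.38 89.45.235.21 94.23.173.93 185.97.32.18 136.243.176.148
'@

function Get-UniqueIPv4 {
    param([string]$Text)
    $candidates = [regex]::Matches($Text, '\b\d{1,3}(\.\d{1,3}){3}\b') |
        ForEach-Object { $_.Value }
    # Keep only syntactically valid IPv4 addresses and collapse the duplicates
    # that occur both within and across the two source lists.
    $candidates | Where-Object {
        $parsed = $null
        [System.Net.IPAddress]::TryParse($_, [ref]$parsed) -and
            $parsed.AddressFamily -eq 'InterNetwork'
    } | Sort-Object -Unique
}

function Set-AdvisoryBlockRules {
    param([string[]]$Addresses, [switch]$WhatIf)
    foreach ($direction in 'Inbound', 'Outbound') {
        $name = "WannaCry advisory block ($direction)"   # assumed rule name
        # Drop any previous version of the rule so the script can be re-run
        # with an updated list without accumulating stale rules.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule -WhatIf:$WhatIf
        New-NetFirewallRule -DisplayName $name -Direction $direction -Action Block `
            -RemoteAddress $Addresses -Profile Any -Enabled True -WhatIf:$WhatIf
    }
}

$blockList = Get-UniqueIPv4 -Text $advisoryText
Write-Host ("{0} unique addresses parsed from the advisory lists" -f $blockList.Count)
# Preview first; remove -WhatIf to apply the rules.
Set-AdvisoryBlockRules -Addresses $blockList -WhatIf
```

Keep the source text in version control and re-run the script when the list changes; because the rules are replaced by name, the host ends up with exactly the current list rather than an accumulation of old entries. Note that both published lists contain repeated entries, and that 217.79.179.77 and 217.79.179.177 are distinct addresses as published, so both are retained.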

Key Reminders:

As recent news indicates, WannaCry may change variant and continue to breach organisations' defences, so here are key reminders on the basics of protecting against ransomware:

 

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep operating systems and other software updated.
  • Email is one of the main infection methods. Be wary of unexpected emails, especially if they contain links and/or attachments. Ensure all staff are reminded to be extra vigilant.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating and recovering from a ransomware infection. Ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Isolate unpatched systems from the larger network.
  • Ensure that access to files and file shares is granted on a least-privilege basis.

What Makes WannaCry Notable

While WannaCry (WanaCrypt or Wcry) is ransomware that works like other malware of its type, it has a few additional intricacies that highlight just how sophisticated ransomware is becoming:

  • Technically, WannaCry behaves like many other similar malware families, but with the additional ability to leverage an SMB exploit to worm its way through a network and infect numerous users.
  • The malware is built on a leaked exploit; leaked exploits often give rise to malicious actors utilising them for ill gain, as on this occasion.
  • The malware uses strong encryption, employing a 2048-bit RSA cipher, to encrypt files.
  • The malware's architecture is modular, so more than likely it was produced by a group rather than an individual actor.

Further information on the WannaCry ransomware and how it works can be found at:

https://securityintelligence.com/wannacry-ransomware-spreads-across-the-globe-makes-organizations-wanna-cry-about-microsoft-vulnerability/

If you would like additional information or would like support in implementing preventative measures in your environment, please call us on +353 1 642 0100 or +44 (0) 28 9073 0188, or e-mail us at support@ward.ie or sales@ward.ie, as appropriate.