Security Advisory Notice – Ransomware WannaCry – Ward Solutions Update II
Issued by Ward Solutions Security Operations Centre
May 15, 2017
Following on from our Security Advisory Notice – Ransomware of 12th May 2017, we have additional vendor-specific recommendations that may be applicable to your environment, as listed below.
Microsoft
Ensure all systems are patched against MS17-010 and disable the outdated SMBv1 protocol.
Microsoft have taken the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.
Relevant links to patches via:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
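The following PowerShell script is an added example, not Ward Solutions' or Microsoft's code, that audits a single host against the two recommendations above (MS17-010 installed, SMBv1 disabled) and optionally remediates the SMBv1 setting. It assumes an elevated session on Windows 7 / Server 2008 R2 or later (XP and 2003 must be checked manually), and $KbId is a placeholder for the MS17-010 KB number for your OS build, which you take from the MSRC link above.

```powershell
# Audit (and optionally remediate) the Microsoft recommendations above on one host.
# Assumptions: run as Administrator; $KbId is a placeholder for the MS17-010 KB
# number that applies to this OS build, taken from the MSRC guidance linked above.
param(
    [string]$KbId = 'KB<MS17-010 KB for this OS>',   # placeholder, replace before use
    [switch]$Remediate                               # audit only unless specified
)

# 1. Is the MS17-010 update present? Get-HotFix reads the installed-updates store.
$patch = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "MS17-010: $KbId installed on $($patch.InstalledOn)"
} else {
    Write-Warning "MS17-010: $KbId NOT found - apply the update from the MSRC link"
}

# 2. Is SMBv1 still enabled on the server side?
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the setting lives in the LanmanServer registry
    # key; a missing SMB1 value means the default, which is enabled.
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $val) -or ($val.SMB1 -ne 0)
}

if (-not $smb1Enabled) {
    Write-Output 'SMBv1: already disabled'
} elseif (-not $Remediate) {
    Write-Warning 'SMBv1: ENABLED - re-run with -Remediate to disable it'
} else {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Output 'SMBv1: disabled - reboot the host for the change to take full effect'
}
```

Run it in audit mode first across a representative sample of hosts: legacy devices such as old printers, scanners and NAS units that only speak SMBv1 will lose access to shares once the protocol is disabled, so identify them before remediating.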
McAfee
Create a custom access rule in the AV product to block the *.wcry, *.wnry, *.wncryt and *.wncry extensions, or create the equivalent rule on your email gateway/IPS so that it quarantines all attachments with the *.wcry, *.wnry, *.wncryt and *.wncry extensions.
Firewalls / IPS
We recommend blocking the following IP addresses inbound and outbound on perimeter firewalls (recommendation from eGov Networks):
We recommend blocking the following IP addresses inbound and outbound on perimeter firewalls (recommendation from various sources, i.e. McAfee, Payload Security, Cisco Talos etc.):
Key Reminders:
As recent news indicates that WannaCry may change variant and continue to breach organisations' defences, here are key reminders on the basics of protecting against ransomware:
- New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
- Keep operating systems and other software updated.
- Email is one of the main infection methods. Be wary of unexpected emails, especially if they contain links and/or attachments. Ensure all staff are reminded to be extra vigilant.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Backing up important data is the single most effective way of combating and recovering from a ransomware infection. Ensure that back-ups are appropriately protected or stored off-line so that attackers can't delete them.
- Isolate unpatched systems from the larger network.
- Ensure that access to files and fileshares is granted on a least-privilege basis.
What Makes WannaCry Notable
While WannaCry (WanaCrypt or Wcry) is ransomware that works like other malware of its type, it has a few additional intricacies that highlight just how sophisticated ransomware is becoming:
- Technically, the WannaCry ransomware behaves like many other similar malware families, but with the additional ability to leverage an SMB exploit to worm its way through a network and infect numerous users.
- The malware is built on a leaked exploit, which often gives rise to malicious actors utilising it for ill gain, as on this occasion.
- The malware uses strong symmetric encryption, employing an RSA 2048-bit cipher to encrypt files.
- The malware's architecture is modular, so it was more than likely produced by a group rather than an individual actor.
Further information on the WannaCry Ransomware and how it works can be found at:
https://securityintelligence.com/wannacry-ransomware-spreads-across-the-globe-makes-organizations-wanna-cry-about-microsoft-vulnerability/
If you would like additional information or would like support in implementing preventative measures in your environment, please call us at +353 1 642 0100 or +44 (0) 28 9073 0188, or e-mail us at support@ward.ie or sales@ward.ie, as appropriate.