Posted by David Harley on May 13, 2017.
[I don’t usually do this, but in view of the potential seriousness of the issue, this article is digested from two articles already published on the AVIEN blog, where I maintain a number of ransomware-related resources.]
[Update: you may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. I still recommend that you patch if you can.]
[Further update: there are reports of further variants, including one which is alleged not to include a kill switch. That might not be an accurate report, but certainly no-one should be relying on the neutralization of kill-switch domains rather than patching. And if you have been caught out by the malware and were thinking of paying up, be warned that payment may not get your files back, according to Check Point: WannaCry – Paid Time Off? Analysis by Microsoft here. MS recommends that you update to Windows 10 (no comment…) and/or apply the MS17-010 update. If that’s not possible, they recommend that you:
Hat tip to Artem Baranov for links to further information.]
And the backstory…
It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)
At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS17-010 are vulnerable to the ‘EternalBlue’ exploit from the Shadow Brokers NSA leak unless they have security software that blocks that exploit.
Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.
If you didn’t take advantage of the patch for Windows Vista, 7, 8.1 and later versions at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)
If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.
Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.
Kudos to Microsoft for going the extra mile…