Threats like WannaCry typically rely on social engineering or email as the primary attack vector, depending on users downloading and executing a malicious payload. In this case, however, the ransomware also spreads using the SMB EternalBlue exploit code (a cyber weapon from the leaked NSA toolkit), which exploits a vulnerability in Microsoft Windows Server Message Block 1.0 (CVE-2017-0145) that can be triggered by sending a specially crafted packet to a targeted SMBv1 server. Microsoft released the patch for this vulnerability, MS17-010, on March 14, 2017.
Upon infection, the WannaCry malware encrypts data files and demands that users pay for the key needed to decrypt them.
In order to remain protected against the WannaCry malware family, and against malware in general, the following actions are recommended:
- Apply the latest patches, and especially MS17-010 released by Microsoft, to all workstations and Windows Servers.
- Ensure that the Endpoint Protection mechanism has been updated with the latest signatures, specifically in this case those for the WannaCry malware family.
- Ensure that all endpoints are receiving the latest signatures from the Antivirus Vendor.
- Ensure that the Mail and Web Protection infrastructure is updated with the WannaCry signatures.
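As an added example that is not part of the Encode advisory, the following PowerShell script audits a single Windows host for the two conditions the first recommendation depends on: whether an MS17-010 hotfix is installed and whether the SMBv1 server protocol is still enabled. The KB numbers in the list are this example's assumption of which updates shipped MS17-010 and should be verified against the Microsoft bulletin for your exact OS build.

```powershell
# Added example (not from the Encode advisory): audit a Windows host for
# the MS17-010 fix and for the SMBv1 server protocol the exploit targets.
# Run in an elevated PowerShell session.

# KB numbers assumed to correspond to MS17-010 for common Windows versions.
# Verify this list against the Microsoft bulletin before relying on it.
$Ms17010Kbs = @(
    'KB4012212','KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012213','KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214','KB4012217',             # Server 2012
    'KB4012598',                         # Vista / Server 2008 / XP / Server 2003
    'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Returns the matching hotfix IDs found on this host (empty if none).
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    return @($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-Smb1State {
    # Reports $true when the SMBv1 server protocol is enabled.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older releases fall back to the registry value the service reads.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, which is enabled on these older releases.
    return ($null -eq $val -or $val -ne 0)
}

$found = Test-Ms17010Installed
$smb1  = Get-Smb1State

if ($found.Count -gt 0) { "MS17-010 present: $($found -join ', ')" }
else { "MS17-010 NOT found among installed hotfixes; on Windows 10 a later cumulative update may supersede the listed KBs, so check the build" }

if ($smb1) { "SMBv1 server is ENABLED; disable it unless a legacy dependency requires it" }
else { "SMBv1 server is disabled" }
```

A missing hotfix on Windows 10 is not conclusive on its own, since later cumulative updates replace the original KBs; treat the SMBv1 result as the more reliable signal on those builds.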
Encode's SOC has increased its readiness level since Friday 12/05 to ensure early warning and response for all our managed security services' clients upon the detection of signs of possible infection. Our Enorasys™ platform has already been updated with special rulesets to identify WannaCry Indicators of Compromise (IoCs), and Encode Threat Labs is continuously hunting for new possible variants.