Ransomware Variant: “WannaCry / DoublePulsar”

1. WannaCry encrypts files on victims’ computers and adds a .WCRY file extension to them. Files on network drives are also affected.
2. Data will be unrecoverable due to encrypted by ransomware.

This ransomware takes advantage of a Windows vulnerability MS17-010 via SMBv1. Please take immediate action to apply Microsoft Security Patch released in Mar 2017 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

To save your computer from harms, please help to:

Firewall

1. Ensure latest signature has been applied on IPS.
2. Check if any security threat is reported.
3. Check if any unexpected ToR connection is found.

Windows Server

1. Same as Windows Client
2. Block incoming traffic to Port 445 in Windows Firewall if no SMB service is needed.

Windows Client

1. Ensure PC has up-to-date Windows updates.
2. Disable SMBv1 – https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
3. [Reminder] ‘System Watcher’ function should be enabled in Kaspersky anti-virus software. ‘System Watcher’ has a feature of rolling back any unwanted changes such as file encryption.
4. Ensure up-to-date anti-virus software.
5. Backup your files regularly and keep them in a separate and safe place.

If you are unable to install patches to any Windows machine, you can (1) turn off SMBv1 as a workaround and (2) apply patches asap.

A. 3 methods to deploy the hotfix:

You can choose any of below 3 methods to deploy ms17-010.

1. To use WSUS to deploy.
2. To use GPO deploy ms17-010 using startup/shutdown script via wusa.exe command:
   If already have the .msu file downloaded, can use below command to install. Need to use network path
   wusa.exe xxxx.msu /quiet
3. To use GPO deploy ms17-010 using startup/shutdown script via dism.exe command, if you have the .cab file. Use below command to install. Need to use network path
   DISM.exe /Online /Add-Package /PackagePath:xxx.cab
4. Note, you can convert .msu to .cab, can use below command. Need to specify a new folder for convert result.
   Expand –F:* c:\kb976571\Windows6.1-KB976571-v2-x64.msu c:\temp\976571

B. 3 Quick Workarounds about not to use SMBv1:

Since the virus is spread via SMBv1 protocol, so a quick workaround is to disable SMBv1. Here are 3 quick workarounds about not to use SMBv1. Details: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012.

1. To disable SMBv1 for client:
   sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
             sc.exe config mrxsmb10 start=disabled
   Restart is needed.
2. To disable SMBv1 for server:
             Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type
   DWORD -Value 0 -Force
   Or
             Registry subkey:
             HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
             Registry entry: SMB1
             Registry type: DWORD
             Registry value: 0
   Restart is needed.
3. To remove SMBv1 thoroughly:
   • For client operating systems:
     1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
     2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
     3. Restart the system.
   • For server operating systems:
     1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
     2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
     3. Restart the system.

ITSC has applied IP filtering to list of TOR (Threat of Release) sites.  Please report to ITSC if you (or users) can’t access to any legitimate websites.

As usual, ITSC is closely monitoring all our critical systems and infrastructure to ensure healthy and clean environment.

Although no incident report has been received by ITSC, we would like you to be vigilant.

Since Petya will start data encryption after system reboot, if user found their Windows hang suddenly and reboot (like the screen below), they should:

1. Turn off the computer IMMEDIATELY once the Windows Logo appears. Otherwise, the encryption process will be started.
2. Then, use the Live CD to boot the system, or unplug the hard disk and connect it to other computer for cleanup/create Kill-Switch and data backup.
3. DO NOT respond to any kidnapper by attempting payment and instead to report the incident to ITSC and the Police.

Note : Once the encryption process is completed, the data will be unrecoverable.

• Customer Guidance for WannaCrypt attacks – Microsoft
  https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
• Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks
  http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attacks/
• How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
  https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
• Stay tuned at ITSC web site about Ransomware News
• https://en.m.wikipedia.org/wiki/DoublePulsar
• Information Security Best Practices