How to protect yourself from the WannaCry ransomware virus attack


    This article was prepared in response to a massive hacker attack on a global scale that could affect you. The consequences are really serious. Below you will find a brief description of the problem and of the main measures that must be taken to protect against the WannaCry family of ransomware.

    The WannaCry ransomware uses the Microsoft Windows MS17-010 vulnerability to execute malicious code and run the ransomware on vulnerable PCs; the virus then offers to decrypt the data if the attackers are paid about $300. The virus has spread widely around the world and received active media coverage: Fontanka.ru, Gazeta.ru, RBC.

    This vulnerability affects PCs running Windows from XP to Windows 10 and Server 2016; official Microsoft vulnerability information can be found here and here.

    This vulnerability belongs to the remote code execution class, which means that infection can come from an already infected PC over a low-security network without firewall segmentation (local networks, public networks, guest networks), as well as from launching malware received by mail or in the form of a link.

    Security measures

    Measures that should be singled out as effective against this virus:

    1. Make sure you have installed the latest Microsoft Windows updates that fix the MS17-010 vulnerability. Links to the updates can be found here. Also note that, because of the unprecedented severity of this vulnerability, updates for unsupported operating systems (Windows XP, Server 2003, Server 2008) were released on May 13; you can download them here.

    2. If you use IPS-class network security solutions, make sure the updates that detect and compensate for network vulnerabilities are installed. This vulnerability is described in the Check Point knowledge base here; it is included in the IPS update dated March 14, 2017, as Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143). We also recommend inspecting the internal traffic of key network segments with IPS, at least for a short time, until the probability of infection decreases.

    3. Because the virus code is likely to change, we recommend activating the AntiBot & Antivirus systems and emulating the launch of files that arrive from external sources by mail or from the Internet. If you use Check Point Security Gateways, this system is Threat Emulation. For companies that do not have this subscription, we offer to issue it quickly for a 30-day trial period. To request a key that activates a fully functional subscription for your Check Point gateway, write to SOS@TSSOLUTION.RU. For more information about file emulation systems, see here.

    Also block the transfer of password-protected archives and activate the following IPS signatures:
    Microsoft Windows EternalBlue SMB Remote Code Execution
    Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143)
    Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)
    Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0145)
    Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0146)
    Microsoft Windows SMB Information Disclosure (MS17-010: CVE-2017-0147)

    More recommendations and an example of a report on blocking the WannaCry ransomware are here.
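
    The internal traffic check from item 2 can also be run over flow logs. The Python below is an added example, not part of the original article or of any Check Point product: it flags hosts that open SMB (TCP 445) sessions to many peers in a short window, the pattern an infected PC produces on a network without firewall segmentation. The log format, thresholds, segment plan and addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445   # SMB over TCP, the service the MS17-010 flaw is in
WINDOW = 60      # seconds per counting window (assumed value)
MAX_PEERS = 4    # distinct SMB peers tolerated per source per window (assumed)
# Hypothetical segment plan; SMB between segments should cross a firewall/IPS.
SEGMENTS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]

def build_sample():
    """Constructed flow log, one 'epoch src dst dport' record per line."""
    lines = ["1494590400 10.0.1.15 10.0.1.2 445",   # workstation to file server
             "1494590410 10.0.1.15 10.0.2.80 443",  # not SMB, ignored
             "garbage line"]                        # malformed, skipped
    # 10.0.1.77 opens SMB to eight hosts in the other segment within seconds.
    lines += [f"14945904{20 + i} 10.0.1.77 10.0.2.{i} 445" for i in range(1, 9)]
    return "\n".join(lines)

def segment_of(ip):
    addr = ip_address(ip)
    return next((net for net in SEGMENTS if addr in net), None)

def find_smb_fanout(log_text):
    """Return {source: sorted SMB peers} for sources over MAX_PEERS in a window."""
    peers = defaultdict(set)               # (source, window) -> SMB destinations
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            ts, dport = int(ts), int(dport)
            ip_address(src), ip_address(dst)
        except ValueError:
            continue                       # wrong field count or bad value
        if dport == SMB_PORT:
            peers[(src, ts // WINDOW)].add(dst)
    alerts = defaultdict(set)
    for (src, _), dsts in peers.items():
        if len(dsts) > MAX_PEERS:
            alerts[src] |= dsts
    return {s: sorted(d, key=ip_address) for s, d in alerts.items()}

def crossing_segments(alerts):
    """Flagged sources with at least one SMB peer outside their own segment."""
    return sorted(s for s, d in alerts.items()
                  if any(segment_of(p) != segment_of(s) for p in d))

if __name__ == "__main__":
    found = find_smb_fanout(build_sample())
    print(found, "crossing segments:", crossing_segments(found))
```

    Windows are counted in fixed 60-second buckets, so tune WINDOW and MAX_PEERS against normal file-server traffic before alerting on the result.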

    Dear colleagues, based on experience with previous massive attacks, such as Heartbleed, the Microsoft Windows MS17-010 vulnerability will be actively exploited over the next 30-40 days. Do not delay countermeasures! Just in case, check that your backup system works.

    The risk is really great!

    UPD: On Thursday, May 18, at 10:00 Moscow time, we invite you to a webinar on ransomware and methods of protection.

    The webinar is hosted by TS Solution and Sergey Nevstroyev, Check Point Threat Prevention Sales Manager Eastern Europe.
    We will address the following issues:
    • Attack #WannaCry
    • Scale and Current Status
    • Features
    • Factors behind the mass spread

    Security recommendations

    How to stay one step ahead and sleep peacefully
    • IPS + AM
    • SandBlast: Threat Emulation and Threat Extraction
    • SandBlast Agent: Anti-Ransomware
    • SandBlast Agent: Forensics
    • SandBlast Agent: Anti-Bot

    You can register by replying to this email or by following the registration link here.

    Have you already encountered the WannaCry ransomware?

    • 3% yes 27
    • 90.6% no 797
    • 4.8% encountered another ransomware 43
    • 1.3% encountered, but the current protection system worked well 12
