QUOTE OF THE DAY
“Microsoft’s mission is to empower every person and organization on the planet to achieve more — [that] is what drives all of our technology innovation agenda, how we interact with our customers and partner with our ecosystem,” Satya Nadella
Microsoft handled the WannaCry Crisis rather well.
WHAT WAS DONE TO HELP WINDOWS USERS?
The “WannaCrypt” attack, widely referred to as WannaCry, sent shock waves across the world this past week. Affected victims were using older versions of Windows, more specifically Windows 7, 8, XP, or Vista. However, Microsoft went into damage-control mode promptly and alerted and helped users in time to avert a more pervasive outbreak.
“If you are using Windows Vista, 7, 8.1 & 10: In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Security Update enabled are protected against attacks on this vulnerability.
For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010. (MS17-010 Security Update can be downloaded here.)
Activate Windows Defender: For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider whether they are protected.”
~Excerpt from Microsoft’s official NL
WHAT ABOUT THOSE WHO ARE USING OLDER VERSIONS?
Although Microsoft has stopped releasing updates for older Windows versions like XP and Vista, the company, gauging the gravity of the WannaCry virus, released emergency updates for older versions as well.
Security updates for platforms in custom support (only) were released. Security updates for Windows XP, Windows 8 and Windows Server 2003 (this applies to Windows 2003 R2 as well) are broadly available for download here.
Anticipating that the attack ‘may evolve over time’, Microsoft advised users to use ‘additional defense-in-depth strategies’ too.
“…to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks. Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources.”
~Excerpt from Microsoft’s official NL
WILL THE SECURITY PATCH PREVENT FUTURE RANSOMWARE ATTACKS?
No. As we have mentioned in our previous posts, a ransomware attack can neither be prevented nor intercepted. However, in this case, applying MS17-010 ensures that the infection doesn’t spread. But it won’t give you protection against being attacked or infected through WannaCry or other ransomware.
HOW CAN THE INFECTION BE STOPPED FROM SPREADING?
Microsoft reported that the WannaCry malware is using social engineering to target companies and categorically asked companies to warn users not to open, click or enable macros in emails they receive.
It also asked companies to verify that signatures were up-to-date, along with patching their Windows systems. Further, it urged companies to ensure that users/employees ‘have the level of knowledge required to never click on suspicious attachments even if they are displayed with a familiar icon (office or PDF document)’. Microsoft also added, “where an attachment opening offers the execution of an application, users must under no circumstances accept the execution and, in doubt, users should consult the administrator.”
HOW DOES WANNACRY PROLIFERATE THROUGH SMB?
The ransomware exploits a vulnerability in the Windows Server Message Block (SMB) file sharing protocol. It spreads to unpatched devices directly connected to the internet and, once inside an organization, to machines and devices behind the firewall as well.
Therefore, disabling the SMB v1 server (LanmanServer) on all the machines of your company will protect you from the vulnerability. However, disabling or removing SMB v1 should be done carefully. Click here to know more about disabling SMB v1. There is no need to disable the SMB v1 client (LanmanWorkstation).
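One way to audit and turn off the SMB v1 server side while leaving the client alone, as an added example that is not taken from Microsoft's guidance or from this post. The `-Disable` switch and the function names are hypothetical; it assumes an elevated PowerShell session and falls back to the LanmanServer registry value on systems that lack the SMB cmdlets.

```powershell
# Added example: report the SMBv1 *server* (LanmanServer) state and, with
# -Disable, turn it off. The SMBv1 client (LanmanWorkstation) is not touched.
param([switch]$Disable)   # hypothetical switch: report only unless given

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later: the SMB cmdlets expose the setting.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        return New-Object PSObject -Property @{ Source = 'Cmdlet'; Enabled = $enabled }
    }
    # Older systems: registry value SMB1. A missing value means the default,
    # which is enabled, so only an explicit 0 counts as disabled.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $value) -or ($value -ne 0)
    return New-Object PSObject -Property @{ Source = 'Registry'; Enabled = $enabled }
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry change takes effect after the machine is restarted.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    }
}

$state = Get-Smb1ServerState
Write-Output ("{0}: SMBv1 server enabled = {1} (source: {2})" -f `
    $env:COMPUTERNAME, $state.Enabled, $state.Source)

if ($state.Enabled -and $Disable) {
    Disable-Smb1Server
    $after = Get-Smb1ServerState
    Write-Output ("{0}: SMBv1 server enabled after change = {1}" -f `
        $env:COMPUTERNAME, $after.Enabled)
}

# Confirm the client-side service was left as it was.
Get-Service -Name LanmanWorkstation | Select-Object Name, Status
```

Run it without arguments first to see which machines still have the SMB v1 server enabled, and test the change on a small group before a company-wide rollout, since older devices may still depend on SMB v1.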
WHAT ABOUT WINDOWS 10 USERS?
The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack as of now. However, Windows 10 users were targeted during the later stages of the attack. Thus, Windows 10 systems also need to be patched, because variants can be developed. In addition to this, Microsoft also recommended the removal of SMBv1 from the clients and Windows servers, after doing a complete review of the SMB v1 removal link (see above).