


How To Protect Against Wannacry Windows 7

Last Friday, May 12, a large-scale ransomware attack affected several organizations around the world, with more than 200,000 infections in more than 150 countries.

The malware, known as 'WannaCry', has the capability to scan port TCP 445 (Server Message Block/SMB), spreading like a worm by exploiting CVE-2017-0147 (MS17-010) using the ETERNALBLUE modules and the DOUBLEPULSAR backdoor brought to the public by The Shadow Brokers group last April.

After compromise it will encrypt files on the infected system and demand a ransom between EUR 270 and EUR 550.

There is still no evidence on the initial vector of compromise. Some reports suggested that an email with zip and/or pdf attachments led to WannaCry infections, but all the emails analyzed were from a distribution campaign of the Jaff ransomware that occurred less than 24 hours before WannaCry first appeared and are not related.

A possible vector of compromise is via tcp/445 (SMB). Since the malware employs a worm that exploits vulnerabilities in SMB, a machine exposing this service to the Internet, either in a corporate network or on a laptop system, could then be used to infect systems inside a network due to either bad network partitioning or mobility of the users between domestic and corporate networks.

The malware consists of two components: a main component that contains the worm capability via SMB and a ransomware component (WannaCry itself). When the malware runs, it makes a request to the domain www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If it receives a valid HTTP response, the worm component is not executed, preventing its dissemination. This domain functions as a "killswitch" and is thought to have been purposely placed by the author(s) to control the level of malware spread, preventing it from infecting other systems both local and on the Internet if the domain is active.

There are three known Bitcoin wallets where the ransom payments are made. At 10:20 on May 15, these wallets accounted for a total of about EUR 45,000, for an estimated 187 payments made to the criminals.


How to protect against WannaCry Ransomware:

  • Install the Windows security update for MS17-010 on all systems on the network. Microsoft made the update available for systems that are no longer supported, such as Windows XP.
  • Disable version 1 of SMB (SMBv1) in the Windows domain or on all Windows systems on the network.
  • Do not block the domain www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Unlike normal, this domain prevents the worm from being activated, and the malware expects to receive a valid response from it so that it does not propagate to other systems on the local network or on the Internet.
  • Because the domain is now operated by researchers and not by criminals, you can let traffic from infected systems to it pass through your network.
  • If this is not an option, create a DNS zone for this domain and point it to an internal webserver that can return a valid HTTP response. This option should also be followed by those who have a non-transparent proxy on the network, since the malware does not work well through proxies and as such will never receive a valid response.
  • If you have systems already infected, do not pay the ransom, do not be part of the 0.0001% that is paying the criminals.
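
The internal webserver option from the list above, as an added example (not code from the original article or from AnubisNetworks): a minimal server that answers any GET with 200 and records which hosts asked, plus a check that a direct, non-proxied request carrying the kill-switch Host header gets an HTTP response. The function names, the loopback bind address and treating any well-formed HTTP response as "valid" are assumptions; the DNS zone that points the domain at this server is configured separately.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Domain exactly as the article prints it (defanged), re-fanged for use as a Host header.
KILLSWITCH_HOST = "www[.]Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".").lower()


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answers every GET with 200 so the requesting host sees a valid HTTP response."""

    def do_GET(self):
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Instead of printing, record who asked: every internal client that
        # requests this domain is a candidate infected host for incident response.
        headers = getattr(self, "headers", None)
        host = headers.get("Host") if headers else None
        self.server.seen.append((self.client_address[0], host))


def start_sinkhole(bind_addr="127.0.0.1", port=0):
    """Start the sinkhole in a background thread (assumed names; port 0 = ephemeral)."""
    server = ThreadingHTTPServer((bind_addr, port), SinkholeHandler)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def killswitch_answers(ip, port=80, timeout=3.0):
    """True if a direct GET to ip:port with the kill-switch Host header gets an HTTP response."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": KILLSWITCH_HOST})
        return 100 <= conn.getresponse().status < 600
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_sinkhole()
    print(killswitch_answers(*srv.server_address), srv.seen)
```

In production the server would bind to the address the internal DNS zone returns, on port 80, and `killswitch_answers` would be run from a workstation segment against that address to confirm the path does not depend on the proxy.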

In general, keep your systems up-to-date and perform backups on a regular basis. Prevention is still the best strategy to combat ransomware.

For more information on ransomware in general, visit the No More Ransom project.


Source: https://www.anubisnetworks.com/blog/how-to-protect-against-wannacry-ransomware

Posted by: taylorwashound.blogspot.com
