
How to protect yourself from the attack of the encryption virus “WannaCry”


This article was prepared in response to a mass hacker attack on a global scale that may affect you. The consequences are really serious. Below you will find a brief description of the problem and of the main measures to take to protect against the WannaCry family of encryption viruses.

The WannaCry encryption virus uses the Microsoft Windows MS17-010 vulnerability to execute malicious code and run an encryption program on vulnerable PCs; the virus then demands about $300, payable to the attackers, to decrypt the data. The virus has spread widely worldwide and received active media coverage: Fontanka.ru, Gazeta.ru, RBC.

PCs running Windows versions from XP through Windows 10 and Server 2016 are affected by this vulnerability. Official Microsoft information about the vulnerability is available here and here.

This vulnerability belongs to the remote code execution class, which means that infection can spread from an already infected PC across a poorly secured network that is not segmented by a firewall (local networks, public networks, guest networks), as well as by launching malware received by mail or via a link.
Security measures

The following measures are effective against this virus:

  1. Make sure you have the latest Microsoft Windows updates installed that remove the MS17-010 vulnerability. Links to the updates can be found here. Note also that, due to the unprecedented severity of this vulnerability, updates were released on May 13 for unsupported operating systems (Windows XP, Server 2003, Server 2008); you can download them here.

  2. If you use IPS class network security solutions, make sure the updates that detect and mitigate this network vulnerability are installed. The Check Point Knowledge Base describes this vulnerability here; it is covered by the IPS update of March 14, 2017, Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143). We also recommend enabling IPS inspection of the internal traffic of key network segments, at least for a short time, until the probability of infection decreases.

  3. Because the virus code is likely to change, we recommend activating Anti-Bot and Antivirus systems and emulating executable files arriving from external sources via mail or the Internet. If you use Check Point Security Gateways, this capability is Threat Emulation. For companies that do not have this subscription, we offer to issue it quickly for a 30-day trial period. To request a key activating a full-featured subscription for your Check Point gateway, write to SOS@TSSOLUTION.RU. You can read more about file emulation systems here, here and here.

Also block the transfer of password-protected archives and activate the IPS signatures from this list:
Microsoft Windows EternalBlue SMB Remote Code Execution
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143)
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0145)
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0146)
Microsoft Windows SMB Information Disclosure (MS17-010: CVE-2017-0147)
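The measures above rely on SMB traffic between network segments being watched, not just blocked. The following is an added example, not code from the article or from Check Point: it parses constructed connection-log lines (space-separated time, source, destination, port, action), flags accepted SMB connections that enter the corporate segment from guest or external addresses, and flags any source that reaches many distinct internal hosts over SMB, the pattern a self-propagating worm leaves. The segment addressing and the scan threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the article): "time src dst dport action"
SAMPLE_LOG = """\
10:01:02 10.10.5.23 10.10.5.40 445 accept
10:01:03 10.10.5.23 10.10.5.41 445 accept
10:01:03 10.10.5.23 10.10.5.42 445 accept
10:01:04 10.10.5.23 10.10.5.43 445 accept
10:01:05 10.10.5.23 10.10.5.44 445 accept
10:01:06 192.168.100.7 10.10.5.50 445 accept
10:02:00 10.10.5.60 10.10.5.61 443 accept
10:02:10 203.0.113.9 10.10.5.50 445 drop
"""

SMB_PORTS = {139, 445}          # SMB over TCP (445) and NetBIOS session (139)
SEGMENTS = {                    # assumed addressing plan; adjust to the real network
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "guest": ipaddress.ip_network("192.168.100.0/24"),
}
SCAN_THRESHOLD = 5              # distinct internal SMB targets per source (assumed)

def segment_of(ip):
    """Name the segment an address belongs to; anything unlisted is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def parse_line(line):
    t, src, dst, dport, action = line.split()
    return {"time": t, "src": src, "dst": dst, "dport": int(dport), "action": action}

def analyze(log_text):
    """Return (cross_segment_smb, suspected_scanners) for accepted SMB traffic
    that reaches the corporate segment."""
    cross_segment = []
    targets = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dport"] not in SMB_PORTS or rec["action"] != "accept":
            continue
        if segment_of(rec["dst"]) != "corporate":
            continue
        if segment_of(rec["src"]) != "corporate":
            cross_segment.append((rec["src"], rec["dst"]))   # segmentation gap
        targets[rec["src"]].add(rec["dst"])
    scanners = sorted(s for s, d in targets.items() if len(d) >= SCAN_THRESHOLD)
    return cross_segment, scanners
```

On the sample, the guest host reaching the LAN over SMB is reported as a segmentation gap, while the dropped external attempt is not; the host that touched five internal machines on port 445 within seconds is reported as a suspected scanner.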

Further recommendations and an example of a report on blocking the WannaCry ransomware can be found here.

Dear colleagues, judging by experience with previous massive attacks such as Heartbleed, the Microsoft Windows MS17-010 vulnerability will be actively exploited over the next 30-40 days, so do not postpone countermeasures! Just in case, check your backup system.

The risk is really big!

UPD. On Thursday, May 18, at 10:00 Moscow time, we invite you to a webinar on ransomware and methods of protection against it.

The webinar is conducted by TS Solution and Sergey Nevstruev, Check Point Threat Prevention Sales Manager, Eastern Europe.
We will address the following questions:

  1. Safety advice

  2. How to be a step ahead and sleep well

You can register by replying to this email or by following the registration link here.

Source: https://habr.com/ru/post/328658/

