UPDATE: GLOBAL RANSOMWARE ALERT – WannaCry Ransomware

Update May 24, 2017: There are now reports of new variants using the same vulnerability exploited by the WannaCry attack. These variants (EternalRocks, Adylkuzz, UIWIX) are being spread directly from infected systems to exposed vulnerable systems.
Installing the MS17-010 patch for Windows is the only way to eliminate the vulnerabilities being actively exploited.

If a system cannot be patched, the next best alternative is to block or remove SMB services. Disabling only specific versions of SMB on Windows systems has proven ineffective and is no longer sufficient.

If a system cannot be patched, and SMB services cannot be blocked or removed, please contact us at security@ubc.ca for a risk assessment and threat mitigation recommendation.

A number of large organizations, such as Britain's National Health Service, have been affected by a massive, global ransomware attack called WannaCry. This ransomware is spread by an unpatched vulnerability, identified by Microsoft as MS17-010, and demands a ransom of $300.

Emails with this ransomware may have subject lines such as:

  • Copy_[with Random Numbers]
  • Document_[with Random Numbers]
  • Scan_[with Random Numbers]
  • File_[with Random Numbers]
  • PDF_[with Random Numbers]

This is not an exhaustive list. Please be extra cautious and do not open any emails that seem suspicious or unfamiliar no matter what the subject line is.

Severity

Critical

CVE

  • CVE-2017-0007
  • CVE-2017-0016
  • CVE-2017-0039
  • CVE-2017-0057
  • CVE-2017-0100
  • CVE-2017-0104
  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148

Impacted platforms

  • All versions of Windows 2000 and prior are vulnerable and no patch is available
  • Windows XP with Service Pack 3 x86: KB4012598
  • Windows XP with Service Pack 2 x64: KB4012598
  • Windows XP Embedded with Service Pack 3 x86: KB4012598
  • Windows Vista with Service Pack 2 x86: KB4012598
  • Windows Vista with Service Pack 2 x64: KB4012598
  • Windows 7 with Service Pack 1 x86: KB4012212 or KB4012215
  • Windows 7 with Service Pack 1 x64: KB4012212 or KB4012215
  • Windows 8 x86: KB4012598
  • Windows 8 x64: KB4012598
  • Windows 8.1 x86: KB4012213 or KB4012216
  • Windows 8.1 x64: KB4012213 or KB4012216
  • Windows 10 x86: KB4012606
  • Windows 10 x64: KB4012606
  • Windows 10 version 1511 x86: KB4013198
  • Windows 10 version 1511 x64: KB4013198
  • Windows 10 version 1607 x86: KB4013429
  • Windows 10 version 1607 x64: KB4013429
  • Windows Server 2003 with Service Pack 2 x86: KB4012598
  • Windows Server 2003 with Service Pack 2 x64: KB4012598
  • Windows Server 2008 with Service Pack 2 x86: KB4012598
  • Windows Server 2008 with Service Pack 2 x64: KB4012598
  • Windows Server 2008 R2 with Service Pack 1: KB4012212 or KB4012215
  • Windows Server 2012: KB4012214 or KB4012217
  • Windows Server 2012 R2: KB4012213 or KB4012216
  • Windows Server 2016: KB4013429

Recommended actions

Please ensure your servers have the latest patches.

If patches are not available for a system and it cannot be protected via alternative controls, such as anti-malware, then it is recommended that SMB ports be blocked for the system until it can be patched or additional controls are applied to protect against infection.

Patching Guidance

  1. Desktops and Laptops must be patched and running current anti-malware that provides protection
  2. Servers that are vendor supported, and not end of life, must be patched
  3. Servers that cannot be patched must block SMB via host-based or network firewalls
  4. All servers must have up-to-date anti-malware protection
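As an added example, not part of this advisory, the following PowerShell script audits a single host against the guidance above: it checks Get-HotFix for the KB numbers listed under Impacted platforms, reports whether SMBv1 and TCP port 445 are exposed, and can add the host-firewall block recommended for servers that cannot be patched. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (NetSecurity and SmbShare modules present); the firewall rule name is my own choice.

```powershell
# Added example, not part of the UBC advisory. Assumes an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later.

# KB numbers from the advisory's "Impacted platforms" list; any one of them
# present indicates the MS17-010 fix for that platform is installed.
$Ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'

function Test-Ms17010Patched {
    $installed = (Get-HotFix).HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    # Caveat: on Windows 10 / Server 2016 a later cumulative update supersedes
    # these KBs, so an empty result there means "verify the OS build", not "unpatched".
    [pscustomobject]@{ Patched = ($hits.Count -gt 0); MatchedKBs = $hits }
}

function Test-SmbExposure {
    $smb       = Get-SmbServerConfiguration
    $listening = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    # Look for an enabled inbound block rule covering TCP/445 at the host firewall.
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    [pscustomobject]@{
        Smb1Enabled       = $smb.EnableSMB1Protocol
        Port445Listening  = ($listening.Count -gt 0)
        Inbound445Blocked = ($null -ne $blockRule)
    }
}

# Advisory mitigation for hosts that cannot be patched: block SMB at the host
# firewall. Reports only, unless -Apply is given. Rule name is an assumption.
function Block-InboundSmb {
    param([switch]$Apply)
    $name = 'Block inbound SMB (MS17-010 mitigation)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return "rule '$name' already present"
    }
    if (-not $Apply) { return "would create rule '$name' (re-run with -Apply)" }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -Action Block | Out-Null
    return "created rule '$name'"
}

$patch = Test-Ms17010Patched
$smb   = Test-SmbExposure
$patch; $smb
if (-not $patch.Patched -and -not $smb.Inbound445Blocked) {
    Write-Warning 'MS17-010 KB not found and inbound SMB not blocked: patch, or run Block-InboundSmb -Apply'
}
```

Run it per host (or wrap the functions in Invoke-Command for a fleet) and treat a warning on a vendor-supported server as a patching ticket, and on an end-of-life server as the trigger for the firewall block in step 3.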

If in any doubt at all, please don’t hesitate to contact the UBC IT Service Desk at http://www.it.ubc.ca/helpdesk

More Information

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://technet.microsoft.com/en-us/library/security/ms17-012.aspx

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

https://blog.malwarebytes.com/cybercrime/2017/05/wanacrypt0r-ransomware-hits-it-big-just-before-the-weekend/