UPDATE: GLOBAL RANSOMWARE ALERT – WannaCry Ransomware

Update May 24, 2017:There are now reports of new variants using the same vulnerability exploited by the WannaCry attack. These variants (EternalRocks, Adylkuzz, UIWIX) are being spread directly from infected systems to exposed vulnerable systems.
Installing the MS17-010 patch for Windows is the only way to eliminate the vulnerabilities being actively exploited.If a system cannot be patched, then the next best alternative is to block or remove SMB services. It is no longer sufficient to simply disable only specific versions of SMB on Windows systems, as this has proven to be ineffective.

If a system cannot be patched, and SMB services cannot be blocked or removed, please contact us at security@ubc.ca for a risk assessment and threat mitigation recommendation.

A number of large organizations, such as Britain’s National Health Service—have been affected by a massive, global ransomware attack called WannaCry. This ransomware is spread by an unpatched vulnerability, identified by Microsoft as MS17-010, and demands a ransom of $300.

Emails with this ransomware may have subject lines such as:

Copy_[with Random Numbers],
Document_[with Random Numbers], Scan_[with Random Numbers],
File_[with Random Numbers]
PDF_[with Random Numbers]

This is not an exhaustive list. Please be extra cautious and do not open any emails that seem suspicious or unfamiliar no matter what the subject line is.

Severity

Critical

CVE

CVE-2017-0007
CVE-2017-0016
CVE-2017-0039
CVE-2017-0057
CVE-2017-0100
CVE-2017-0104
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148

Impacted platforms

All versions of Windows 2000 and prior are vulnerable and no patch is available
Windows XP with Service Pack 3 x86 KB4012598
Windows XP with Service Pack 2 x64 KB4012598
Windows XP Embedded with Service Pack 3 x86 KB4012598
Windows Vista with Service Pack 2 x86 KB4012598
Windows Vista with Service Pack 2 x64 KB4012598
Windows 7 with Service Pack 1 x86 KB4012212 or KB4012215
Windows 7 with Service Pack 1 x64 KB4012212 or KB4012215
Windows 8 x86 KB4012598
Windows 8 x64 KB4012598
Windows 8.1 x86 KB4012213 or KB4012216
Windows 8.1 x64 KB4012213 or KB4012216
Windows 10 x86 KB4012606
Windows 10 x64 KB4012606
Windows 10 version 1511 x86 KB4013198
Windows 10 version 1511 x64 KB4013198
Windows 10 version 1607 x86 KB4013429
Windows 10 version 1607 x64 KB4013429
Windows Server 2003 with Service Pack 2 x86 KB4012598
Windows Server 2003 with Service Pack 2 x64 KB401258
Windows Server 2008 with Service Pack 2 x86 KB4012598
Windows Server 2008 with Service Pack 2 x64 KB401258
Windows Server 2008 R2 with Service Pack 1 KB4012212 or KB4012215
Windows Server 2012 KB4012214 or KB4012217
Windows Server 2012 R2 KB4012213 or KB4012216
Windows Server 2016 KB4013429

Recommended actions

Please ensure your servers have the latest patches:

If patches are not available for a system and it cannot be protected via alternative controls, such as anti-malware, then it is recommended that SMB ports be blocked for the system until such time as it can be patched or additional controls applied to protect against infection.

Patching Guidance

Desktops and Laptops must be patched and running current anti-malware that provides protection
Servers that are vendor supported, and not end of life, must be patched
Servers that cannot be patched must block SMB via host-based or network firewalls
All servers must have up to date anti-malware protection

If in any doubt at all, please don’t hesitate to contact the UBC IT Service Desk at http://www.it.ubc.ca/helpdesk