Guidance for customers: Wanacrypt0r ransomware

What we know

• The ransomware worm uses one of the “Shadowbroker” exploits identified earlier this year (MS17-010)
• Microsoft released a patch for this on the 14th March which corrects the vulnerability. However, unpatched machines are exposed to this attack. 
• The ransomware worm is capable of getting into other parts of the network (lateral propagation) using this vulnerability.
• The way it gains access to the network has not been confirmed at this stage. It is likely to include (but not be limited to) emails containing malicious payloads. A malicious payload is the software designed to damage or destroy information on a computer.
• Whilst detection rules and indicators are available to find the ransomware, these alone will not prevent infection.

What we recommend to reduce your exposure

• Ensure Microsoft patch MS17-010 is applied to all vulnerable machines. For older machines (XP, 8 and Server 2003) go to: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/  
• Block ports 137, 139, 445, 3389 and 9001 for inbound and outbound traffic to your network
• Disable SMBv1
• Ensure your antivirus is updated with the latest signature files (force updates if required)
• To prevent internal propagation in the event of an infection, you may consider blocking ports 445 and 3389 for internal traffic.
• On no account block: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. This site is reported to act as a kill switch for some variants, preventing encryption.

What to do if you’ve been infected

• Don’t pay the ransom. There is a strong possibility that the BitCoin address is non-unique which suggests that the propagators would not be able to tell who’s paying them and therefore have no intention of unlocking your data
• Rebuild your patched machine
• Restore from back-up