The ransomware locks people out of their network and demands payment to allow them access to their information. BAE Systems is currently working alongside the NCSC (National Cyber Security Centre) in the UK, and other organisations within the security community, to investigate the incidents.
What we know
- The ransomware worm uses one of the “Shadowbroker” exploits identified earlier this year (MS17-010)
- Microsoft released a patch for this on the 14th March which corrects the vulnerability. However, unpatched machines are exposed to this attack.
- The ransomware worm is capable of getting into other parts of the network (lateral propagation) using this vulnerability.
- The way it gains access to the network has not been confirmed at this stage. It is likely to include (but not be limited to) emails containing malicious payloads. A malicious payload is the software designed to damage or destroy information on a computer.
- Whilst detection rules and indicators are available to find the ransomware, these alone will not prevent infection.
What we recommend to reduce your exposure
- Ensure Microsoft patch MS17-010 is applied to all vulnerable machines. For older machines (XP, 8 and Server 2003) go to: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Block ports 137, 139, 445, 3389 and 9001 for inbound and outbound traffic to your network
- Disable SMBv1
- Ensure your antivirus is updated with the latest signature files (force updates if required)
- To prevent internal propagation in the event of an infection, you may consider blocking ports 445 and 3389 for internal traffic.
- On no account block: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. This site is reported to act as a kill switch for some variants, preventing encryption.
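The host-side recommendations above can be spot-checked with a short read-only PowerShell audit. This is an added example, not BAE Systems' own tooling; the function name Test-AdvisoryPosture is hypothetical, and it assumes an elevated prompt on Windows 8 / Server 2012 or later. DNS resolution is used as a partial check that the kill-switch site has not been blocked.

```powershell
# Added example: read-only audit of one host against the advisory's recommendations.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.

$Ports      = 137, 139, 445, 3389, 9001   # ports named in the advisory
$KillSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Test-AdvisoryPosture {   # hypothetical name, not from the advisory
    $findings = @()

    # 1. The SMBv1 server protocol should be disabled.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is still enabled'
    }

    # 2. Report advisory ports this host is listening on (TCP, then UDP).
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in $tcp) { $findings += "Listening on TCP port $p" }

    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in $udp) { $findings += "Listening on UDP port $p" }

    # 3. The kill-switch domain must not be blocked. A DNS failure here
    #    suggests a DNS filter or sinkhole is dropping it (partial check only).
    try {
        Resolve-DnsName -Name $KillSwitch -ErrorAction Stop | Out-Null
    } catch {
        $findings += "Kill-switch domain does not resolve: $KillSwitch"
    }

    $findings
}

$result = Test-AdvisoryPosture
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Output 'No findings for the checks performed.' }

# Remediation for finding 1 (changes configuration, run deliberately):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

A listening port is not a finding in itself on servers that need the service; it shows where the perimeter and internal blocks described above matter most.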
What to do if you’ve been infected
- Don’t pay the ransom. There is a strong possibility that the Bitcoin address is non-unique, which suggests that the propagators would not be able to tell who is paying them and therefore have no intention of unlocking your data.
- Rebuild your patched machine
- Restore from back-up
If you are concerned and would like to speak to one of our experts about your network defence please contact us on:
E: cyberresponse@baesystems.com
UK: 0808 168 6647
US: 1800 417-2155
International: +44 (0)1483 817491