WHAT WE KNOW SO FAR
A major ransomware attack broke on Friday May 12, affecting many organizations the world over, reportedly including major telcos, hospital systems and transportation providers. The attack has purportedly spread to some 150 countries around the world. This is the first ransomware worm to ever be seen in the wild. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.
WannaCry gets installed through a vulnerability in the Microsoft SMB protocol, not through phishing or malvertising. SMB is a network protocol used to share files between computers. The reason WannaCry is particularly effective is that it can spread laterally across the same network, automatically installing itself on other systems without any end-user involvement. The malware is particularly effective in environments with Windows XP machines. It scans heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting the files stored on them, and then demanding a ransom payment in the form of Bitcoin.
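The lateral-spread behaviour described above leaves a distinctive footprint: one internal host opening connections to many distinct internal hosts on TCP/445 in a short time. The following Python script is an added example, not code from the original post or from Cisco, showing a simple detection rule over constructed firewall-style connection log lines (timestamp, source, destination, destination port, action). It flags any source that reaches at least `threshold` distinct destinations on port 445 within a sliding time window, while a normal client that repeatedly talks to a single file server is not flagged. The log format, hosts and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (not real traffic): three internal hosts.

    10.0.1.15 behaves like an SMB worm, touching 26 hosts on 445 in 26 s.
    10.0.1.50 is a benign client repeatedly reaching one file server on 445.
    10.0.1.60 is browsing the web on 443 and must be ignored by the rule.
    """
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(26):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.1.15 10.0.1.{20 + i} 445 ALLOW")
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.50 10.0.1.5 445 ALLOW")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        # 203.0.113.0/24 is a documentation range, used here as a stand-in
        lines.append(f"{ts} 10.0.1.60 203.0.113.{i % 5} 443 ALLOW")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Parse 'ISO-timestamp src dst dport action' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_smb_scanners(events, threshold=10, window=timedelta(seconds=60), port=445):
    """Return {src: max distinct destinations} for sources that contacted at
    least `threshold` distinct hosts on `port` within any `window`-long span.

    The threshold and window are assumed tuning values; a real deployment
    would baseline them against the environment's normal SMB fan-out.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        if dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, conns in by_src.items():
        conns.sort()  # order by timestamp so a sliding window is valid
        left = 0
        for right in range(len(conns)):
            # shrink the window from the left until it spans at most `window`
            while conns[right][0] - conns[left][0] > window:
                left += 1
            distinct = {dst for _, dst in conns[left:right + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, fanout in detect_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible SMB scanner: {src} reached {fanout} hosts on tcp/445")
```

The same rule can be applied to NetFlow or firewall exports by adapting `parse_log`; counting only blocked (DENY) attempts is a useful variant, since a worm probing the whole subnet will also hit addresses where no host answers.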
On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers remained unpatched globally. This is particularly true of Windows XP computers, which are no longer supported by Microsoft, as well as the millions of computers worldwide running pirated software, which are (obviously) not automatically updated.
Please read the Cisco TALOS blog for the most up-to-date information on WannaCry: http://blog.talosintelligence.com/2017/05/wannacry.html.
HOW CISCO PROTECTS OUR CUSTOMERS
A defense-in-depth strategy is always the best approach to information security.
Remember, this is a vulnerability in Microsoft Windows, and as such the following best practices are recommended to combat attacks based on Microsoft SMB:
To be clear, if the vulnerabilities aren’t patched, an organization will continue to be at risk for infection by this ransomware. However, the following Cisco Security products can limit the installation, spread, and execution of WannaCry:
There are likely to be variants of WannaCry in the coming days and weeks. While the current variant will be added to anti-virus signatures, new variants have the best chance of being detected by the modern behavioral techniques in Cisco AMP.
CISCO RANSOMWARE SOLUTIONS - LEARN MORE
Cisco has a defense-in-depth architecture for protecting against ransomware; find out more here. We would suggest organizations take a look at the Ransomware Threat Defense solution. If your organization has been impacted by this ransomware, you may wish to contact Cisco Security Services Incident Response / +1-844-831-7715 for support.