WannaCry Advisory

As you are most likely aware, there is currently a major ransomware outbreak affecting the UK, Europe and organizations worldwide. The UK NHS has been hit hard, and the infection is spreading indiscriminately across organizations of all shapes and sizes, including telcos, banks and companies across industry and commerce.

We noticed an uptick in infections peaking at around 5 PM on Friday afternoon. That timing looks deliberate: it puts IT teams and defenders on the back foot as we head into the weekend.

We thought it best to give you some practical advice to reduce your risk of infection.

WannaCry ransomware is built on NSA exploits and tools recently leaked by the Shadow Brokers, specifically the ETERNALBLUE SMBv1 exploit (the vulnerability Microsoft patched in MS17-010) and the DOUBLEPULSAR kernel backdoor. Infection occurs either via a user opening a malicious file or automatically through the malware's worm component, which needs no user interaction at all.

Once a machine is infected, it starts scanning for other hosts with SMB exposed (TCP 445), both on the local network and across the internet, and exploits every unpatched machine it finds. The worm does not spread over RDP, but RDP (TCP 3389) exposed to the internet is a standing risk and should be closed at the same time.

We advise the following:

- Immediately apply the MS17-010 security update (released March 2017). Microsoft has also published out-of-band MS17-010 fixes for the unsupported Windows XP, Windows 8 and Windows Server 2003; see the MSRC guidance linked below. Where SMBv1 is not needed, disable it: ETERNALBLUE only works against SMBv1.
- If you still run NT, 2000, 2003 or XP, remove those machines from the network, or heavily segregate and monitor them.
- Block ALL inbound traffic from the internet on TCP ports 445/139 (SMB) and 3389 (RDP) at the perimeter, and block outbound 445/139 as well so an infected host cannot scan the internet from inside your network.
- Block and alert on traffic to known Tor nodes; the malware's command-and-control uses Tor.
- Do not forget about remote-worker laptops. If someone brings an infected machine into the office, it will spread across the LAN from there.
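The two behaviours worth hunting for in your own logs are an internal host sweeping many other internal hosts on SMB (the worm looking for its next victim) and any SMB or RDP flow crossing the perimeter (traffic the rules above should be dropping). The script below is an added example, not code from the original advisory or from any vendor. It assumes a generic firewall connection-log format (timestamp, src, dst, dport, proto), RFC 1918 space as "internal", and a threshold of 20 distinct SMB targets in five minutes; all three are assumptions you should adjust to your environment. The sample log lines are constructed so the script runs offline.

```python
"""Flag hosts that behave like a WannaCry-style SMB worm in firewall logs.

Added example: the log format, the internal ranges and the thresholds are
assumptions, not taken from any particular firewall vendor.  Each log line is
assumed to look like:
    <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)
# Assumption: RFC 1918 space is "our network"; adjust to the real address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WORM_PORTS = {445, 139}             # SMB: the ETERNALBLUE propagation path
PERIMETER_PORTS = {445, 139, 3389}  # ports the advisory says must not cross the edge


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(lines):
    """Yield one event dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
               "dst": m["dst"], "dport": int(m["dport"]),
               "proto": m["proto"].lower()}


def detect_smb_scanners(events, window=timedelta(minutes=5), threshold=20):
    """Return {src: max_distinct_targets} for internal sources that reached at
    least `threshold` distinct internal hosts on SMB inside any `window`.
    A workstation talks to a handful of file servers; a worm sweeps a subnet."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proto"] != "tcp" or ev["dport"] not in WORM_PORTS:
            continue
        if not (is_internal(ev["src"]) and is_internal(ev["dst"])):
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= threshold:
            flagged[ev["src"]] = max(distinct, flagged.get(ev["src"], 0))
    return flagged


def detect_perimeter_crossings(events):
    """Return (src, dst, dport) for SMB/RDP flows that cross the internal/external
    boundary in either direction; the advisory says all of these should be blocked."""
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if ev["dport"] in PERIMETER_PORTS
            and is_internal(ev["src"]) != is_internal(ev["dst"])]


def build_sample_log():
    """Constructed log: one worm-like host, one normal host, two edge crossings."""
    base = datetime(2017, 5, 12, 17, 0, 0)
    lines = []
    for i in range(30):  # 10.1.2.3 sweeps 10.1.9.1 .. 10.1.9.30 on 445 in three minutes
        ts = (base + timedelta(seconds=6 * i)).isoformat()
        lines.append(f"{ts} src=10.1.2.3 dst=10.1.9.{i + 1} dport=445 proto=tcp")
    for i in range(30):  # 10.1.2.7 talks to the same three file servers: normal
        ts = (base + timedelta(seconds=6 * i + 1)).isoformat()
        lines.append(f"{ts} src=10.1.2.7 dst=10.1.9.{(i % 3) + 40} dport=445 proto=tcp")
    lines.append(f"{base.isoformat()} src=10.1.2.3 dst=203.0.113.5 dport=445 proto=tcp")
    lines.append(f"{base.isoformat()} src=198.51.100.9 dst=10.1.3.20 dport=3389 proto=tcp")
    lines.append("this line is not a flow record and is ignored")
    return lines


def run(lines):
    events = list(parse_log(lines))
    return detect_smb_scanners(events), detect_perimeter_crossings(events)


if __name__ == "__main__":
    scanners, crossings = run(build_sample_log())
    for src, n in scanners.items():
        print(f"possible SMB worm: {src} reached {n} internal hosts on SMB")
    for src, dst, port in crossings:
        print(f"perimeter crossing: {src} -> {dst}:{port}")
```

On the constructed data the sweep from 10.1.2.3 is flagged once it passes 20 distinct targets and the file-server user 10.1.2.7 is not; the two edge crossings are reported separately. Run it over your real firewall export with the regular expression adjusted to your log format, and tune the threshold against a quiet day before alerting on it.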

Useful Links:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168