thinkCSC has been closely tracking a global ransomware attack called “WannaCry” that was initiated last Friday and has impacted organizations in at least 150 countries. The attack began in the UK, shutting down several hospitals, thereafter spreading to Spain. The attack has now spread globally to organizations of all sizes in all industries, including those in the United States.
Please note that organizations with network visibility and a comprehensive patching program are protected and will be able to defend themselves against WannaCry. This ransomware is spread throughout an organization’s network by taking advantage of vulnerabilities in Windows Server Message Block (SMB). Targeted organizations are those who failed to deploy the patches Microsoft had released to protect against these vulnerabilities.
To learn more about the SMB security patches and software vulnerabilities, read more here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
What Happens When WannaCry Ransomware Attacks?
When WannaCry ransomware is deployed, it encrypts files and demands a ransom of $300 in Bitcoin. thinkCSC urges organizations NOT to pay the ransom, as payment has not resulted in a release of the encrypted files. Read more here: http://www.bbc.com/news/technology-39920269
To learn more about the WannaCry ransomware attack, read more here: http://www.pcmag.com/article/353670/wannacry-ransomware-what-you-need-to-know
The thinkCSC team is actively monitoring the situation.
All thinkCSC Managed Services Clients have patches in place for exploitation attempts against the Windows SMB vulnerability, as well as IPS network detection for the WannaCry ransomware.
Keep in mind that this is an ongoing campaign, and we are regularly updating our detection capabilities. Additionally, we are keeping a close eye on customer networks as events unfold. Please notify thinkCSC of any reported cases of WannaCry ransomware in your organization.
Recommended Courses of Action:
thinkCSC recommends all organizations take the following actions:
- Ensure that “Security Update for Microsoft Windows SMB Server (4013389),” reference Critical Microsoft Security Bulletin MS17-010, has been applied.
- Update endpoint protection and antivirus software definitions, and have all users leave systems powered on so they can receive patches and definition updates.
- Remove public access from any Windows system with Server Message Block that has not been patched (as a best practice, SMB ports 139 and 445 should not be exposed publicly and should be blocked on all externally accessible hosts).
- Ensure that all internal Windows systems are patched, to avoid internal spread of WannaCry ransomware.
- Ensure critical files are backed up appropriately.
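One way to check the patch and SMB exposure items above on a single Windows host. This is an added example, not thinkCSC's or Microsoft's tooling. The KB value is a placeholder that must be replaced with the update number MS17-010 lists for the host's Windows version, and the function and variable names are illustrative.

```powershell
# Added example: local audit for the patch and SMB-exposure items in the list above.
# Run in an elevated session on Windows 8 / Server 2012 or later.

# ASSUMPTION: placeholder value. Replace with the KB number(s) that bulletin
# MS17-010 lists for this host's Windows version.
$PatchKbs = @('KB0000000')
$SmbPorts = @(139, 445)

function Test-PortMatch {
    # True when a firewall LocalPort entry ('Any', '445', '135-139') covers a port.
    param([string]$Entry, [int[]]$Ports)
    if ($Entry -eq 'Any') { return $true }
    if ($Entry -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        return [bool]($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi })
    }
    return ($Entry -match '^\d+$') -and ($Ports -contains [int]$Entry)
}

# 1. Patch: Get-HotFix lists installed updates. A later rollup that supersedes
#    the KB will not match, so "False" means "verify by hand", not "vulnerable".
$installed = Get-HotFix | Where-Object { $PatchKbs -contains $_.HotFixID }
"Listed MS17-010 update installed: {0}" -f [bool]$installed

# 2. Is anything listening on the SMB ports on this host?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $SmbPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort | Format-Table -AutoSize

# 3. Enabled inbound allow rules that open those ports, flagging the ones
#    that apply to the Public profile (or to every profile).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { return }
    $open = $pf.LocalPort | Where-Object { Test-PortMatch -Entry $_ -Ports $SmbPorts }
    if (-not $open) { return }
    $profiles = $rule.Profile.ToString()
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        LocalPort     = $pf.LocalPort -join ','
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Profile       = $profiles
        PublicExposed = $profiles -match 'Any|Public'
    }
} | Sort-Object PublicExposed -Descending | Format-Table -AutoSize
```

A host-level result does not replace a check at the network edge: a rule scoped to the Domain or Private profile can still be reachable from outside if the perimeter firewall forwards ports 139 or 445.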
While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all organizations (businesses of all sizes, government entities, schools, hospitals, and others) to invest in stronger IT security that includes offsite backup and recovery. These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.
For new customers interested in information on obtaining our services, please contact us at firstname.lastname@example.org