
Published on May 15th, 2017


WannaCry cyberattack: Here is how to protect your computer, and more | Virus Wanna Cry




How can this be prevented?
Although the exploits and the vulnerabilities they target were publicly exposed a month earlier, a large number of systems were still unpatched. To protect against this ongoing mass exploitation and worm-like propagation, do the following:
1. Install all available OS updates to prevent the system from being exploited.
2. Manually disable SMBv1 via modifications made to Windows Registry by following these steps:
a. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
b. Look for Value: SMB1
c. Modify Data: REG_DWORD: 0 = Disabled
3. Restrict inbound traffic to SMB ports (139, 445) that are publicly accessible / open to the Internet.
4. Block the IPs, domains and hash values involved in spreading this malware. Please refer to the attachment IOCs – WANNACRY RANSOMWARE.xlsx for details.
5. Implement endpoint security solutions. The ‘AV Signature Name’ section of IOCs – WANNACRY RANSOMWARE.xlsx can be consulted.
6. Keep an offline backup of critical data on desktops and servers.
7. Organisations should block connections to TOR nodes and TOR traffic on the network (see IOCs – WANNACRY RANSOMWARE.xlsx).
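As an added example (not part of the advisory above), the following PowerShell, run from an elevated prompt on a single Windows host, audits and applies steps 2 and 3: it reads and sets the SMB1 registry value the advisory names, lists current activity on ports 139/445 so the operator can judge whether inbound SMB is needed, and adds a host firewall rule that drops inbound SMB from outside the local network. The function names and the firewall rule name are assumptions; the registry path and the SMB1 = 0 value are the advisory's.

```powershell
# Added example, not from the advisory. Run from an elevated PowerShell session.
# Assumed (hypothetical) names: the functions and the firewall rule display name.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns 'Disabled', 'Enabled' or 'NotSet'. An absent value means the
    # server keeps its default, which on older Windows builds is SMBv1 enabled.
    $prop = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    if ($prop.SMB1 -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-Smb1Server {
    # Step 2 of the advisory: SMB1 = REG_DWORD 0. Creates the value if it is missing.
    # The server service only picks the change up after a reboot.
    if (-not (Test-Path $LanmanParams)) { throw "Registry path not found: $LanmanParams" }
    New-ItemProperty -Path $LanmanParams -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    return (Get-Smb1State)
}

function Get-SmbExposure {
    # Step 3, audit half: show listeners and live connections on 139/445 so the
    # operator can decide whether inbound SMB is actually required on this host.
    Get-NetTCPConnection -LocalPort 139,445 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, State
}

function Block-InboundSmbFromInternet {
    # Step 3, enforcement half: drop inbound TCP 139/445 from the 'Internet'
    # address keyword (everything outside the local network). Idempotent by name.
    param([string]$RuleName = 'WannaCry-Advisory-Block-SMB-NonLocal')
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        return "Rule '$RuleName' already present"
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 139,445 -RemoteAddress 'Internet' -Profile Any | Out-Null
    return "Created rule '$RuleName'"
}

# Audit first, then apply; review the exposure table before blocking on a file server.
"SMB1 registry state before: $(Get-Smb1State)"
Get-SmbExposure | Format-Table -AutoSize
"SMB1 registry state after : $(Disable-Smb1Server)"
Block-InboundSmbFromInternet
```

Blocking 139/445 on a host that legitimately serves files will break those shares, which is why the advisory says to block only if the traffic is not required.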
What action should the Bank/User/Customer take?
Install all critical patches.
Review any traffic towards ports 139, 445. Block if not required.
It is highly recommended that the provided list of threat indicators (IOCs – WANNACRY RANSOMWARE.xlsx) be blocked immediately at perimeter devices such as firewalls and proxies and at the Email Security Gateway. However, kindly note:
You shall act upon this advisory/IOC-list at your own discretion after conducting risk analysis in your specific environment.
The advisory/IOC-list is time sensitive in nature and may be overridden in subsequent updates from our side as new information is received on the threats.
What should be done if a node is found infected?
1. Disconnect the infected system(s) from the production network.
2. Perform a full anti-malware scan on the system(s) using one of the following tools:
F-SECURE: http://www.f-secure.com/en/web/home_global/online-scanner
MCAFEE: http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx
MICROSOFT: http://www.microsoft.com/security/scanner/en-us/default.aspx
SOPHOS: http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
TREND MICRO: http://housecall.trendmicro.com/
You can refer to IOCs – WANNACRY RANSOMWARE.xlsx to identify additional anti-malware tools with confirmed detection, for further scanning and disinfection.
3. Block the supplied indicators (IPs, domains, and hash values) at the gateway devices.
4. Attempt to decrypt any encrypted files using decryption tools such as Trend Micro Ransomware File Decryptor or those listed at nomoreransom.org/decryption-tools.html.
5. Run the removal script for the DoublePulsar implant, if found: github.com/countercept/doublepulsar-detection-script
6. Restore data from the most recent backup.










