What to Do About the Wannacry Ransomware Outbreak
Today, a ransomware variant called Wannacry (or WCry or WanaCryptor) has emerged with a nasty 2.0 version that is quickly spreading, particularly in Spain and throughout Europe. We’ve been tracking the Wannacry ransomware since it was first reported on Bleeping Computer.
Here’s what you need to know to stay protected against this fast-moving malware.
What Makes Wannacry Ransomware Unique?
While there’s very little clarity on the initial infection vector, there’s some speculation it may be targeting people via high-quality phishing e-mails.
That’s not new. What is new, at least according to reports so far, is that the ransomware contains a worm that infects every computer on the network that has not been patched against the recent NSA-dumped exploits. By making the ransomware a worm, the operator ensures that any unpatched system is a victim, increasing their likelihood of success, and thus likelihood of payment.
What we cannot believe is that anyone would allow Server Message Block (SMB) traffic from the Internet to enter their network. That doesn’t happen anymore, right? Well, wrong.
Most U.S. companies have gotten away scot-free so far, but it’s important to take steps to avoid falling victim to similar attacks in the future. Here’s how to protect yourself.
How to Protect Your Networks from Wannacry Ransomware
There are four major steps you should take to protect yourself against Wannacry and similar ransomware attacks:
- Update Your Firewalls: Ensure your firewall is blocking ports 445, 139, and 3389.
- Patch Your Systems: The Wannacry ransomware may use vulnerabilities in Microsoft Windows to spread from one computer to another. Patching puts an immediate halt to the wormability of these exploits.
- Improve Protections for RDP Servers: RDP is a common way that ransomware variants infect companies. If you can disable RDP for a while, do it. If not, apply some simple protections to keep your RDP access from turning into a ransomware point of entry.
- Deploy Anti-Malware Solutions: Our team is tracking this outbreak and will add protections against the threat as we learn them. We have your back throughout this attack and will help in every way we can.
Strongarm protects against Wannacry in a couple of ways. The ransomware includes a “kill switch” that will trigger when the ransomware is able to talk to a set of websites. We’ve blacklisted these websites. The ransomware will then contact Strongarm, tell us where it is running, and then die. Our researchers are also tracking down the different ways the ransomware gets in and adding those domains to our blacklist as we find them.
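The kill-switch lookups described above are also something you can search for in your own DNS resolver logs: a host that asks for one of those names is a candidate for investigation. The following is an added example, not Strongarm's code. The domain names are placeholders, and the BIND-style query-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Placeholder names: the page does not list the kill-switch domains, so
# substitute the real ones from your own threat-intelligence source.
KILL_SWITCH_DOMAINS = {"killswitch-one.example", "killswitch-two.example"}

# Assumed BIND-style query-log line:
# <date> <time> client <ip>#<port> (<name>): query: <name> IN <type> + (<server>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def is_kill_switch(name, domains=KILL_SWITCH_DOMAINS):
    """True if name is a listed domain or a subdomain of one (label-aligned)."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in domains)

def find_suspect_hosts(log_lines, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"first_seen": ts, "count": n, "domains": set}}."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "domains": set()})
    for line in log_lines:
        m = QUERY_RE.match(line)
        if not m or not is_kill_switch(m["name"], domains):
            continue  # unparseable line or unrelated lookup
        rec = hits[m["ip"]]
        rec["first_seen"] = rec["first_seen"] or m["ts"]
        rec["count"] += 1
        rec["domains"].add(normalize(m["name"]))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "12-May-2017 14:03:11.120 client 10.0.4.17#53211 (KillSwitch-One.example): query: KillSwitch-One.example IN A + (10.0.0.2)",
    "12-May-2017 14:03:12.004 client 10.0.4.22#40112 (intranet.corp.example): query: intranet.corp.example IN A + (10.0.0.2)",
    "12-May-2017 14:05:40.551 client 10.0.7.9#61001 (www.killswitch-two.example.): query: www.killswitch-two.example. IN A + (10.0.0.2)",
    "12-May-2017 14:06:02.900 client 10.0.4.17#53300 (killswitch-one.example): query: killswitch-one.example IN AAAA + (10.0.0.2)",
    "12-May-2017 14:07:15.310 client 10.0.9.3#50022 (notkillswitch-one.example): query: notkillswitch-one.example IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for ip, rec in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(ip, rec["first_seen"], rec["count"], sorted(rec["domains"]))
```

The match is label-aligned, so a lookalike such as `notkillswitch-one.example` is not flagged, while mixed case and a trailing dot are normalized before comparison.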
While attacks like Wannacry can seem alarming at the outset, doing the right things to protect your organization will go a long way toward decreasing your odds of being victimized.
Questions for our team? Email us at firstname.lastname@example.org