I woke up on the 12th of May, which was my birthday, looked at the news feed and saw a burst of articles regarding the WannaCry ransomware that has swept across the globe.
In the last few days, a new type of malware called WannaCrypt has done worldwide damage. It combines the characteristics of ransomware and a worm and has hit many machines around the world at different enterprises and government organizations:
While everyone’s attention related to this attack has been on the vulnerabilities in Microsoft Windows XP, please pay attention to the following:
- The attack works on all versions of Windows if they haven’t been patched since the March patch release!
- The malware can only exploit those vulnerabilities once it is on the network, so it first has to get in. There are reports that it is being spread via email phishing or malicious web sites, but these reports remain uncertain.
Please take the following actions immediately:
- Make sure all systems on your network are fully patched, particularly servers.
- As a precaution, please ask all colleagues at your location to be very careful about opening email attachments and minimise browsing the web while this attack is on-going.
The vulnerabilities are fixed by the security patches below, which Microsoft released in March 2017. Please ensure you have patched your systems:
Details of the malware can be found below. The worm scans TCP port 445, which is used by the Windows SMB service for file sharing:
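Because the worm scans TCP/445, a single host contacting many distinct peers on that port within a short time is a useful detection signal. The following is an added example, not part of the original post, that flags such sources in flow records; the log format, threshold, window and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): time, source, destination, dest port.
SAMPLE_FLOWS = """\
2017-05-12T09:00:01 10.0.0.5 10.0.1.1 445
2017-05-12T09:00:02 10.0.0.5 10.0.1.2 445
2017-05-12T09:00:03 10.0.0.5 10.0.1.3 445
2017-05-12T09:00:04 10.0.0.5 10.0.1.4 445
2017-05-12T09:00:05 10.0.0.5 10.0.1.5 445
2017-05-12T09:00:06 10.0.0.5 10.0.1.6 445
2017-05-12T09:00:07 10.0.0.9 10.0.0.20 445
2017-05-12T09:00:08 10.0.0.9 192.0.2.10 443
2017-05-12T09:00:30 10.0.0.9 10.0.0.20 445
2017-05-12T10:00:00 10.0.0.7 10.0.1.1 445
2017-05-12T11:00:00 10.0.0.7 10.0.1.2 445
2017-05-12T12:00:00 10.0.0.7 10.0.1.3 445
truncated record
"""

def parse_flows(text):
    """Yield (time, src, dst, port) from whitespace-separated lines, skipping malformed ones."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:  # wrong field count, bad timestamp or non-numeric port
            continue

def find_smb_scanners(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct TCP/445 destinations in one window} for sources >= threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))
```

In the sample, the client that repeatedly talks to one file server and the host that touches a few peers hours apart stay below the threshold; only the rapid fan-out is flagged.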
A preliminary study shows that our environment is not infected, based on all hashes and domain found:
Per Symantec, here is a full list of the filetypes that are targeted and encrypted by WannaCry:
As you can see, the ransomware covers nearly any important file type a user might have on his or her computer. It also installs a text file on the user’s desktop with the following ransom note: