Alert Logic® ActiveWatch™ threat intelligence and researchers continue to monitor the WannaCryptor campaign. WannaCryptor harnesses the SMB EternalBlue exploit and the DoublePulsar backdoor payload for self-replication. Without any intervention from users, such as opening an email or clicking on a link, WannaCryptor propagates through a network, targeting systems running versions of Microsoft Windows that are still vulnerable to the SMB flaw Microsoft patched in March 2017.
For a deep review of this exploit, refer to our WannaCry – A Propagation Brought to You by EternalBlue and DoublePulsar blog post.
Alert Logic Coverage
Alert Logic has had detection coverage and incident escalations deployed globally for the threat vectors used by WannaCryptor for over a month. Scanning coverage, active intrusion detection signatures, and incident creation are in production for EternalBlue and DoublePulsar. For more information on EternalBlue and DoublePulsar, refer to our Shadow Brokers Release of Equation Group Toolset | Security Bulletin knowledge base article.
Signatures have been deployed in Alert Logic Cloud Defender™ for EternalBlue and DoublePulsar since mid-April 2017. Incidents will be generated by Alert Logic for successful execution of these threats. Further, the Alert Logic ActiveWatch™ team is actively monitoring for these threats.
Signatures for scanning and detecting the EternalBlue vulnerability have been deployed in Alert Logic Threat Manager™ and Alert Logic Cloud Insight™ since mid-April 2017.
Recommendations for Mitigation
The best action for preventing the WannaCryptor server-side ransomware attack is a strong patch management policy. The patch for this vulnerability for Windows XP systems and newer can be found in the Microsoft Customer Guidance for WannaCrypt Attacks blog post.
Other recommended mitigation actions include:
- Running a detailed vulnerability scan against all systems in your environments to identify systems missing the MS17-010 security update.
- Disabling SMB in Windows unless absolutely necessary, and ensuring that SMB isn't accessible via the open Internet.
- Establishing strict needs-based access to network resources and segmenting networks where possible.
- Backing up your data using offline media options, as the server-side ransomware worm attempts to infect any connected resources (USB drives, mapped network drives, etc.).
- Following client-side hygiene practices and OS vendor advice for baseline security.
- Keeping current with Alert Logic and our network, web application, scan, and log alerts.
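The following PowerShell script is an added example (not Alert Logic's or Microsoft's code) that turns the first three recommendations above into a per-host audit: it checks whether an MS17-010 update is installed, whether SMBv1 (the protocol EternalBlue targets) is still enabled, whether an inbound block rule for TCP/445 exists, and which network drives are mapped from the host. With `-Harden` it disables SMBv1 and blocks inbound SMB on the Public firewall profile. Assumptions: it runs elevated on Windows 8.1 / Server 2012 R2 or later, where the `SmbShare`, `NetSecurity` and `Dism` modules exist, and the `$Ms17010Kbs` list is a placeholder that must be filled with the KB identifiers for each OS build from the Microsoft guidance linked above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one Windows host for the MS17-010 / SMB mitigations and,
# with -Harden, apply the SMB-related ones. Not the bulletin's own code.
[CmdletBinding()]
param(
    [switch]$Harden,
    # PLACEHOLDER: replace with the MS17-010 KB numbers that apply to this OS build
    # (taken from Microsoft's customer guidance); the value below is not a real KB.
    [string[]]$Ms17010Kbs = @('KB<MS17-010-for-this-OS-build>')
)

$report = [ordered]@{}

# 1. Patch state: is any of the MS17-010 updates for this build installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$report.MS17010Installed = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# 2. SMBv1 state: check both the optional feature and the live server setting,
#    since either one can leave the vulnerable dialect reachable.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.SMB1FeatureState  = if ($smb1Feature) { $smb1Feature.State } else { 'Unknown' }
$report.SMB1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Exposure: is there an enabled inbound block rule covering TCP/445?
$block445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' }
$report.Port445BlockRulePresent = [bool]$block445

# 4. Blast radius: mapped drives are among the "connected resources" the worm
#    tries to reach from an infected host; offline backups are the mitigation.
$report.MappedNetworkDrives = (Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemotePath) -join ', '

[pscustomobject]$report | Format-List

if ($Harden) {
    # Turn off SMBv1 on the server side (takes effect immediately) and remove the
    # feature entirely (needs a reboot to complete).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Host-level guard against SMB being reachable from untrusted networks:
    # block inbound TCP/445 whenever the adapter is on the Public profile.
    # Internet-facing exposure should still be closed at the perimeter firewall.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (Public profile)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (Public profile)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
    Write-Host 'Hardening applied; reboot to finish removing the SMB1Protocol feature.'
}
```

Run it without `-Harden` first to collect the audit output across a fleet (for example through a remoting job), then apply `-Harden` only to hosts where SMBv1 is confirmed unnecessary, since removing the feature breaks legacy clients that depend on it.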
05/17/17: A second wave of WannaCryptor, WannaCryptor 2.0, has been identified, and ActiveWatch threat intelligence and researchers continue to monitor the server-side ransomware campaign.