Steps to mitigate Wannacry ransomware

A new ransomware attack, perhaps the largest so far, was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. 200K machines have been infected in just a few days.

Understanding Wannacry infections

The ransomware that has been spreading over the internet and local networks through the EternalBlue Windows SMB (Server Message Block) exploit has slowed down in its proliferation over the past day. However, infections continue to increase at a slower rate. The reason for the reduced infection rate was the solution found by a 22-year-old security researcher: registering the domains to which the malware was trying to establish a connection. This has resulted in a massive drop in the rate at which the ransomware infection is spreading all over the globe. As per this revised update, we need to allow connections to the following domains to make sure the malware spread is stopped.

1. http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2. http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

New Malware Variants

New ransomware variants without the above kill-switch have been identified and reported by VirusTotal and Kaspersky Labs. As per their analysis, it is difficult to stop the spread of these new variants. The major malware variant of Wannacry goes by the name UIWIX. This self-replicating malware doesn't have a kill-switch and spreads by exploiting the same vulnerability in SMBv1 and SMBv2 as Wannacry does. However, these have only been reported in limited numbers and have not been seen in the wild much. Hence, as of now there is no need to be concerned about these new Wannacry ransomware variants.

Mitigation Steps for Wannacry and its new ‘no kill-switch’ variants

Among the many security measures to contain the ransomware spread, the following have been identified as the most crucial mitigation steps to safeguard your machine against Wannacry and its various new malware variants.


1. Update your Windows computers with the Microsoft security patch MS17-010.
2. Disable SMB. Block port 445 urgently, and also block ports 137 and 139.
3. Install a good antivirus that prevents Wannacry infections.

Installing MS17-010 patch

Update Windows to get the latest security patches.

The details of the MS17-010 security patch can be found at

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How to disable SMB

SMB is enabled by default in Windows. To disable it:


• Go to Windows Features
• Open "Turn Windows features on or off"
• Uncheck SMB
• Click OK
• Restart the PC

How to block ports in Windows Firewall?

• Open Windows Firewall
• Add a new rule under Inbound Rules
• Select Port
• Choose Specific local ports
• Add 137, 139 and 445
• Choose Block all connections
• Provide a name and description, then save
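The three mitigation steps above (check for MS17-010, disable SMBv1, block the NetBIOS/SMB ports), combined into one elevated PowerShell script. This is an added example and not part of the original advisory; it assumes a workstation that does not serve file shares, and the KB id in $Ms17010Kb is a placeholder to be filled in from the MS17-010 bulletin for your OS version.

```powershell
# Added example, not from the advisory. Run in an elevated (Administrator) PowerShell session.
# Assumptions: the machine does not host SMB shares, and $Ms17010Kb holds the KB id(s)
# that the MS17-010 bulletin lists for this OS version (placeholder below).
$Ms17010Kb = @('KB<MS17-010 id for this OS>')   # placeholder: fill in from the bulletin

# 1. Check whether the MS17-010 fix is installed (Get-HotFix lists installed updates).
$installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'MS17-010 not found; install it before relying on the steps below.'
}

# 2. Disable the SMBv1 server. The registry value is the documented method for
#    Windows 7 / Server 2008 R2; Set-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later, so it is called only when available.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Block inbound NetBIOS/SMB ports. netsh is used because it is present on
#    Windows 7 as well as newer releases. Port 137 (NetBIOS name service) is UDP,
#    139 and 445 are TCP, so one rule per protocol covers all three ports.
$ruleName = 'Block inbound SMB and NetBIOS (WannaCry mitigation)'
foreach ($proto in 'TCP', 'UDP') {
    netsh advfirewall firewall add rule name="$ruleName ($proto)" dir=in action=block protocol=$proto localport=137,139,445 | Out-Null
}

# 4. Verify: the SMB1 registry value should read 0 and both rules should be listed.
Get-ItemProperty -Path $lanman -Name SMB1 | Select-Object SMB1
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'WannaCry mitigation'

Write-Host 'Restart the machine so the SMBv1 setting takes effect.'
```

On a file server, blocking 445 stops legitimate SMB clients as well, so there the firewall rule should be scoped to untrusted source addresses instead of applied blanket.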