WannaCry Ransomware Worm Attacking Network of Universities and Governments

  • Source: Sangfor Security Center
  • Date Published: 2017-05-14

Summary

On the evening of May 12th, the WannaCry ransomware worm broke out and attacked government, school, hospital and other networks globally. A great many domestic industries have been affected; the education industry was the most severely attacked, and many education systems crashed.

DESCRIPTION

Attackers built WannaCry by adapting an exploit for a bug that the NSA once used to hijack and spy on its targets, with an internal tool codenamed Eternal Blue. It specifically exploits the vulnerability designated MS17-010, reached over port 445, which Microsoft patched in March 2017.

Once the system is attacked, the following dialog box will pop up: 

[Image: the dialog box displayed on an attacked system]

Currently, many domestic government and education networks have been attacked by WannaCry. Once data files are encrypted by the virus, a large amount of money is demanded to decrypt them. Until now, there is no method to decrypt the files.

INFLUENCE

Check whether the MS17-010 patch has been installed on servers and clients that run Windows 7 or a later operating system and have the SMB service enabled on port 445. If it has not, those servers and clients are vulnerable to attack.

As for Windows XP and Windows 2003, there is no patch until now. As long as the SMB service is enabled, these servers are vulnerable to attack.

Port 445 is a TCP port that provides file and printer sharing in the local area network. Attackers who can establish a connection to port 445 can obtain all sorts of shared information in the designated local area network.

SOLUTION

1. Auto update or download the patch for MS17-010. The patch addresses are as follows:

  • Windows Vista, Windows Server 2008: http://www.catalog.update.microsoft.com/search.aspx?q=4012598
  • Windows 7, Windows Server 2008 R2: http://www.catalog.update.microsoft.com/search.aspx?q=4012212
  • Windows 8.1, Windows Server 2012 R2: http://www.catalog.update.microsoft.com/search.aspx?q=4012213
  • Windows RT 8.1: http://www.catalog.update.microsoft.com/search.aspx?q=4012216
  • Windows Server 2012: http://www.catalog.update.microsoft.com/search.aspx?q=4012214

2. For the operating systems that do not have patches, Windows XP and Windows 2003, you may disable port 445 of the SMB service.

https://jingyan.baidu.com/article/d621e8da0abd192865913f1f.html

3. Sangfor NGFW released security patches to defend against the SMB vulnerability one month ago. You may upgrade to version 20170415 or above.

4. Reference for the solution:

http://sec.sangfor.com.cn/events/89.html
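
A host-side version of the check described under INFLUENCE, as an added example that is not part of the original advisory: it maps the Windows version to the KB numbers listed under SOLUTION and reports whether one of them is installed while the SMB Server service is running. The function name `Get-Ms17010Status`, the version keys and the status strings are assumptions made for this example; it is written for Windows PowerShell.

```powershell
# Added example. KB numbers are the ones listed in this advisory; the keys are
# the major.minor Windows version that WMI reports for each listed OS.
$kbByVersion = @{
    '6.0' = @('KB4012598')               # Windows Vista, Windows Server 2008
    '6.1' = @('KB4012212')               # Windows 7, Windows Server 2008 R2
    '6.2' = @('KB4012214')               # Windows Server 2012
    '6.3' = @('KB4012213', 'KB4012216')  # Windows 8.1, Server 2012 R2, RT 8.1
}

function Get-Ms17010Status {
    param(
        [string]$Version,        # full OS version, e.g. '6.1.7601'
        [string[]]$InstalledKb,  # hotfix IDs present on the host
        [bool]$SmbEnabled        # is the SMB Server service running?
    )
    # Reduce '6.1.7601' to '6.1' so it can be used as a lookup key.
    $key = ($Version -split '\.')[0..1] -join '.'

    if (-not $SmbEnabled) {
        return 'NOT EXPOSED: SMB Server service is not running'
    }
    # Windows XP (5.1) and Windows 2003 (5.2): the advisory lists no patch.
    if (@('5.1', '5.2') -contains $key) {
        return 'VULNERABLE: no patch listed for this OS; disable port 445'
    }
    if (-not $kbByVersion.ContainsKey($key)) {
        return "UNKNOWN: version $Version is not in the advisory's patch list"
    }
    $wanted = $kbByVersion[$key]
    $found  = @($wanted | Where-Object { $InstalledKb -contains $_ })
    if ($found.Count -gt 0) {
        return "PATCHED: $($found -join ', ') is installed"
    }
    return "CHECK: none of $($wanted -join ', ') found; verify and patch"
}

# Gather the three inputs from the local machine and report.
$os      = Get-WmiObject Win32_OperatingSystem
$hotfix  = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$server  = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$running = [bool]($server -and $server.Status -eq 'Running')

Get-Ms17010Status -Version $os.Version -InstalledKb $hotfix -SmbEnabled $running
```

A later cumulative update that supersedes the listed KB is not matched by this lookup, so a CHECK result means the host needs manual verification, not that it is certainly unpatched.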