Guidance for enterprise administrators who want to reduce the likelihood of being held to ransom by WannaCry (or other types of ransomware).
Created: 14 May 2017
Updated: 17 May 2017
The NCSC are aware of a ransomware campaign relating to version 2 of the “WannaCry” malware affecting a wide range of organisations globally.
NCSC are working with affected organisations and partners to investigate and coordinate the response in the UK. This guidance will be updated as new information becomes available.
From investigations and analysis performed to date, we know that the malware encrypts files and presents the user with a prompt that includes a ransom demand, a countdown timer and a bitcoin wallet address into which the ransom is to be paid.
The malware exploits the SMBv1 vulnerability addressed by Microsoft security bulletin MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.
Enterprise Administrators
The NCSC advise the following steps be performed in order to contain the propagation of this malware:
– Deploy patch MS17-010:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
– A new patch has also been released for legacy platforms and is available here:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
– If it is not possible to apply this patch, disable SMBv1. There is guidance here:
https://support.microsoft.com/en-us/help/2696547
– and/or block the ports used by SMBv1 on network devices (UDP 137 and 138, TCP 139 and 445)
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
Work done in the security research community has prevented a number of potential compromises. To benefit:
– Ensure that your systems can resolve and connect on TCP 80 to the domains below.
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
Unlike the domains associated with most malware infections, these domains should not be blocked by your IT department. Note that the malware is not proxy aware, so a local DNS record may be required. This record does not need to point to the internet; it can resolve to *any* accessible server that will accept connections on TCP 80.
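As an added example that is not part of the NCSC guidance, the following PowerShell script audits a Windows host against the steps above: whether SMBv1 is still enabled or its ports are listening, and whether the two domains resolve and accept a direct (non-proxied) TCP 80 connection. It assumes Windows 8.1 / Server 2012 R2 or later (for the SmbShare and NetTCPIP modules) and an elevated prompt; the hotfix IDs that implement MS17-010 are not listed on this page, so the script checks SMBv1 exposure rather than installed KB numbers.

```powershell
# Added example, not NCSC tooling: read-only audit of the mitigations above.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt.

# The two domains named in the guidance (defanging brackets removed).
$KillSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

function Test-Smb1Exposure {
    # Is the SMB1 dialect still offered by the server service on this host?
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    # Is the SMB1 optional component installed at all? (Removed = best state.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        # Ports the guidance says to block at network devices
        Tcp445Listening   = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        Tcp139Listening   = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Test-KillSwitchReachability {
    # The malware is not proxy aware, so test a direct TCP 80 connection
    # through the host's own resolver, which also validates any local DNS record.
    foreach ($d in $KillSwitchDomains) {
        $resolved = Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $d -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Domain     = $d
            Resolves   = [bool]$resolved
            ResolvedTo = ($resolved | Where-Object QueryType -eq 'A' |
                          Select-Object -ExpandProperty IPAddress) -join ','
            Tcp80Open  = [bool]$tcp.TcpTestSucceeded
        }
    }
}

Test-Smb1Exposure | Format-List
Test-KillSwitchReachability | Format-Table -AutoSize
```

A host is in the recommended state when Smb1ServerEnabled is False (or the feature is Disabled) and both domains show Resolves and Tcp80Open as True.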
Antivirus vendors are increasingly able to detect and remediate this malware, so updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).
The NCSC have previously published broader guidance on protecting your organisation from ransomware, which is available here.