Question & Answer
What are the recommendations to help mitigate the WannaCry exploit?
On May 12th, 2017 at approximately 10:30 AM Eastern Time, the X-Force Threat Research team was made aware of a large-scale cyber attack taking place in Europe. A number of major companies have been affected, and the campaign has been identified as a version of WannaCry (WCry 2). Current research shows that this is ransomware distributed by a spreader that finds and infects vulnerable SMBv1 hosts using an SMB exploit (MS17-010).
X-Force Research is actively investigating this activity and currently recommends that clients ensure they are patched for the MS17-010 vulnerability and that their anti-virus signatures are up to date.
IBM X-Force has raised the global threat level to AlertCon 3, and continues to research this threat and update the below collection as new information becomes available. Additional notifications will be sent as more information becomes available.
We suggest the following:
- Ensure that your systems are patched (MS17-010) and that your anti-virus signatures are up to date.
- Follow the updates on X-Force Exchange https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729
- Refer to X-Force Ransomware Response Guide to evaluate organizational readiness http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03095USEN
- Clients should ensure that they are patched on MS17-010.
- Disable the outdated SMBv1 protocol
- Isolate unpatched systems from the larger network
- Should you be impacted, call the X-Force Hotline for immediate help: USA +1 888 241 9812, Global +1 312 212 8034
- The X-Force Exchange collection has a lot of information about this attack, including recommendations, Snort rules, and the PAM signature SMB_EternalBlue_Implant_CnC
- The X-Force research team is continuously reviewing this and will be updating with more information.
The PAM signature SMB_EternalBlue_Implant_CnC was added in XPU 37.041. By default, this signature drops packets and blocks connections. Additionally, when SiteProtector is part of the environment, you will have to update the Database component to the latest XPU so you can see the new signature in the IPS policy configuration options.
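The three host-level recommendations above (confirm the MS17-010 update, disable SMBv1, isolate what cannot be patched) as an added PowerShell example; this is not IBM's code. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the KB list is an illustrative subset that must be checked against the MS17-010 bulletin for each OS build.

```powershell
# Added example (not from the IBM page): audit and harden one Windows host against
# the MS17-010 / SMBv1 exposure described above. Run as Administrator.

# Illustrative subset of MS17-010 update IDs (assumption: confirm per OS build
# against the Microsoft bulletin before relying on this list).
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429')

function Test-Ms17010Patched {
    # $true if any of the listed updates is installed on this host.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    return [bool]$hit
}

function Get-Smb1ServerEnabled {
    # Server-side SMBv1 setting as reported by the SMB server service.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off the SMBv1 server; effective immediately, no reboot needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable the SMBv1 client driver (mrxsmb10) so the host will not speak
    # SMBv1 outbound either; this part takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # Isolation fallback for a host that cannot be patched yet: refuse all
    # inbound SMB (TCP 445) on every firewall profile. Rule name is an assumption.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any |
        Out-Null
}

$patched = Test-Ms17010Patched
Write-Host ("MS17-010 update present : {0}" -f $patched)
Write-Host ("SMBv1 server enabled    : {0}" -f (Get-Smb1ServerEnabled))
if (Get-Smb1ServerEnabled) { Disable-Smb1 }
if (-not $patched)        { Block-InboundSmb }
```

On Windows Server the SMB1 feature can additionally be removed with Remove-WindowsFeature FS-SMB1, and on client editions with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol; both require a reboot.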
Keep tracking the updates here: https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729
16 June 2018