IBM Support

IBM Security X-Force Exchange recommendations on the WannaCry Ransomware exploit

Question & Answer


Question

What are the recommendations to help mitigate the WannaCry exploit?

Cause

On May 12th, 2017 at approximately 10:30 AM Eastern Time, the X-Force Threat Research team was made aware of a large-scale cyber attack taking place in Europe. A number of major companies have been affected, and the campaign has been identified as a version of WannaCry (WCry 2). Current research shows that this is ransomware being distributed through a spreader finding and infecting vulnerable smbv1 boxes utilizing a SMB exploit (MS17-010).

Answer

Research is actively investigating this activity and currently recommends that clients ensure that they are patched for the MS17-010 vulnerability, and ensure that your anti-virus signatures are up to date.
IBM X-Force has raised the global threat level to AlertCon 3, and continues to research this threat and update the below collection as new information becomes available. Additional notifications will be sent as more information becomes available.

We suggest the following:

  1. ‚ÄčEnsure that their systems are patched (MS17-010) and that their anti-virus signatures are up to date.
  2. Follow the updates on X-Force Exchange https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729
  3. Refer to X-Force Ransomware Response Guide to evaluate organizational readiness http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03095USEN

X-Force Recommendations:
  • Clients should ensure that they are patched on MS17-010.
  • Disable the outdated protocol SMBv1
  • Isolate unpatched systems from the larger network
  • Should you be impacted, clients can call X-Force Hotline for immediate help. USA +1 888 241 9812, Global +1 312 212 8034

Notes:
  • X-Force Exchange link has lot of information about this attack, recommendations for you, snorts rules, and PAM signature ]SMB_EternalBlue_Implant_CnC[] .
  • The PAM signature [SMB_EternalBlue_Implant_CnC was added in XPU 37.041. By default, this signature drops packets and blocks connections. Additionally, when SiteProtector is part of the environment, you will have to update the Database component to the latest XPU so you can see the new signature in the IPS policy configurations options.
  • X-Force research team is continuously reviewing this and will be updating more information.

Keep tracking the updates here: https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729




[{"Product":{"code":"SSGLFB","label":"IBM X-Force Exchange"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"5.3;5.3.1;5.3.2;5.3.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSETBF","label":"IBM Security SiteProtector System"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"PF033","label":"Windows"}],"Version":"3.0;3.1.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg22003435