WannaCry Ransomware

Based on our research it sounds like infection often comes in via email attachment. The whole SMB exploit aspect is the unique sexiness of this crypto in that it spreads to multiple machines that way so multiple nodes are encrypting basically.  I think any Desktop that gets infected would encrypt server mapped drives. So patching servers prevents ‘server-uber-doomsday-infection’ of server itself being infected.  But any node on network getting it will basically cause server to get encrypted anyway, but not as bad as server being infected directly.

I’d consider this the ‘end of days’ ransomware because one infrected machine will begin encrypting local and server data and then simultaneously infect the other machines on the network which will begin encrypting the data in tandem, increasing the encryption rate drastically.

Microsoft Hotfixes for supported versions of Windows: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396
Note this hotfix was originally released in March of 2017, so if you’ve been good about updates you have it.

Command to determine if a node has a hotfix that contains the SMB1.0 fix:

wmic qfe list brief | findstr “KB4012598 KB4012212 KB4012215 KB4012214 KB4012217 KB4012213 KB4012216 KB4012606 KB4013198 KB4013429 KB4015438 KB4016635 KB4015217 KB4019472”

Microsoft Hotfixes for deprecated/unsupported versions of Windows (2003, XP, Windows 8, etc) are available at the bottom of this MS Article: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.