May 16, 2017

WannaCry Ransomware Update

First, for our customers:

Edge Hosting continues to protect customers from the latest global ransomware attack, WannaCry (also known as WCry or Wanna Decryptor), through a multi-layered security model. All Edge customers are protected by signatures applied to our Intrusion Prevention System. Customers running Windows Server 2008, 2012 and 2016 are further protected by updated signatures on the Sophos anti-virus product and by Windows server patching. Customers who have opted out of patching should patch their systems immediately! If you need help, we are here to help 24/7. Please open a ticket with our Network Operations Center (NOC) support team and we’ll coordinate an effort to patch servers hosted at Edge. Also, please patch the workstations in your offices, as this ransomware can traverse VPN connections and reach servers from your workstations.

What is Ransomware?

Ransomware is a form of malicious software that encrypts the entire disk of a computer or server and holds it in an inaccessible state until the ransom is paid. The attacks of the last 3-4 days exploit vulnerabilities that were not publicly known until they were exposed in April through a hack against a government system. Reporting indicates a requested ransom for this event of 0.1781 bitcoins, roughly $300. According to CNET, WannaCry has so far hit more than 150 countries and 200,000 computers worldwide.

How does the Attack Occur?

The current attack has impacted every version of the Windows server and workstation operating systems released since 2001. U.S. CERT states that attackers gain access to enterprise servers through phishing emails and then move laterally to other servers and workstations through shared drives by exploiting a critical Windows SMB vulnerability. Microsoft released a patch in mid-March (MS17-010) that has successfully prevented attacks and the spread of this ransomware.

Edge Hosting’s Protection

The Edge Hosting team has been diligent in the defense against this attack. Windows Server 2008, 2012 and 2016 systems have been patched, anti-virus software is updated on a frequent basis (approximately every two hours), and our Intrusion Prevention System (IPS) has signatures and other controls in place to defend systems.

As always, we are working 24/7 to stay ahead of the attack and ensure the confidentiality, integrity and availability of your most critical assets. We are actively reviewing information from the U.S. Computer Emergency Response Team (CERT), and we have SMB, Microsoft’s network file-sharing protocol, blocked at the perimeter of our network, so that VPN is the only viable path for SMB traffic into your VLAN. We have applied the following filters to our IPS to help protect you against the exploits:

  • SMB: Server MID Type Confusion Vulnerability
  • SMB: Remote Code Execution Vulnerability (EternalBlue)
  • SMB: Server SMBv1 Buffer Overflow Vulnerability
  • SMB: Remote Code Execution Vulnerabilities (EternalChampion)
  • SMB: Remote Code Execution Vulnerability (EternalBlue)
  • SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy)
  • SMB: Null Session SetUp
  • SMB: Suspicious SMB Fragmentation
  • SMB: DoublePulsar Backdoor
  • SMB: Malicious SMB Probe/Attack
  • TLS: Suspicious SSL Certificate (DGA)

What Can You Do?

There are actions you can take to keep ransomware off your systems. Ransomware most often gains its initial foothold through web browsing or phishing email, so if possible, web browsing should not be conducted from a server. Once a system is infected, other systems can be infected through file shares (mapped drives), so if mapped drives are not necessary on your servers, terminate those connections. Similarly, VPN connections should only come from trusted and known systems (for example, do not manage your server from a home system that is not controlled by enterprise anti-virus and similar protections).
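The following is an added check script, not Edge Hosting’s own tooling, that a Windows administrator could run on a hosted server to verify the points above: whether an MS17-010 update is installed, whether SMBv1 is still enabled, and which mapped drives are connected. It assumes Windows Server 2008 R2 or later with PowerShell 3+; the KB-to-OS mapping is my assumption and should be verified against Microsoft’s MS17-010 bulletin before relying on it.

```powershell
# Added example (not Edge Hosting's code). Assumes Server 2008 R2+ with PowerShell 3+.
# The SMB cmdlets exist only on Server 2012+, so older hosts fall back to the registry.
# KB list is an assumption to verify against Microsoft's MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012598',                # Server 2008 SP2 (May 2017 out-of-band update)
    'KB4012212', 'KB4012215',   # Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012213', 'KB4012216',   # Server 2012 R2
    'KB4013429'                 # Server 2016
)

function Test-Ms17010Installed {
    # Later cumulative updates supersede these KBs, so a miss means "verify manually",
    # not necessarily "unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Server 2008 / 2008 R2: SMB1 is on unless the registry value is explicitly 0.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-MappedDrives {
    # Mapped drives are the file-share path the advisory says WannaCry spreads over.
    Get-WmiObject -Class Win32_NetworkConnection | Select-Object LocalName, RemoteName
}

$drives = (Get-MappedDrives | ForEach-Object { "$($_.LocalName) -> $($_.RemoteName)" }) -join '; '
$report = [ordered]@{
    'MS17-010 KB present' = Test-Ms17010Installed
    'SMBv1 enabled'       = Test-Smb1Enabled
    'Mapped drives'       = if ($drives) { $drives } else { '(none)' }
}
$report.GetEnumerator() | ForEach-Object { '{0,-20}: {1}' -f $_.Key, $_.Value }

# Remediation on Server 2012+, only after confirming no workload still needs SMBv1:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Mapped drives that are not needed can be dropped with:  net use <drive:> /delete
```

Run it in an elevated PowerShell session; the report is a starting point for the patching ticket, not a substitute for confirming patch state with your NOC.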

Stay Tuned

The authors of WannaCry have already released several variations of the attack, and Edge remains vigilant. If you need help, the Edge support team is here to help 24/7. Again, please open a ticket with our NOC support team and we’ll coordinate a patch for your organization.

Last updated 05/16/2017
