HKCert
Security Blog

Beware of WannaCry Ransomware Spreading

Release Date: 14 / 05 / 2017
Last Update: 15 / 05 / 2017

A new ransomware variant called WannaCry (also known as WannaCrypt or Wanna Decryptor) is spreading and has disrupted many important public services overseas by encrypting important files and demanding a ransom.

Ransomware is a type of malware that encrypts the victim's files and demands a ransom to recover them. The new 'WannaCry' variant is the first ransomware that can spread by itself throughout a home or office network and infect many more devices. Individual and enterprise users are advised to take extra precautions to prevent infection and data loss.

High Risk Areas

HKCERT has received two incident reports. They share two commonalities:

  1. Both users connected their computers directly to the Internet, without using a broadband router or a firewall.
  2. Their computers had not applied the latest security update.

High Risk Area 1: Computers connecting directly to the Internet

HKCERT warns users that a direct connection to the Internet exposes the computer to attacks. Users should place a broadband router or a firewall in front of it. Even a low-end broadband router provides a simple NAT firewall function that blocks incoming attacks.

High Risk Area 2: Unpatched Computers in the Office Network

Even if you have a firewall at the office network perimeter, it only protects your network from scanning and exploitation from outside. If an infected computer connects to your network, it will scan and attack other internal computers that have not been patched. So you must ensure that every computer connecting to the office network has applied the latest security update.

Preventive measures for individual users

  1. Set up a broadband router for connecting your devices to the Internet. Do not connect your devices to the Internet directly.
  2. Back up to another storage device, such as a USB thumb drive or an external hard disk, while not connected to the Internet.
    Remove the storage device right after the backup.
  3. Apply the latest Windows security update.
    1. Direct links for downloading the patch for each Windows version are provided (exceptionally, patches for Windows XP, Windows Server 2003 and Windows 8 were also released):
      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (scroll down to the bottom)
  4. Ensure that an anti-virus or Internet security application is installed and that its signatures are kept up to date.

Preventive measures for office network users

  1. Ensure that a firewall or broadband router is in place and that the SMB service is not exposed (i.e. block TCP ports 139 and 445).
  2. Back up to another storage device, such as a USB thumb drive or an external hard disk, while not connected to the Internet.
    Remove the storage device right after the backup.
  3. Run Windows Update on the computers in the office network, and install the Microsoft Security Bulletin MS17-010 security patch.
    1. Direct links for downloading the patch for each Windows version are provided (exceptionally, patches for Windows XP, Windows Server 2003 and Windows 8 were also released):
      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (scroll down to the bottom)
    2. Apply the above to desktop computers first, then to corporate laptop computers one by one. If you cannot verify whether an outsider's laptop computer is free from malware, do not allow it to connect to the office network.
  4. When all are done, connect the corporate laptop computers one by one and apply the Windows security update.
  5. IT administrators should then disable SMBv1 on all computers, following the steps at:
    https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
  6. If you cannot verify whether an outsider's laptop computer is free from malware, do not allow it to connect to the office network.
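The patch, SMB port and SMBv1 steps above (items 1, 3 and 5 of the office list, and the patch step of the individual-user list) can be checked and applied on a single Windows host with the following PowerShell script. This is an added example written for this article; it is not HKCERT's or Microsoft's own script. It assumes an elevated PowerShell 3.0 or later session on Windows 7 / Server 2008 R2 or newer, that the SMBv1 registry value and the KB numbers match those published by Microsoft for MS17-010 (verify them against the bulletin for your exact build), and the firewall rule name is our own choice.

```powershell
# Added example (not HKCERT's script): audit and harden one Windows host
# against the SMB vector described above. Run in an elevated session.
#Requires -RunAsAdministrator

# --- 1. Is the MS17-010 patch present? -----------------------------------
# KB identifiers as published for MS17-010 per platform (assumption: check
# the bulletin for your build). On Windows 10 a later cumulative update
# supersedes these, so a miss there means "check Update history", not
# necessarily "unpatched".
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    return [bool]$hits
}

# --- 2. SMBv1 server state and disablement -------------------------------
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value from Microsoft's
    # "Stop using SMB1" guidance linked above. A missing value means enabled.
    $v = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
        # Takes effect when the Server service restarts; a reboot is simplest.
    }
}

# --- 3. Block inbound SMB (TCP 139/445) at the host firewall -------------
function Block-InboundSmb {
    $name = 'Block-Inbound-SMB-139-445'   # rule name is our own choice
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 has no NetSecurity module; netsh does the same job.
        netsh advfirewall firewall add rule name="$name" dir=in action=block `
            protocol=TCP localport=139,445 | Out-Null
    }
}

# --- Run the audit, then harden ------------------------------------------
Write-Host ("MS17-010 hotfix found : {0}" -f (Test-Ms17010Installed))
Write-Host ("SMBv1 server enabled  : {0}" -f (Get-Smb1Enabled))
if (Get-Smb1Enabled) {
    Disable-Smb1Server
    Write-Host 'SMBv1 server disabled (reboot Windows 7 hosts to apply).'
}
Block-InboundSmb
Write-Host 'Inbound TCP 139/445 blocked by the host firewall.'
```

Run the audit half first and record the output per host before applying changes. The firewall rule blocks all inbound SMB, which is right for workstations but will cut off a file server's own shares; on such hosts restrict the rule to the untrusted network profile instead, and rely on the perimeter firewall (item 1) and the MS17-010 patch for the rest.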

Other preventive measures

  • Perform offline backups (i.e. back up to another storage device and disconnect it after the backup).
  • Do not open links or attachments in suspicious emails.
  • Ensure that your computer has baseline protection, i.e. enable and run Windows Update, install an anti-virus application with up-to-date signatures, and enable Windows Firewall.

What if my computer is infected with WannaCry ransomware?

  • Once infected, isolate the infected computer from the network immediately, and disconnect any external storage.
  • Also isolate the other computers and file servers from the network immediately. The quickest way is to turn off the network switch.
  • Do not open any file before removing the malware.
  • We do not recommend paying the ransom.