Starting early Friday morning, May 12, ransomware attacks using the EternalBlue exploit for Microsoft Windows hit businesses in more than a hundred countries. This new ransomware variant, known as WannaCry, WCry, WannaCrypt, or Wanna Decryptor, targets and exploits a Windows SMBv1 vulnerability that Microsoft patched in March 2017 in Security Bulletin MS17-010. Other infection vectors include compromise of exposed Remote Desktop Protocol (RDP) services and phishing e-mails.
Mediware has been working diligently to make sure all internal systems have had this vulnerability addressed. At this time, Mediware has no evidence that the vulnerability has been exploited on internal or customer systems.
Mediware has taken preventive measures to ensure our infrastructure, which consists of all our servers, devices, and customer data, is adequately protected from this attack. Mediware employs a defense-in-depth strategy that helps mitigate and minimize threat vectors such as this one. In addition to a robust and vigorous patching process, the following layers of defense are and have been in place to protect all data and all applications.
- Implementation of Microsoft patch detailed in Security Bulletin MS17-010
- Firewalls configured with an explicit default deny for all IPs and ports, with every firewall change scrutinized by multiple groups
- Strong change management processes requiring multiple peer groups to approve all changes to our production environments
- Next-generation IDS and IPS with active and intelligent filtering
- Strong access controls for users and admins
- Limited direct access to servers
- Enterprise active and up-to-date AV and anti-malware protection
- A reference multi-tenancy architecture that protects and segregates customers, business units, and applications via virtualization, VLANs, separate networks, and ACLs
- Several synchronous backup, snapshot, and replication technologies that can seamlessly restore different instances of our data in near real time
Mediware recommends the following actions to protect your systems against this attack:
- Immediately apply the Microsoft patch for the MS17-010 SMB vulnerability: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Immediately update your virus definitions, and keep them current by updating frequently.
- Ensure you have up-to-date backups, kept where ransomware running on an infected host cannot reach and encrypt them.
- Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail (for example, with SPF, DKIM, and DMARC).
- Configure access controls, including file, directory, and network share permissions, with least privilege in mind.
- Disable macro scripts in Microsoft Office files received via e-mail.
- Inform and educate your employees so they can identify scams, malicious links, and social engineering attempts.
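The following PowerShell script is an added example, not part of the Mediware advisory or Microsoft's guidance. It audits a single Windows host for the two conditions that matter most for this attack: whether an MS17-010 hotfix is installed, and whether the SMBv1 server is still enabled. The KB numbers listed are assumed to be the MS17-010 package IDs from the March 2017 bulletin and should be verified against the bulletin's affected-software table for your exact build; on Windows 10 later cumulative updates supersede them, so an absent KB does not by itself prove a missing patch. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Mediware advisory): audit one Windows host for
# the MS17-010 hotfix and for SMBv1 exposure, then optionally remediate.
# Requires an elevated (Administrator) session.

# Assumption: these KB IDs are the MS17-010 packages per the March 2017
# bulletin (Windows 7/2008 R2, 8.1/2012 R2, 2012, XP/2003/Vista/2008,
# and Windows 10 1507/1511/1607). Verify against the bulletin before relying
# on this list; cumulative updates on Windows 10 supersede the originals.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4012606',
                'KB4013198', 'KB4013429')

# 1. Hotfix check: Get-HotFix reads the installed-update inventory on the host.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found via Get-HotFix; confirm the cumulative update level before treating this host as patched.'
}

# 2. SMBv1 server state. The LanmanServer SMB1 registry value is honoured by
#    Windows 7 / Server 2008 R2 and later (Microsoft KB2696547). When the
#    value is absent, SMBv1 is enabled, which is the default.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Warning 'SMBv1 server is enabled on this host; EternalBlue targets SMBv1.'
} else {
    'SMBv1 server is disabled via the LanmanServer registry value.'
}

# 3. Remediation steps. Left commented out so the script is read-only by
#    default; uncomment the lines that apply to your OS version.
#
# Disable the SMBv1 server on Windows 7 / Server 2008 R2 and later
# (a restart is required for this registry change to take effect):
# Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
#
# On Windows 8.1 / Server 2012 R2 and later the cmdlet form is available:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#
# Block inbound SMB (TCP 445) from untrusted networks at the host firewall
# (Windows 8 / Server 2012 and later); keep the Domain profile open only if
# the host must serve file shares internally:
# New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (Public)' `
#     -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public
```

Treat the hotfix check as necessary but not sufficient: the authoritative test is whether the host's srv.sys is at or above the version shipped in MS17-010, which the bulletin's file-information tables list per OS. Disabling SMBv1 removes the attack surface regardless of patch state, and is the stronger of the two controls where legacy clients do not depend on it.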
For More Information:
- US-CERT Alert (TA17-132A) Indicators Associated with WannaCry Ransomware:
- Microsoft Security Response Center Article Customer Guidance for WannaCrypt attacks:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ Note: This article also provides information regarding Windows XP and Windows Server 2003.
If you have any questions, contact our Director of Information Technology Jim Burkholder at (913) 307-1021, or contact me directly at (913) 307-0105.
Regulatory and Compliance
Mediware Information Systems, Inc.