
Ransom:Win32/WannaCrypt

Key aspects and guidance


Roberto Arbelaez
Chief Security Advisor – Americas
Enterprise Cybersecurity Group
Microsoft Corp.
Key aspects
• WannaCrypt exploits a previously patched SMB vulnerability, CVE-2017-0145
• Microsoft patched CVE-2017-0145 two months before the attack, with Security Bulletin
MS17-010 released on March 14, 2017
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

• Attack vectors:
• Dropper trojan delivered in a malicious e-mail attachment
• Exploitation of the SMBv1 "EternalBlue" vulnerability on unpatched Windows
machines reachable over the network, with no user interaction required
Key aspects (2)
• Its worm capabilities are based on publicly available exploit code for
the patched SMBv1 "EternalBlue" vulnerability, in the form of a
specially crafted packet sent to an SMBv1 server; every infected machine
uses it to find and infect other unpatched machines it can reach

• Affected versions of Windows
• The vulnerability affects Windows Vista, Windows 7, Windows 8 and Windows 10 (and the
corresponding Windows Server releases covered by MS17-010)
• It also affects versions that were out of support at the time, specifically Windows XP and
Windows Server 2003; Microsoft released out-of-band updates for Windows XP, Windows 8 and
Windows Server 2003 on May 12, 2017 (see the Customer Guidance link under Resources)
• The exploit code in this initial version of WannaCrypt does not target Windows 10, so
Windows 10 is not affected by this initial version; Windows 10 is nevertheless vulnerable to
CVE-2017-0145 and must be patched, since a later variant could target it
Recommendations and guidance
• Adopt an effective and timely security update deployment process based
on change and release management best practices. Consider using automatic
updates for non-critical machines.
• Keep the antimalware engine and its signatures up to date; this attack is detected by
most antimalware engines, but only once the current signatures are installed
• Train your workforce to avoid opening attachments and URLs from
unknown sources
• Back up your information often, according to business continuity best
practices, and keep at least one copy offline or otherwise unreachable from
the network, so the backup cannot be encrypted along with the files it protects
Recommendations and guidance (2)

• SMBv1 is unsafe; plan a migration to a newer version (SMBv2 or SMBv3)
• https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

• Defense in depth is key
• Perimeter packet filters and firewalls should block external traffic to internal
machines (in particular inbound SMB on TCP port 445)
• Sandbox detonation detects and stops threats coming through the inbox (O365 ATP)
• The host antimalware engine detects and stops threats that make it to the desktop
(Windows Defender ATP)
• Behavior-based detection detects abnormal activity, increased traffic and atypical
connection attempts, such as one host opening SMB connections to many peers (Microsoft ATA)
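The last bullet describes the behavior a worm like WannaCrypt produces on the network: one host trying TCP port 445 on many peers in a short time. The PowerShell below is an added example (not code from the original deck or from any Microsoft product) of that detection logic run over Windows Firewall log lines in the pfirewall.log W3C format. The log lines are constructed for this example, and the threshold and window size are assumptions to tune per environment.

```powershell
# Added example: flag sources that contact many distinct peers on TCP 445
# within a short window, which is what a scanning SMB worm looks like.
# Constructed sample log (pfirewall.log format); 10.0.0.5 sweeps 15 hosts,
# 10.0.0.9 talks to a single file server and should not be flagged.
$scanner = 1..15 | ForEach-Object {
    '2017-05-12 10:00:{0:D2} DROP TCP 10.0.0.5 10.0.0.{1} {2} 445 0 S 0 0 0 - - - RECEIVE' -f $_, (20 + $_), (49200 + $_)
}
$normal = @(
    '2017-05-12 10:00:03 ALLOW TCP 10.0.0.9 10.0.0.50 52000 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 10:00:04 ALLOW TCP 10.0.0.9 10.0.0.50 52001 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 10:00:05 ALLOW TCP 10.0.0.9 10.0.0.60 52002 443 0 - 0 0 0 - - - SEND'
)
$sampleLines = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path') + $scanner + $normal

function Find-SmbScanners {
    param(
        [string[]]$Lines,
        [int]$DistinctTargetThreshold = 10,   # assumed: distinct 445 peers per source
        [int]$WindowSeconds = 60              # assumed: sliding window length
    )
    # Parse only TCP/445 events; fields are whitespace separated in the W3C log.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [System.Globalization.CultureInfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: from each event, count distinct destinations seen
        # within the next WindowSeconds; report the source once it crosses the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddSeconds($WindowSeconds) })
            $distinct = @($window.Dst | Sort-Object -Unique).Count
            if ($distinct -ge $DistinctTargetThreshold) {
                [pscustomobject]@{ Source = $group.Name; DistinctTargets = $distinct; WindowStart = $start }
                break
            }
        }
    }
}

# Usage: only 10.0.0.5 (15 distinct targets) is reported for the constructed sample.
Find-SmbScanners -Lines $sampleLines | Format-Table -AutoSize
```

Windows Firewall logging must be enabled (dropped packets at least) for these lines to exist on a host; the same grouping logic applies to firewall or NetFlow logs collected centrally, where the sweep is visible even when the scanning host itself is already compromised. Tune the threshold so that legitimate management hosts (backup servers, SCCM, vulnerability scanners) are allow-listed rather than paged on.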
Recommendations and guidance (3)
• If you are affected, contact your TAM and/or Account Manager and
ask them to help you open a support case

• If you have any questions or need additional guidance or assistance,
don’t hesitate to contact your account team – we’re here to help
Workarounds
If you cannot patch immediately, apply the following workarounds to reduce your
exposure until MS17-010 is installed. They mitigate the network vector only; they
do not replace the update, and the e-mail vector remains:

• Disable SMBv1 (both the server and the client component)
• https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

• Block incoming SMB traffic to vulnerable machines on TCP port 445, at the host firewall
and at network boundaries; note that this also blocks legitimate SMBv2/SMBv3 access to
those machines, so do not apply it to file servers without planning for the outage
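The following PowerShell is an added example (not from the original deck or Microsoft's KB) that audits and applies the two workarounds above on one host. It assumes the Smb* and NetFirewall cmdlets are present (Windows 8 / Server 2012 and later); on Windows 7 / Server 2008 R2 it falls back to the registry value and sc.exe commands documented in KB2696547 and to netsh, which are the documented methods there. The firewall rule name is an arbitrary choice. Run it as Administrator; the SMBv1 client change needs a reboot.

```powershell
# Added example: audit and apply the WannaCrypt workarounds on the local host.
# Assumptions: elevated session; Smb*/NetFirewall cmdlets on Windows 8+/2012+,
# KB2696547 registry/sc.exe method and netsh on Windows 7/2008 R2.
$RuleName = 'Block inbound SMB (TCP 445)'   # arbitrary name chosen for this example

function Get-Smb1ServerEnabled {
    # $true when the SMBv1 server component is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Legacy path (KB2696547): an absent SMB1 value means SMBv1 is enabled by default.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    return ($null -eq $p -or $null -eq $p.SMB1 -or $p.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # SMBv1 client (mrxsmb10), as documented in KB2696547; takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # Host firewall rule dropping inbound TCP 445 on every profile. Idempotent.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

# Audit, apply, and re-audit so the change is visible in the run log.
"SMBv1 server enabled before: $(Get-Smb1ServerEnabled)"
Disable-Smb1
Block-InboundSmb
"SMBv1 server enabled after:  $(Get-Smb1ServerEnabled)"
"Reboot required to finish disabling the SMBv1 client (mrxsmb10)."
```

To confirm the firewall rule from another machine on Windows 8 / Server 2012 or later, run `Test-NetConnection -ComputerName <host> -Port 445` and expect `TcpTestSucceeded : False`. Remember that the rule blocks all SMB access to that host, not just SMBv1, so scope it to workstations and to servers that do not serve files.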


Resources
• MS17-010
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
• Customer Guidance for WannaCrypt attacks
• https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
• Detailed description of WannaCrypt
• https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
• MMPC WannaCrypt entry
• https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt
• CVE-2017-0145
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
• Latin America Security Blog
• https://blogs.technet.microsoft.com/seguridad/
