The unprecedented outbreak of Trojan ransomware WannaCry has created a worldwide plague affecting home users and businesses. We have already posted some basics about WannaCry, and in this post we will provide further advice particularly for businesses. It is urgent and critical to know what WannaCry is, how it spreads, what dangers it poses, and how to stop it.
What should I do right now?
One of the key reasons the Trojan erupted so quickly is that it transmits itself using an exploit: it enters through a known Windows vulnerability, and no user action (or mistake) is needed. Once one computer is infected, the malware attempts to spread itself to all other systems in the local network.
Therefore, the very first action to take is to repair the vulnerability. System administrators need to take the following steps:
- Install the Microsoft patch. It’s available not only for Windows 10, but for earlier versions as well: Windows 8, 7, Vista, even Windows XP and Server 2003. This patch closes the vulnerability that the ransomware uses to infect the systems within the local network.
- If, for whatever reason, installing the patch is not possible, close port 445 using the firewall. That will block the worm’s network attack to prevent the infection. However, this measure should be viewed strictly as a stopgap. Closing this port will stop a number of important network services, so it isn’t a true solution.
- Make sure that all systems in your network are protected. This point is vital: If you haven’t patched every system or closed port 445 on it, one infected computer may infect all the others.
- You may also use the free Kaspersky Anti-Ransomware Tool, which reliably protects from cryptomalware. It can also be used along with other antimalware solutions; it’s compatible with most known security solutions and does not interfere with their operation.
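To confirm that the port 445 stopgap has reached every machine, an administrator can test each host from a workstation inside the network. The following is an added example, not code from the original post; the inventory addresses are constructed placeholders and the function names are hypothetical.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445  # the port the steps above say to close when patching is not possible


def check_port(host, port=SMB_PORT, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: the port is reachable
    except ConnectionRefusedError:
        return "closed"           # host replied with a reset: nothing is listening
    except OSError:
        return "no-response"      # timeout, unreachable or unresolved name


def audit(hosts, port=SMB_PORT, timeout=2.0, workers=32):
    """Check every host in parallel and return {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: check_port(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def still_exposed(results):
    """Hosts that still accept connections on the audited port."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed inventory (documentation addresses); replace with your own hosts.
    inventory = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    results = audit(inventory)
    for host, state in results.items():
        print(f"{host:15} tcp/{SMB_PORT} {state}")
    exposed = still_exposed(results)
    print(f"{len(exposed)} host(s) still accept connections on port {SMB_PORT}: {exposed}")
```

An "open" result only means the firewall stopgap is not in effect from where the check was run; for those hosts, confirm that the Microsoft patch is installed. The result depends on the network segment the check is run from, so repeat it from each segment that can reach the hosts.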
If you already use Kaspersky Lab solutions
Current users are already protected from ransomware, including WannaCry. However, we recommend that you take a few extra preventive measures.
- Confirm that you have Microsoft’s patch installed.
- Make sure your security solution includes the System Watcher proactive behavior detection module, and confirm that it’s enabled. Instructions are here.
- If there have been cases of infection in your local network, start a critical scan. This task will be launched automatically, but the sooner you act the better. In theory, the malware could have installed itself in the system but not started encrypting the files yet.
- If the threat MEM:Trojan.Win64.EquationDrug.gen is detected during the scan, remove it and restart the system.
If there are embedded systems in your networks
Embedded systems are particularly vulnerable to WannaCry, mainly because they tend to be less well protected. Although ATMs and POS systems are usually protected using specialized solutions, the protection of systems such as information terminals is overlooked. Yet bringing such systems back on track may cost a fortune, especially if your company operates hundreds of them.
Qpark just fell victim to the WannaCry ransomware as well. pic.twitter.com/CkZX4xz89i
— Rickey Gevers (@UID_) May 13, 2017
We highly recommend using solutions that employ Default Deny mode. Kaspersky Embedded Systems Security was developed specifically for embedded systems, and it is an effective and resource-efficient protection solution.
Emergency WannaCry webinar
To help businesses understand and defend against the WannaCry ransomware, our experts held an emergency webinar. Juan Andres Guerrero-Saade, senior security researcher in our Global Research and Analysis Team (GReAT), and Matt Suiche from Comae Technologies presented the very latest information on how the ransomware breaches defenses and also on the subsequent stages of the attack.
The pair explained how organizations can determine if they have been infected and named the critical actions they need to take to secure their networks and endpoints against this threat. In addition, they explained the possible connection between WannaCry and the infamous Lazarus Group. You can watch the recording of the webinar here.