A new ransomware campaign has landed, again. And again, this should not be seen as a group of evil hackers attacking businesses around the globe, but as just another wormable virus.
Anyhow, let's not get into a discussion about definitions; let's look at what to do about it.
- Ensure systems are backed up (and restore works)
- Apply the MS17-010 patch now (https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
- Review and implement the June security updates accordingly: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
- Deploy the files c:\windows\perfc.dat & c:\windows\perfc as read-only
- Block PsExec from running on your endpoints
- Tip: Deploy this registry change, or we can suggest Thycotic Privilege Manager for Windows, to prevent the original filename from running: psexec.c
- Block the known bad checksums
- Tip: Use Microsoft AppLocker, or we can suggest Thycotic Privilege Manager for Windows, to block the known bad checksums
- Block the known bad URLs
- Tip: Use your web proxy, or we can suggest Blue Coat ProxySG
- Block the known bad network traffic
- Tip: Use your network IPS, or we can suggest the following FortiGate IPS signatures:
- Prevent Pass-the-Hash by using unique local administrator passwords on every machine
- Tip: Use Microsoft LAPS, or we can suggest Thycotic Secret Server
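The perfc item above in practice, as an added example that is not part of the original post: it creates the two files under %SystemRoot%, marks them read-only and then reports whether each is in place. The file names are the ones from the checklist; the function names are my own, and the script assumes it runs elevated on the endpoint.

```powershell
# Added example: deploy the perfc "vaccine" files as read-only and verify them.
# Assumes an elevated PowerShell session on the target host.
$VaccineFiles = @("$env:SystemRoot\perfc", "$env:SystemRoot\perfc.dat")

function Deploy-PerfcVaccine {
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is enough; only its presence matters to the check
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        $item = Get-Item -LiteralPath $path -Force
        # Read-only so the file cannot simply be overwritten with a payload
        $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    }
}

function Test-PerfcVaccine {
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        $exists   = Test-Path -LiteralPath $path
        $readOnly = $false
        if ($exists) {
            $readOnly = (Get-Item -LiteralPath $path -Force).IsReadOnly
        }
        # One row per file; anything with Exists or ReadOnly = False needs a second look
        [pscustomobject]@{ Path = $path; Exists = $exists; ReadOnly = $readOnly }
    }
}

Deploy-PerfcVaccine
Test-PerfcVaccine | Format-Table -AutoSize
```

The report only confirms that the vaccine files are present and read-only on this host; it says nothing about whether MS17-010 has been applied, so keep that as a separate check.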