A few updates as things have unfolded further over the weekend. My original post when Wannacry aka wcry ransomware first dropped is here.
Firstly and mostly importantly lots of critical infrastructure, hospitals and telcos which have legacy Windows 8 and XP machines are getting emergency support from Microsoft. Bravo Microsoft this is a great step to help defenders mitigate this threat.
Microsoft have also released this customer guidance
If you run these systems in production I have the direct links here thanks to this posting from Threat Post
Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
It seems the best mitigation is patching as soon as practically possible. If offlining or patching a machine is not an option then disabling SMB v1 is the next best thing.
Dont forget your change control and testing though. Nothing worse than accidentally offlining your business in the name of keeping it safe from potential threats.
Dont expect Wannacry to be a one off. Its exploiting a serious windows vulnerability and the chatter I see from security researchers I trust suggest its trivial to repackage and launch additional waves of attacks. We have already seen a wcry 2.0 version with the kill switch the original iteration had flagged off.
Im following these sources to help me follow this incident and ensure I have the right information in front of me to know our response is solid:
- Cisco's Talos threat intelligence team have an excellent write up here
- The following gist which contains updates as the outbreak and mitigations unfold
- Following twitter from good folk like @malwrhunterteam @MalwareTechBlog @Metlstorm and @riskybusiness
Thats all for now. My thoughts are with everyone incident responding to this. Its going to be a very rough week.