WannaCry – Happening Now, Worldwide Ransomware Attack

Morey Haber, May 12th, 2017


UPDATE (5/16/17, 11:15pm EST)

As of audit revision 3274, here is an updated list of related WannaCry/WannaCrypt vulnerability audits. Use Retina or the free Retina Community to scan your systems now.

Check for the SMBv1 vulnerability on all affected platforms:

  • 62804 – Microsoft Security Update for Windows SMB Server (4013389)
  • 63900 – Microsoft Security Update for Windows SMB Server (4013389) – Remote (** Note: requires Retina 6.2.1 or higher **)

Check to see if SMBv1 is enabled. Microsoft recommends customers discontinue the use of SMBv1 unless it is required for legacy applications:

  • 63901 – Server Message Block Version 1 (SMBv1) Detected – Local
  • 63902 – Server Message Block Version 1 (SMBv1) Detected – Remote

Check for an active WannaCrypt infection:

  • 63899 – WannaCrypt Ransomware Detected

Note: The following audits provide additional methods to detect whether the SMBv1 security hotfix has been installed, and can be used in addition to audits 62804 and 63900 if desired.

Check for the March Security Only Quality Update or March Security Monthly Quality Rollup (both of which contain the MS17-010 hotfix for SMBv1 on currently supported platforms):

  • 62790 – Microsoft Security Update for Windows – March 2017 (4012212/4012215) – Windows 7
  • 62797 – Microsoft Security Update for Windows – March 2017 (4012213/4012216) – Windows 8.1
  • 62791 – Microsoft Security Update for Windows – March 2017 (4012212/4012215) – 2008R2
  • 62801 – Microsoft Security Update for Windows – March 2017 (4012214/4012217) – 2012
  • 62798 – Microsoft Security Update for Windows – March 2017 (4012213/4012216) – 2012R2

Check for KB4012598 on currently unsupported platforms:

  • 63833 – Microsoft SMB Server Vulnerability (4012598) – XP
  • 63834 – Microsoft SMB Server Vulnerability (4012598) – Server 2003
  • 63835 – Microsoft SMB Server Vulnerability (4012598) – Windows 8
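
The same KB-to-platform mapping can be applied to an exported hotfix inventory when a scanner cannot reach every host. The following is an added example, not BeyondTrust or Retina code; the CSV column names, OS name strings, status labels, host names and the placeholder KB numbers 1111111 and 2222222 are assumptions made for illustration.

```python
import csv
import io
import re

# MS17-010 KB numbers per platform, copied from the audit lists in this post.
KB_GROUPS = [
    ({"4012212", "4012215"}, ("windows 7", "windows server 2008 r2")),
    ({"4012213", "4012216"}, ("windows 8.1", "windows server 2012 r2")),
    ({"4012214", "4012217"}, ("windows server 2012",)),
    ({"4012598"}, ("windows xp", "windows server 2003", "windows 8",
                   "windows vista", "windows server 2008")),
]
MS17_010_KBS = {os_name: kbs for kbs, names in KB_GROUPS for os_name in names}

def normalize_kbs(field):
    """Accept 'KB4012212', 'kb 4012212' or '4012212', with any separator."""
    return set(re.findall(r"(?:KB\s*)?(\d{6,7})", field, flags=re.IGNORECASE))

def triage(inventory_csv):
    """Return {host: status} for a CSV with columns host, os, hotfixes, smb1."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        wanted = MS17_010_KBS.get(row["os"].strip().lower())
        smb1_on = row["smb1"].strip().lower() in {"1", "true", "yes", "enabled"}
        if wanted is None:
            status = "unknown-os"          # platform not in the post's lists
        elif wanted & normalize_kbs(row["hotfixes"]):
            status = "patched-smb1-on" if smb1_on else "patched"
        elif smb1_on:
            status = "missing-kb-smb1-on"  # patch first, then disable SMBv1
        else:
            # A later cumulative rollup may supersede these KBs: verify, don't assume.
            status = "missing-kb"
        results[row["host"]] = status
    return results

# Constructed sample inventory (hypothetical hosts and placeholder KB numbers).
SAMPLE = """host,os,hotfixes,smb1
ws-01,Windows 7,"KB1111111; KB4012215",true
ws-02,Windows 7,"KB1111111",true
srv-01,Windows Server 2012 R2,"4012213",false
srv-02,Windows Server 2003,"",enabled
srv-03,Windows Server 2016,"KB2222222",false
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `patched-smb1-on` still warrant the SMBv1 audits above, since Microsoft recommends discontinuing SMBv1 unless a legacy application needs it.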

UPDATE (5/14/17, 6:15pm EST)

BeyondTrust has released a set of Retina vulnerability scanner audits for Microsoft’s unsupported operating systems. The following audits are included with audit revision 3273:

  • 63833 – Microsoft SMB Server Vulnerability (4012598) – XP
  • 63834 – Microsoft SMB Server Vulnerability (4012598) – Server 2003
  • 63835 – Microsoft SMB Server Vulnerability (4012598) – Windows 8

UPDATE (5/13/17, 5:00am EST)

In an unusual and unprecedented move, Microsoft has released an out-of-band patch for end-of-life Windows operating systems, including XP, Vista, Server 2003 and 2008, to protect against the WannaCry threat. For ANY organization still using these operating systems, it is imperative that this patch be applied as soon as possible to protect against WannaCry and any future worms or ransomware that could leverage this vulnerability.


ORIGINAL (5/12/17, 11:00pm EST)

According to CNN, a worldwide ransomware attack named “WannaCry” has spread across 99 nations in just 11 hours. It uses the “EternalBlue” exploit, which was leaked from the NSA and targets a Microsoft Windows vulnerability that was patched in March.

The ransomware, “WannaCry”, is infecting computers and raises the ante every six hours of non-compliance with payment terms. The initial cost is just $300 but quickly escalates if firms ignore the ransom. As of this posting, the United Kingdom has had sixteen National Health Service organizations infected, and hospitals have been canceling non-critical appointments in order to deal with the threat. In total, 45,000 systems. Spanish Telefonica has been hit by the weaponized, wormable ransomware as well, making it one of the largest companies experiencing the current threat. While the cyber-attack is primarily in Europe and Asia (Russia allegedly being hit the hardest), it is just a matter of time before the threat propagates to the United States and infects other Windows systems on the internet that are not patched.

To protect themselves, organizations should make sure their Windows assets are patched for MS17-010. If you still have Windows XP, there is no patch or permanent mitigation strategy since this operating system is end of life. Some security tools may help, but the risk will never be truly remediated. It is one of the primary reasons organizations need to remove and update these assets. The security update will stop the infection but will not remediate the risk if you have already been compromised. If you are not sure whether you are at risk, please download a copy of Retina Community from here and scan using these audits:

  • Vista / 2008: 62804 – Microsoft Security Update for Windows SMB Server (4013389) – 4012598
  • Windows 7: 62790 – Microsoft Security Update for Windows – March 2017 (4012212/4012215) – Windows 7
  • Windows 8.1: 62797 – Microsoft Security Update for Windows – March 2017 (4012213/4012216) – Windows 8.1
  • Windows Server 2008 R2: 62791 – Microsoft Security Update for Windows – March 2017 (4012212/4012215) – 2008R2
  • Windows Server 2012: 62801 – Microsoft Security Update for Windows – March 2017 (4012214/4012217) – 2012
  • Windows Server 2012R2: 62798 – Microsoft Security Update for Windows – March 2017 (4012213/4012216) – 2012R2

This will identify all systems that are at risk from this rapidly evolving and propagating threat. For more information, please contact BeyondTrust today.