
WANNACRY

RANSOMWARE
REPORT &
MITIGATION
WB: SN-NFS v1.0
Singapore, 14 May 2017
WANNACRY RANSOMWARE REPORT & MITIGATION ..... 3
INTRODUCTION ..... 3
WHAT IS RANSOMWARE ..... 3
RANSOMWARE PROPAGATION ..... 3
WANNACRY RANSOMWARE REPORT DETAIL ..... 3
ANALYSIS OF THE ATTACK ..... 5
SAMPLES OBSERVED IN ATTACKS ..... 12
KASPERSKY LAB DETECTION NAMES ..... 12
WANNACRY MITIGATION ..... 12
EDUCATE YOUR USER ..... 13
REGULARLY BACK UP DATA AND VERIFY THE RESTORABILITY OF YOUR BACKUPS ..... 13
PROTECT ALL DEVICES AND SYSTEMS ..... 13
DEPLOY AND MAINTAIN SECURITY SOFTWARE ..... 13
FOR KASPERSKY ENDPOINT SECURITY 10 FOR BUSINESS (KESB) INSTALLED ON WINDOWS DESKTOP OPERATING SYSTEM ..... 13
FOR KASPERSKY ENDPOINT SECURITY 10 FOR BUSINESS (KESB) INSTALLED ON WINDOWS SERVER OPERATING SYSTEM ..... 19
FOR KASPERSKY SECURITY 10 FOR WINDOWS SERVER (KSWS) INSTALLED ON WINDOWS SERVER OPERATING SYSTEM ..... 20
FOR KASPERSKY SECURITY 10 FOR WINDOWS SERVER (KSWS) INSTALLED ON WINDOWS SERVER OPERATING SYSTEM WITH HYPER-V ROLE ..... 22
FOR KASPERSKY SECURITY FOR VIRTUALIZATION LIGHT AGENT 4.0 PROTECTING WINDOWS BASED VIRTUAL DESKTOP ..... 22
FOR KASPERSKY INTERNET SECURITY 2017 (KIS) INSTALLED ON WINDOWS DESKTOP OPERATING SYSTEM ..... 24
WORDS OF PRECAUTION ..... 29

WANNACRY RANSOMWARE REPORT & MITIGATION

Page 2
INTRODUCTION
WHAT IS RANSOMWARE

Put simply, ransomware is malicious software that is not built on any new technology. It takes mature,
well-proven encryption technology, the same technology that is normally used to protect data, and
turns it against the data owner to help cybercriminals reach their goal. In a nutshell, ransomware is the
criminals' creative misuse of a trusted security mechanism to do harm.

Encryption normally protects your data. For example, full disk encryption encrypts the entire hard disk
of a notebook, so if the notebook is stolen and the disk is removed to retrieve the data, the thief cannot
read it; only the owner, who holds the decryption key, can. Ransomware applies the same concept with
one difference: your data is encrypted, but you, the owner, cannot read it because the decryption key is
withheld by the cybercriminal, who promises to release it only after you have paid a ransom, usually in
Bitcoin, according to the criminal's instructions.

Ransomware has many variants, such as Petya and WannaCry. Although the variants differ, the way they
work is almost the same. Depending on the motive and agenda of the cybercriminals, ransomware is
created for different purposes: some variants exist purely for commercial gain, while others, such as
PetrWrap, are used in targeted attacks.

RANSOMWARE PROPAGATION

Ransomware is propagated in many ways. Depending on the victim or target the cybercriminals have
chosen, it can spread via email attachments, malicious URLs, vulnerabilities in specific applications,
vulnerabilities in the operating system, social engineering, social media and so on.

For example, ransomware that targets users of Microsoft Office applications can be delivered as an
email attachment or through unpatched Office vulnerabilities. Ransomware that targets a database
server can be delivered by first compromising an insecure web server or application server that has
direct or indirect connectivity to the database server at the back end.

However, the two most common ways are:

1. Phishing spam: the victim receives an email that contains an infected attachment or a link to a
phishing website.
2. Watering hole: the employee visits a legitimate website that is popular with a specific type of user
or job role, such as an accountancy forum or a business advice site, and the device becomes infected.
In these cases of "drive-by" infection, the website has already been compromised with malware that is
ready to exploit vulnerabilities on visitors' devices.

WANNACRY RANSOMWARE REPORT DETAIL


The detailed WannaCry report below was published by Kaspersky Lab's Global Research & Analysis
Team (GReAT) on May 12, 2017 at 5:30pm.

Earlier today (May 12, 2017), Kaspersky Lab products detected and successfully blocked a large number
of ransomware attacks around the world. In these attacks, data is encrypted and the extension ".WCRY"
is appended to the filenames.

Our analysis indicates the attack, dubbed "WannaCry", is initiated through a remote code execution
vulnerability in the SMBv1 server of Microsoft Windows. The exploit (codenamed "EternalBlue") was
made publicly available through the Shadow Brokers dump on April 14, 2017; the vulnerability itself had
been patched by Microsoft on March 14, 2017 in security bulletin MS17-010.

Unfortunately, it appears that many organizations have not yet installed the patch.

A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their
site about a massive ransomware attack affecting several Spanish organizations. The alert recommends
the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread
of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical
institutions. We have confirmed additional infections in several other countries, including Russia,
Ukraine and India.

It is important to keep the two components apart. Unpatched Windows computers that expose their SMB
service can be remotely attacked with the "EternalBlue" exploit and infected with the WannaCry
ransomware, but the absence of the vulnerability does not stop the ransomware component itself from
working once it has been started by other means: the vulnerability is the worm's propagation vector, not
a prerequisite for the encryption. Nevertheless, the presence of this vulnerability appears to be the most
significant factor behind the outbreak.

ANALYSIS OF THE ATTACK

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries
around the world, mostly in Russia. Note that our visibility may be limited and incomplete, and the real
range of targets and victims is likely much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. A
request for $600 in Bitcoin is displayed along with the wallet address. Interestingly, the initial demand in
this sample is $600 USD, while the first five payments to that wallet were approximately $300 USD each,
which suggests that the group is increasing the ransom demand.

The tool was designed to address users of multiple countries, with translated messages in different
languages.

Language list that the malware supports

Note the warning that the "payment will be raised" after a countdown, and a second display that adds
urgency by threatening that the user will completely lose their files after the timeout. Not all
ransomware provides such a countdown timer.

To make sure that the user does not miss the warning, the tool replaces the user's wallpaper with an
image containing instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

The malware samples contain no reference to any specific culture or code page other than universal
English and the Latin code page CP1252. The files carry version information copied from random
Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient Bitcoin payments, the malware directs the user to a page with a QR code at btcfrog, which
links to their main Bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. The image metadata does
not provide any additional information:

One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

One of the attacker wallets received 0.88 BTC during the last few hours

Other Bitcoin wallets included in the attackers' "readme.txt" from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC


1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

For command and control, the malware extracts a Tor service executable together with all the
dependencies it needs to access the Tor network:

A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif,
.slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb,
.mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip,
.dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf,
.avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw,
.gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg,
.vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv,
.txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx,
.ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware is targeting contain certain clusters of formats including:

1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
6. Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple "user manuals" in different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino,
Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish,
Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

An example of a "user manual" in English:

What Happened to My Computer?


Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because
they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption
service.

Can I Recover My Files?


Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough
time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until
you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

In case the user closed the bright red dialog box, or does not understand it, the attackers also drop a
text file with further instructions to disk. The "readme" is written as "@Please_Read_Me@.txt" into many
directories on the victim host. Note that the English is written well, with the exception of "How can I
trust?". To date, only two transactions appear to have been made to the
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Bitcoin address, for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until
they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.


Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.


We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started, it immediately spawns several processes to change file permissions and communicate
with the Tor hidden C2 servers:

  attrib +h .
  icacls . /grant Everyone:F /T /C /Q
  C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  @WanaDecryptor@.exe fi
  300921484251324.bat
  C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware creates the mutex "Global\MsWinZonesCacheCounterMutexA" and runs the following
command, which deletes the Volume Shadow Copies, disables Windows recovery and deletes the
backup catalog so that the victim cannot restore files locally:

  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This triggers a UAC prompt that the user may notice.

UAC popup to disable Volume Shadow Service (System Restore)
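The recovery-sabotage chain above is one of the most reliable things to alert on, because legitimate
administration rarely deletes shadow copies, disables recovery and wipes the backup catalog in a single
command line. The PowerShell below is an added example and is not part of the Kaspersky report: it
runs simple pattern matching over process command lines (the CommandLine field of Sysmon Event ID 1
or Security event 4688) and scores hits. The five command lines in $SampleCommandLines are
constructed for this example; the patterns are taken from the process list and command shown above.

```powershell
# Added example (not from the Kaspersky report): flag WannaCry's recovery-sabotage chain,
# the world-writable icacls grant and the dropped binaries in process-creation records.

$Indicators = @(
    @{ Name    = 'ShadowCopyDeletion'
       Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name    = 'RecoveryDisabled'
       Pattern = 'bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' },
    @{ Name    = 'BackupCatalogDeleted'
       Pattern = 'wbadmin(\.exe)?\s+delete\s+catalog' },
    @{ Name    = 'EveryoneFullControl'
       Pattern = 'icacls(\.exe)?\s.*/grant\s+Everyone:F' },
    @{ Name    = 'WannaCryDroppedBinary'
       Pattern = '@WanaDecryptor@\.exe|\\taskdl\.exe' }
)

function Find-RansomwareBehaviour {
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        # -match is case-insensitive, which matters because the malware mixes cases freely.
        $hits = @(foreach ($i in $Indicators) { if ($cl -match $i.Pattern) { $i.Name } })
        if ($hits.Count -eq 0) { continue }
        # Several recovery-inhibition steps in one command line is the WannaCry signature;
        # a single hit (for example an admin running vssadmin) only warrants a look.
        $severity = if ($hits.Count -ge 2) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            Severity    = $severity
            Indicators  = ($hits -join ',')
            CommandLine = $cl
        }
    }
}

# Constructed sample records: line 1 is the chain from the report, line 2 the icacls grant,
# line 3 a dropped binary, lines 4 and 5 benign activity that must not fire.
$SampleCommandLines = @(
    'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    'icacls . /grant Everyone:F /T /C /Q',
    'C:\Users\alice\AppData\Local\Temp\taskdl.exe',
    '"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\alice\report.docx"',
    'vssadmin list shadows'
)

Find-RansomwareBehaviour -CommandLines $SampleCommandLines | Format-Table -AutoSize
```

Against the sample, the first line scores High with three indicators, the icacls and taskdl.exe lines
score Medium, and the Word launch and "vssadmin list shadows" produce nothing. In a SIEM the same
patterns apply unchanged; the severity rule is what keeps a lone administrative vssadmin call from
paging anyone.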

The malware uses Tor hidden services for command and control. The list of .onion domains inside is as
follows:

  gx7ekbenv2riucmf.onion
  57g7spgrzlojinas.onion
  xxlvbrloxvriy2c5.onion
  76jdd2ir2embyv47.onion
  cwwnhwhlz52maqm7.onion
  sqjolphimrr7jqw6.onion

SAMPLES OBSERVED IN ATTACKS

4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240

KASPERSKY LAB DETECTION NAMES

Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic

Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims.
We will provide an update when a tool is available.
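The indicators in this report (sample hashes, dropped file names, the .WCRY extension and the mutex)
can be turned into a quick host sweep. The PowerShell below is an added example and is not part of
the Kaspersky report. The MD5 list, artefact names and mutex name are copied from the report; the
demo directory under $env:TEMP and its two files are constructed for this example, and in a real sweep
you would point -Path at user profiles or file shares.

```powershell
# Added example (not from the Kaspersky report): sweep a host for the WannaCry indicators
# listed in the report and check whether the encryptor's mutex is currently held.

$KnownMd5 = @(
    '4fef5e34143e646dbf9907c4374276f5', '5bef35496fcbdbe841c82f4d1ab8b7c2',
    '775a0631fb8229b2aa3d7621427085ad', '7bf2b57f2a205768755c07f238fb32cc',
    '7f7ccaa16fb15eb1c7399d422f8363e8', '8495400f199ac77853c53b5a3f278f3e',
    '84c82835a5d21bbcf75a61706d8ab549', '86721e64ffbd69aa6944b9672bcabb6d',
    '8dd63adb68ef053e044a5a2f46e0d2cd', 'b0ad5902366f860f85b892867e5b1e87',
    'd6114ba5f10ad67a4131ab72531f02da', 'db349b97c37d22f5ea1d1841e3c89eb4',
    'e372d07207b4da75b3434584cd9f3450', 'f529f4556a5126bba499c26d67892240'
)
$ArtefactNames = @('@Please_Read_Me@.txt', '@WanaDecryptor@.exe', 'taskdl.exe')

function Test-WannaCryMutex {
    # The encryptor holds this named mutex while it runs. OpenExisting throws if the mutex
    # does not exist; an access-denied error means it exists in another session.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('Global\MsWinZonesCacheCounterMutexA')
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Get-WannaCryFileIocs {
    param([Parameter(Mandatory)][string]$Path)
    # -Force includes hidden files: the malware runs "attrib +h" on its working directory.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        if ($_.Extension -ieq '.WCRY')        { $reasons += 'EncryptedFileExtension' }
        if ($ArtefactNames -contains $_.Name) { $reasons += 'DroppedArtefactName' }
        # Hash only executables of plausible size to keep the sweep fast.
        if (($_.Extension -in @('.exe', '.dll')) -and ($_.Length -lt 10MB)) {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and ($KnownMd5 -contains $md5.ToLower())) { $reasons += 'KnownSampleHash' }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; Indicators = ($reasons -join ',') }
        }
    }
}

# Demo on a constructed directory (no real malware involved).
$demo = Join-Path $env:TEMP 'wcry-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'quarterly.xlsx.WCRY') -Value 'demo content, not encrypted'
Set-Content -Path (Join-Path $demo '@Please_Read_Me@.txt') -Value 'demo ransom note'

"Mutex present: $(Test-WannaCryMutex)"
Get-WannaCryFileIocs -Path $demo | Format-Table -AutoSize
```

Hash matching only catches the samples listed here, so treat the file-name and extension checks as the
primary signal and the hash list as confirmation; a positive mutex check on a live host means the
encryptor is running now and the machine should be isolated from the network before anything else.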

WANNACRY MITIGATION
When it comes to dealing with the risk of WannaCry, and of ransomware attacks in general, companies
and organizations have two choices:

1. Hope that your organization is not attacked. With the increasing number of ransomware variants, that
is not really a viable option.
2. Follow some easily applied rules that help keep your data and your business operations safe.

WannaCry targets the Microsoft Windows platform. The rules below are written for Microsoft Windows
users, but the general principles apply to other platforms as well.

EDUCATE YOUR USER

Never underestimate the value of educating your staff, as people are often the most vulnerable element
in any business. Teach your employees the IT security basics, including:
- Awareness of phishing and spear-phishing risks
- The security implications of opening any email attachment that looks suspicious, even if, at first
sight, it appears to come from a trusted source

REGULARLY BACK UP DATA AND VERIFY THE RESTORABILITY OF YOUR BACKUPS

Almost all businesses already have data backup policies. However, it is essential that you back up your
data to an offline backup system, instead of just copying files to another "live" system on your corporate
network; otherwise ransomware that reaches the network will be able to encrypt the backup files too.
Establish a "back up and disconnect" policy, so you are not just copying data onto a permanently
connected file server, and test restores regularly so you know the backups are actually usable.

PROTECT ALL DEVICES AND SYSTEMS


Because cryptors don’t just attack PCs, you’ll also need to ensure your security software can protect your
Mac computers, virtual machines and Android mobile devices. It’s also worth ensuring you have sufficient
protection installed on your email system.

DEPLOY AND MAINTAIN SECURITY SOFTWARE


As with all malware prevention, your watchword should be "update early and update often", so you need
to:
- Update all applications and operating systems, to eliminate newly discovered vulnerabilities
- Update the security application and its anti-malware database, to ensure you benefit from the
latest protection

Try to select a security solution that includes tools that let you:
- Manage the use of the Internet, for example according to job role
- Control access to corporate data, again according to job or department
- Manage the launch of programs, using Application Control technologies that let you block or
permit programs

FOR KASPERSKY ENDPOINT SECURITY 10 FOR BUSINESS (KESB) INSTALLED ON WINDOWS DESKTOP
OPERATING SYSTEM

Customers running Kaspersky Endpoint Security 10 for Business (KESB) on a supported Windows desktop
operating system (Windows Vista, Windows 7, Windows 8.1, Windows 10) will have received security
update MS17-010 through Windows Update in March 2017. If automatic updates are enabled, or the
update has been installed manually, the EternalBlue exploit cannot be used against them. Everyone else
should install the update as soon as possible. The security update MS17-010 can be downloaded from:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

For Windows versions that no longer receive mainstream support, Microsoft, given the potential impact
on customers and their businesses, decided to make the security update for the custom-support-only
platforms Windows XP and Windows 8 broadly available for download (see links below).

Windows XP SP3 x86:
http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe

Windows 8 x86:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu

Windows 8 x64:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu
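Before rolling the configuration changes below, it is worth confirming on each host whether the
condition the worm needs is actually present: SMBv1 being served and MS17-010 missing. The
PowerShell below is an added example and is not part of the Kaspersky report. KB4012598 is the
update linked above; the other KB numbers are the per-platform identifiers from the MS17-010 bulletin,
and the registry value for Windows 7 / Server 2008 R2 is the one Microsoft documents for disabling
SMBv1 there. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Kaspersky report): triage a Windows host for the condition
# the WannaCry worm exploits (SMBv1 served and MS17-010 not installed) and optionally
# turn SMBv1 off. Run from an elevated PowerShell prompt.

# Per-platform hotfix IDs from the MS17-010 bulletin. KB4012598 is the one linked above
# for Windows XP / Windows 8 (it also covers Vista, Server 2008 and Server 2003).
$Ms17010Kbs = @(
    'KB4012598',
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Installed {
    # Later cumulative updates supersede these KBs, so "not found" means "investigate",
    # not "unpatched"; the SMBv1 state below is the decisive check either way.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $hits = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Found = ($hits.Count -gt 0); Hotfixes = ($hits -join ',') }
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: LanmanServer\Parameters\SMB1 (absent = enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return (($null -eq $val) -or ($val -ne 0))
}

function Disable-Smb1Server {
    # Stops the server from speaking the SMBv1 dialect EternalBlue needs.
    # Windows 7 / 2008 R2 needs a reboot for the registry value to take effect.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1ServerEnabled
"MS17-010 hotfix present : $($patch.Found) $($patch.Hotfixes)"
"SMBv1 server enabled    : $smb1"
if ($smb1 -and -not $patch.Found) {
    Write-Warning 'Exposed to EternalBlue: install MS17-010, then run Disable-Smb1Server.'
}
```

Patch first, then disable SMBv1: the patch closes the bug, disabling the dialect removes the attack
surface for anything similar, and the order matters only in that a reboot may be required between them.
Check for clients that still need SMBv1 (old printers, scanners, NAS firmware) before disabling it on a
file server.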

Next, to reduce the risk of infection by ransomware/cryptolockers (malware that encrypts your files and
demands a ransom), we recommend enabling the following protection components in Kaspersky
Endpoint Security for Business:

- System Watcher and BSS (Behavior Stream Signatures). System Watcher collects data on the actions
of applications on the computer, while BSS analyses that behaviour for malicious patterns.
- Application Privilege Control. This component restricts what applications in the Low Restricted and
High Restricted trust groups may do with the resources you define as protected, so an untrusted
process cannot write to, delete or create files of the protected types.
- Kaspersky Security Network.

CONFIGURE THE SETTING LOCALLY

Before you start, make sure the BSS and System Watcher components are enabled in the settings
(Anti-Virus protection -> System Watcher).

1. Open Kaspersky Endpoint Security 10 for Windows.


2. On the Settings tab, select Endpoint control -> Application Privilege Control and click the
Resources button.

3. Select the Personal data node, click Add and select the item Category.

4. Create a category named Protected file types and some subcategories inside it. It may be
Documents, Images, and others.

5. Select a category that corresponds with the files you want to protect (for example, Documents
for .doc and .docx files), click the Add button and select the item File or folder. You can either
specify a path or a wildcard, such as *.<extension>. Example: *.docx.

6. In the same way, add other file types.


7. Configure the access permissions to the Protected file types group for applications in the Low
Restricted and High Restricted trust groups. We recommend blocking the Write, Delete and Create
actions. Make sure the applications that are normally used to work with the protected file types are in
the Trusted group.

Before installing patches for Kaspersky Lab products, temporarily restore the initial settings. Note that if
the browser belongs to the Low Restricted or High Restricted group, it will be unable to download files of
the protected types.

CONFIGURE THE SETTING VIA KASPERSKY SECURITY CENTER

1. Open the Administration Console, go to the Managed computers node and select the Policies
tab.

2. Open the properties of the active Kaspersky Endpoint Security policy, select Endpoint
control -> Application Privilege Control, then click the Settings button to configure the
application's access to resources and personal data.

3. Select the Personal data node, click Add and select the item Category.

4. Create a category named Protected file types and some subcategories inside it. It may be
Documents, Images, and others.

5. Select a category that corresponds with the files you want to protect (for example, Documents
for .doc and .docx files), click the Add button and select the item File or folder. You can either
specify a path or a wildcard, such as *.<extension>. Example: *.docx.

6. In the same way, add other file types.
7. Configure the access permissions to the Protected file types group for applications in the Low
Restricted and High Restricted trust groups. We recommend blocking the Write, Delete and Create
actions. Make sure the applications that are normally used to work with the protected file types are in
the Trusted group.

8. Save the policy.

Make sure the System Watcher component is enabled in the settings (Anti-Virus protection ->
System Watcher).

To use all functions of the Kaspersky Security Center Remote Diagnostic Utility, restore the default
settings or disable the Application Privilege Control component.

If the browser belongs to the Low Restricted or High Restricted group, it will be unable to download files
of the protected types.

An additional measure to limit the spread of ransomware is to include all network drives in the scan
scope of the File Anti-Virus component.

FOR KASPERSKY ENDPOINT SECURITY 10 FOR BUSINESS (KESB) INSTALLED ON
WINDOWS SERVER OPERATING SYSTEM
Customers running supported versions of the server operating system (Windows Server 2008, Windows
Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016) will have
received security update MS17-010 through Windows Update in March 2017. If automatic updates are
enabled, or the update has been installed manually, the EternalBlue exploit cannot be used against
them. Everyone else should install the update as soon as possible. The security update MS17-010 can
be downloaded from:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

For Windows versions that no longer receive mainstream support, Microsoft, given the potential impact
on customers and their businesses, decided to make the security update for the custom-support-only
platforms Windows Server 2003 SP2 x64 and Windows Server 2003 SP2 x86 broadly available for
download (see links below).

Windows Server 2003 SP2 x86:


http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9

Windows Server 2003 SP2 x64:


http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e

If Kaspersky Endpoint Security for Business 10 SP2 is deployed on a Windows file server, that is on one
of:
- Microsoft Windows Server 2012 R2 Standard x64
- Microsoft Windows Server 2012 Foundation x64
- Microsoft Windows Server 2012 Standard x64
- Microsoft Small Business Server 2011 Standard x64
- Microsoft Windows Server 2008 R2 Standard x64 SP1
- Microsoft Windows Server 2008 R2 Enterprise x64 SP1
- Microsoft Windows Server 2008 Standard x64 SP2
- Microsoft Windows Server 2008 Enterprise x64 SP2
only Firewall, Network Attack Blocker, File Anti-Virus and Application Startup Control are available.
System Watcher and Application Privilege Control are not available on Windows file servers.

If the file server hosts shared folders or mapped network drives, we suggest creating a separate network
folder for each user and granting write permission only to the owner of that folder. Then, if a workstation
is infected, only that user's folder is damaged; otherwise malware on a single computer can encrypt
every shared network folder it is able to write to.

Another measure is to include all network drives in the File Anti-Virus scan scope.
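The per-user folder layout recommended above is a least-privilege measure that works even where
System Watcher is unavailable, because it limits what any single compromised account can reach. The
PowerShell below is an added example and is not part of the Kaspersky report: it creates the folders
and sets NTFS permissions so that each user can modify only their own folder. The share root, share
name, domain and user list are assumptions for this example; in production the user list would come
from Active Directory. Run it as a local administrator on the file server (New-SmbShare needs Windows
Server 2012 or later).

```powershell
# Added example (not from the Kaspersky report): one folder per user under a share, with
# write access limited to that user, so an infected workstation can encrypt only its own
# user's folder. Share root, share name, domain and user names are assumed for the example.

$ShareRoot = 'D:\Shares\Users'
$ShareName = 'Users'
$Domain    = 'CORP'
$Users     = @('alice', 'bob')   # constructed sample; read from AD in production

function Initialize-ShareRoot {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Domain)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    # Drop inherited ACEs, then let domain users only list/traverse the root. No (OI)(CI)
    # on that grant, so nothing propagates into the per-user folders and nobody can
    # create files at the root itself.
    & icacls.exe $Root /inheritance:r /grant "${Domain}\Domain Users:RX" `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Share-level Change access; the NTFS ACLs are what actually isolate the users.
        New-SmbShare -Name $ShareName -Path $Root -ChangeAccess "${Domain}\Domain Users" | Out-Null
    }
}

function New-PerUserFolder {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Account)  # DOMAIN\user
    $path = Join-Path $Root ($Account.Split('\')[-1])
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # M (Modify) lets the user read, write and delete but not change permissions, so an
    # "icacls /grant Everyone:F" run by malware in the user's context fails on this folder.
    # Ownership deliberately stays with the administrator who created the folder: an
    # owner can always rewrite the ACL, which would defeat the restriction.
    & icacls.exe $path /inheritance:r /grant "${Account}:(OI)(CI)M" `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    return $path
}

Initialize-ShareRoot -Root $ShareRoot -Domain $Domain
foreach ($u in $Users) { New-PerUserFolder -Root $ShareRoot -Account "${Domain}\$u" }

# Verify: each folder should list only its user, Administrators and SYSTEM.
& icacls.exe (Join-Path $ShareRoot 'alice')
```

The verification step is the part to keep in a runbook: any ACE for Everyone, Authenticated Users or
Domain Users inside a per-user folder means inheritance crept back in and the isolation is gone. Shared
team folders still need their own design; the pattern here only addresses personal storage.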

FOR KASPERSKY SECURITY 10 FOR WINDOWS SERVER (KSWS) INSTALLED ON
WINDOWS SERVER OPERATING SYSTEM
Customers running supported versions of the server operating system (Windows Server 2008, Windows
Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016) will have
received security update MS17-010 through Windows Update in March 2017. If automatic updates are
enabled, or the update has been installed manually, the EternalBlue exploit cannot be used against
them. Everyone else should install the update as soon as possible. The security update MS17-010 can
be downloaded from:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Kaspersky Security 10 for Windows Server provides a server-side anti-ransomware solution. Some hosts
inside the security perimeter use shared SMB/CIFS folders on corporate servers, and not every host has
System Watcher enabled; some may even be unprotected, or protected by other software that lacks
anti-ransomware functionality.

In that scenario, any ransomware/cryptolocker that enters a host via email or a vulnerable web browser
will also encrypt the shared folders on corporate servers, and only server-side security software can
defend that data.

Kaspersky Lab's anti-ransomware functionality is therefore provided not just for endpoints but also for
Windows servers. Kaspersky Security 10 for Windows Server incorporates a layer of defense developed
specifically against cryptor threats. Watching over selected data folders, including file shares, it
compares the contents of every file before and after each access attempt. Because a cryptolocker
changes the file contents dramatically (the file is encrypted), this mechanism will almost invariably
detect the presence of ransomware and block the offending host's further access to the share.

The Anti-Cryptor feature of Kaspersky Security 10 for Windows Server is configured in the product's local
console.

Below are the steps:

The Anti-Cryptor task detects encryption attempts coming from remote hosts and adds the offending
hosts to the list of untrusted hosts; the Untrusted Hosts Blocking task then blocks those hosts' access to
the server.

To protect shared network resources from encryption, both tasks must be running.

To run the tasks:

1. Open the Kaspersky Security console.


2. Go to Server Control -> Untrusted Hosts Blocking.
3. Click Start.

4. Go to Server Control -> Anti-Cryptor.


5. Click Start.

The Anti-Cryptor task does not itself block access for remote computers. It only detects encryption attempts and classifies them as safe or malicious. The computers that are the source of malicious activity are shown in the task statistics and added to the list of untrusted computers.

The list of untrusted computers is the link between the Anti-Cryptor and Untrusted Hosts Blocking tasks: Untrusted Hosts Blocking blocks the remote computers that Anti-Cryptor has added to that list.

When malicious activity from a remote host is detected, Kaspersky Security blocks that host's access to shared network files for 30 minutes by default. The blocking period can be changed in the properties of the Untrusted Hosts Blocking task.

Anti-Cryptor does not block a remote host until its actions have been identified as malicious, and reaching that verdict takes time. The encryption malware can therefore damage some files on the share before the host is cut off, which is why this control complements, rather than replaces, patching and verified backups.

If the customer holds a KESB Advanced license, that license also covers Windows Server protection, so it can be used to protect Windows Server with Kaspersky Security 10 for Windows Server.

Note that the Anti-Cryptor task in Kaspersky Security 10 for Windows Server protects only the Windows Server on which it is installed. Network-attached storage (NAS) is not protected from encryption by it.
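To make the before/after comparison and the hand-off to the untrusted-hosts list concrete, here is an added illustration written for this page; it is not Kaspersky code, and the product's real heuristics are not published. It models a share write as the pair (content before, content after), judges a rewrite as encryption-like when almost none of the old bytes survive and the new content has near-maximal byte entropy, and then records the writing host on a block list that expires after 30 minutes. The function names, thresholds, host names, paths and the sample document are all assumptions made for the example.

```powershell
# Added illustration, not Kaspersky code: a toy model of how an Anti-Cryptor style
# check and an untrusted-hosts list fit together. Function names, thresholds and the
# sample data below are this example's own assumptions.

function Get-ByteEntropy {
    param([byte[]]$Bytes)
    # Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for ciphertext
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-EncryptionLikeWrite {
    param([byte[]]$Before, [byte[]]$After)
    # Compare the file content before and after the write, as the text describes.
    # New files and deletions are not judged here; only rewrites of existing data.
    if ($Before.Length -eq 0 -or $After.Length -eq 0) { return $false }
    $n = [Math]::Min($Before.Length, $After.Length)
    $same = 0
    for ($i = 0; $i -lt $n; $i++) { if ($Before[$i] -eq $After[$i]) { $same++ } }
    $similarity   = $same / $n
    $afterEntropy = Get-ByteEntropy -Bytes $After
    $entropyJump  = $afterEntropy - (Get-ByteEntropy -Bytes $Before)
    # Illustrative thresholds: almost nothing preserved, the output looks random,
    # and the randomness appeared with this write rather than being there already.
    return ($similarity -lt 0.05 -and $afterEntropy -gt 7.0 -and $entropyJump -gt 1.5)
}

# host name -> time until which the host is denied access (30 minutes by default, as in the text)
$script:UntrustedHosts = @{}

function Register-ShareWrite {
    param([string]$RemoteHost, [string]$Path, [byte[]]$Before, [byte[]]$After,
          [int]$BlockMinutes = 30)
    if (Test-EncryptionLikeWrite -Before $Before -After $After) {
        $script:UntrustedHosts[$RemoteHost] = (Get-Date).AddMinutes($BlockMinutes)
        return "malicious: $RemoteHost rewrote $Path; blocked for $BlockMinutes min"
    }
    return "safe: $RemoteHost wrote $Path"
}

function Test-HostBlocked {
    param([string]$RemoteHost)
    $until = $script:UntrustedHosts[$RemoteHost]
    if ($null -eq $until) { return $false }
    if ((Get-Date) -ge $until) { $script:UntrustedHosts.Remove($RemoteHost); return $false }
    return $true
}

# --- Constructed sample traffic (not captured data) ---
$doc = [System.Text.Encoding]::ASCII.GetBytes(("Quarterly report: revenue grew in every region.`r`n" * 100))

# 1) A normal edit from WS-01: the user appends a line, so nearly every old byte survives.
$edited = [byte[]]($doc + [System.Text.Encoding]::ASCII.GetBytes("Approved by finance.`r`n"))
Register-ShareWrite -RemoteHost 'WS-01' -Path '\\FS1\finance\q1.doc' -Before $doc -After $edited

# 2) An infected WS-07 rewrites the same file with AES-CBC ciphertext.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.GenerateKey(); $aes.GenerateIV()
$cipher = $aes.CreateEncryptor().TransformFinalBlock($doc, 0, $doc.Length)
Register-ShareWrite -RemoteHost 'WS-07' -Path '\\FS1\finance\q1.doc' -Before $doc -After $cipher

# The file rewritten in step 2 was already ciphertext when the verdict arrived:
# that is the window between first encryption and blocking the text warns about.
Test-HostBlocked -RemoteHost 'WS-07'
Test-HostBlocked -RemoteHost 'WS-01'
```

Run it in Windows PowerShell 5.1 or PowerShell 7. The appended-line edit passes as safe because the similarity check finds the old content intact, while the AES rewrite trips all three conditions and lands WS-07 on the block list; WS-01 is never listed. The model also shows why exclusions matter in a real deployment: a backup or archiving process that rewrites files with compressed or encrypted output is indistinguishable from ransomware to this kind of check.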

FOR KASPERSKY SECURITY 10 FOR WINDOWS SERVER (KSWS) INSTALLED ON WINDOWS SERVER OPERATING SYSTEM WITH HYPER-V ROLE
According to the report by the Kaspersky Lab Global Research and Analysis Team (GReAT), WannaCry also targets desktop virtualization platforms (VMware Workstation and VirtualBox): its list of file types to encrypt includes .vmx, .vmdk and .vdi, so virtual machine images stored on a host are at risk.

Kaspersky Security 10 for Windows Server, with Anti-Cryptor and Untrusted Hosts Blocking, can be installed on Windows Server with the Hyper-V role, including Windows Hyper-V Server 2012, Windows Hyper-V Server 2012 R2 and Windows Hyper-V Server 2016.

FOR KASPERSKY SECURITY FOR VIRTUALIZATION LIGHT AGENT 4.0 PROTECTING WINDOWS BASED VIRTUAL DESKTOP
If the customer uses Kaspersky Security for Virtualization Light Agent 4.0, its Application Privilege Control and System Watcher modules can be configured to prevent ransomware.

The example that follows protects Microsoft Word documents with the .doc extension.

Configuring Application Privilege Control on KSV Light Agent 4.0 is very similar to configuring Application Privilege Control for Kaspersky Endpoint Security for Business, and applies on all supported hypervisors: VMware vSphere, Microsoft Hyper-V, Citrix Xen and Linux KVM.

FOR KASPERSKY INTERNET SECURITY 2017 (KIS) INSTALLED ON WINDOWS DESKTOP OPERATING SYSTEM

For home users protecting a PC or notebook with Kaspersky Internet Security 2017, Kaspersky Lab also has a solution against ransomware/cryptolocker attacks.

To reduce the risk of infection by cryptolockers while avoiding false positives when applications and games are installed, Kaspersky Lab specialists recommend configuring Kaspersky Internet Security 2017 as described in the following steps.

1. CREATE A PROTECTED FILE TYPES CATEGORY

1. Open Settings in Kaspersky Internet Security 2017 by clicking the gear icon in the lower-left corner of the main window.
2. In the Settings window, go to the Protection section and select Application Control in the right frame.
3. In the Application Control settings window, click Manage resources.
4. In the Manage resources window, on the Resources tab, select a folder for the new category.
5. Click Add and select Category.
6. Create a category named Protected file types and click Add.
7. Select the Protected file types category and create several subcategories in it (Documents, Photos, etc.).
8. Select the subcategory corresponding to the protected file type (for example, Documents for files with the *.doc extension), click Add and select a file or folder.
9. Specify the mask for the file type as *.<extension>.
10. Click the Add button.
11. Add the remaining file types the same way.
12. In the Manage resources window, click Save.

2. CREATE RULES FOR APPLICATIONS

Configure the access rules for the Protected file types category for applications in the High Restricted and Low Restricted groups:

1. Open Settings in Kaspersky Internet Security 2017 by clicking the gear icon in the lower-left corner of the main window.
2. In the Settings window, go to the General section and clear the Perform recommended actions automatically check box.
3. In the Settings window, go to the Protection section and select Application Control in the right frame.
4. In the Application Control settings window, click Manage applications.
5. In the Application management window, select Restrictions.
6. Right-click the Trusted group and select Details and rules.
7. In the Application rules window, go to the Files and system registry tab. Make sure the rule for the Protected file types resource allows Read, Write, Create and Delete.
8. Close the Application rules window.
9. Right-click the Low Restricted or High Restricted group and select Details and rules.
10. In the Application rules window, go to the Files and system registry tab. Make sure the Prompt for action rule is set for Read, Write, Create and Delete on the Protected file types resource.
11. Close the Application rules window.

3. ENABLE SYSTEM WATCHER

The System Watcher component in Kaspersky Internet Security 2017 collects data about the actions that applications perform on the computer and shares it with the other protection components. Make sure System Watcher is enabled and configured so that, when Kaspersky Internet Security 2017 detects the start of file-encrypting activity, it terminates the process and sends the file from which the process was started to Quarantine.

4. ADJUST THE FIREWALL SETTINGS

Firewall monitors all network connections on the computer, assigns each connection a status and filters network activity with packet and network rules according to that status. Use Firewall to block Internet access for applications in the Low Restricted, High Restricted and Untrusted groups. This stops file-encrypting malware that must fetch a per-victim encryption key from its command-and-control server before it can encrypt. Note that WannaCry itself does not depend on that: it generates its RSA key pair locally and protects the private key with a public key embedded in the malware, so it can encrypt files on a machine with no Internet access at all. Treat the firewall rule as defence in depth alongside System Watcher and Application Control, not as a guarantee.

WORDS OF PRECAUTION

WannaCry spreads through the vulnerable SMB service on the Windows platform, and the damage on an infected endpoint can be limited by configuring System Watcher and Application Privilege Control. Kaspersky Lab nevertheless recommends that all Kaspersky Endpoint Security and Kaspersky Internet Security users also enable the other protection modules, such as Automatic Exploit Prevention, Application Startup Control, Firewall, Web Control, Device Control and Mail Control, to maximize protection at the endpoint and server level.

Enabling the other protection modules also limits the propagation of new ransomware/cryptolocker variants that use other delivery methods, such as malicious URLs and infected e-mail attachments. Enabling Kaspersky Security Network is also highly recommended.

In conclusion, security is a continuous process that involves people as well as technology. Technology alone cannot defend against cyber attacks.

The overall security infrastructure needs to be configured as a whole: from the network perimeter, servers, storage and endpoints (desktop, notebook, mobile and virtual machine, which are protected by Kaspersky Lab technologies) down to the operating system level, such as the Windows platform. Properly configured Active Directory also helps to limit ransomware propagation. Educating users and enforcing a security policy across the whole organization further reduce the risk of future ransomware and other cyber attacks.

Although vulnerable, unpatched SMB is the root cause that lets WannaCry penetrate a company or organization network, the mitigation has to be chosen so that it minimizes the risk with the least business impact. Disabling SMB on the Windows platform has advantages and disadvantages for the infrastructure and business operations as a whole; the dialect that the Microsoft patch MS17-010 fixes and that WannaCry exploits is SMBv1, so disabling SMBv1 while leaving SMBv2/SMBv3 running is usually the least disruptive interim option where a host cannot be patched immediately. Installing the patch released by Microsoft, together with the other preventive measures described above, minimizes the risk of future attacks.

For companies and organizations that have purchased a Kaspersky Endpoint Security for Business Advanced license, the Vulnerability & Patch Management and Software Updates features of Kaspersky Security Center can be used as a Windows Server Update Services (WSUS) server, automating the download and installation of patches for vulnerable software on the endpoints.
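Before choosing between patching and disabling, it helps to inventory each host's actual state. The following is an added example written for this page, not part of the report or of any Kaspersky product. It assumes an elevated Windows PowerShell session on Windows 8 / Server 2012 or later (the Smb* and Get-NetTCPConnection cmdlets do not exist on Windows 7 / 2008 R2), and the KB list is the MS17-010 set as published in March 2017; later cumulative updates supersede those KBs, so an empty match on a current build is not proof of exposure and must be confirmed against the Microsoft bulletin for that build. The function names are this example's own.

```powershell
# Added example, not from the report: inventory a host's MS17-010 / SMBv1 state and,
# where patching has to wait, turn off only the SMBv1 dialect. Assumes an elevated
# session on Windows 8 / Server 2012 or later. Verify the KB list against the
# MS17-010 bulletin for your build; later cumulative updates replace these KBs.

function Get-Ms17010Status {
    param(
        [string[]]$Ms17010Kbs = @(
            'KB4012598',                           # XP / Vista / 8 / Server 2003 / 2008
            'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
            'KB4012214', 'KB4012217',              # Server 2012
            'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
            'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
        )
    )
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbsFound   = @($installed)
        Smb1ServerEnabled = $smb.EnableSMB1Protocol
        Smb2ServerEnabled = $smb.EnableSMB2Protocol
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # The exploit WannaCry uses abuses the SMBv1 dialect only; turning SMBv1 off leaves
    # SMBv2/3 shares working, which is the low-impact option the text asks for. Old NAS
    # devices, printers and XP/2003 clients that speak only SMBv1 lose access: check first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On 8.1 / 2012 R2 / 10 / 2016 also remove the optional feature so the driver is not loaded.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Get-Ms17010Status | Format-List
```

Run Get-Ms17010Status on a representative sample of servers and workstations first; a host that shows Smb1ServerEnabled as True, no matching KB and port 445 listening is the one to patch or isolate today. Only call Disable-Smb1 after confirming that no SMBv1-only client depends on that host, since the change takes effect immediately and the optional-feature removal needs a reboot to complete.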
