WannaCrypt Ransomware Customer Guidance

Presentation transcript:

WannaCrypt Ransomware Customer Guidance
Microsoft, 10/19/2017 2:27 PM
© Microsoft Corporation. All rights reserved.

Overview of WannaCrypt
A large ransomware campaign across the world. The attack uses a vulnerability fixed in the March 2017 security update (MS17-010, SMBv1).
Microsoft recommends:
- Confirm that the security update is installed on all systems.
- Ensure anti-malware products are up to date.
- Disable SMBv1 if the security update cannot be installed immediately.
Reference: Microsoft Security Response Center Blog, Customer Guidance for WannaCrypt Attacks, https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

What WannaCrypt does: infect, encrypt, spread
Infect: runs the attack if MS17-010 is not installed [ETERNALBLUE]; installs a Trojan if the attack is successful [DOUBLEPULSAR].
Encrypt: encrypts 179 file types; shows the message and demands payment in bitcoin.
Spread: scans the local LAN and the wider internet for port 445; attempts to infect hosts on which the port is open.

Affected Environment
All Windows versions; Office 365 and Azure.
We are continually monitoring and updating to protect against these kinds of threats, including Ransom:Win32/WannaCrypt. PaaS VMs are updated by Microsoft and include recent security patches: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-msrc-releases

Recommended Actions - Prevention (1): Keep systems up to date
- Ensure Microsoft Security Bulletin MS17-010, Security Update for Microsoft Windows SMB Server, is installed.
- Supported Windows versions: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016. Security update MS17-010 was published in March.
- Out-of-support products: Windows XP SP3, Windows 8, and Windows Server 2003 SP2.
- Download the security update from Windows Update.

Recommended Actions - Prevention
If one of these updates is installed on the system, the system is protected. The vulnerability was fixed in the March 2017 security update; the March, April and May rollups also include all previous updates, including the March security update.

OS                                                           | 2017 Mar (Security Only) | 2017 Mar (Monthly Quality) | 2017 Apr  | 2017 May  | Independent Update
Windows XP / Windows Server 2003 / Windows 8                 | NA                       | NA                         | NA        | NA        | KB4012598
Windows Vista / Windows Server 2008                          |                          |                            |           |           |
Windows 7 / Windows Server 2008 R2                           | KB4012212                | KB4012215                  | KB4015549 | KB4019264 |
Windows Server 2012                                          | KB4012214                | KB4012217                  | KB4015551 | KB4019216 |
Windows 8.1 / Windows Server 2012 R2                         | KB4012213                | KB4012216                  | KB4015550 | KB4019215 |
Windows 10 1507 / Windows 10 LTSB 2015                       | KB4012606                |                            | KB4015221 | KB4019474 |
Windows 10 1511                                              | KB4013198                |                            | KB4015219 | KB4019473 |
Windows 10 1607 / Windows 10 LTSB 2016 / Windows Server 2016 | KB4015438                |                            | KB4015217 | KB4019472 |

Windows 10 receives a single cumulative update per month, so its March entry covers both March columns.

Link to Windows Update (out-of-support products)
Download English-language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64.
Download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Recommended Actions - Prevention
How can I find out whether the security update is installed? Run the following command to check whether the necessary update has been installed.

Script:
    wmic qfe list | find "KBnumber"

Example (Windows 8.1 / Windows Server 2012 R2):
    wmic qfe list | find "KB4012213"
    wmic qfe list | find "KB4012216"
    wmic qfe list | find "KB4015550"
    wmic qfe list | find "KB4019215"

Output:
    http://support.microsoft.com/?kbid=4015550  TESTPC01  Security Update  KB4015550  NT AUTHORITY\SYSTEM  4/12/2017
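The check above has to be repeated once per KB number and per operating system. The following PowerShell script is an added example, not code from the Microsoft slides: it maps the local OS version to the KB list in the table on the previous slide and reports whether any qualifying update is present. It assumes it runs as an administrator and that Get-HotFix reads the same installed-update records that "wmic qfe list" does; the function and variable names are the example's own.

```powershell
# Added example, not part of the Microsoft slides: check for the MS17-010 fix using
# the KB numbers from the slide's table instead of running "wmic qfe list | find"
# once per KB by hand. Assumptions: run as administrator; Get-HotFix and
# "wmic qfe list" read the same installed-update records.

# KB numbers that contain the March 2017 SMB fix, keyed by OS (from the slide).
$Ms17010Kbs = @{
    'XP/2003/8' = @('KB4012598')                                        # out-of-support products
    '6.1'       = @('KB4012212', 'KB4012215', 'KB4015549', 'KB4019264') # Windows 7 / Server 2008 R2
    '6.2'       = @('KB4012214', 'KB4012217', 'KB4015551', 'KB4019216') # Windows Server 2012
    '6.3'       = @('KB4012213', 'KB4012216', 'KB4015550', 'KB4019215') # Windows 8.1 / Server 2012 R2
    '10240'     = @('KB4012606', 'KB4015221', 'KB4019474')              # Windows 10 1507 / LTSB 2015
    '10586'     = @('KB4013198', 'KB4015219', 'KB4019473')              # Windows 10 1511
    '14393'     = @('KB4015438', 'KB4015217', 'KB4019472')              # Windows 10 1607 / LTSB 2016 / Server 2016
}

# Pick the KB list that applies to the local OS. Windows 8 shares version 6.2
# with Server 2012, so ProductType (1 = workstation) tells them apart.
function Get-Ms17010KbList {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version          # e.g. 6.3.9600 or 10.0.14393
    $isWorkstation = ($os.ProductType -eq 1)
    if ($ver.Major -eq 5) { return $Ms17010Kbs['XP/2003/8'] }                               # XP / Server 2003
    if ($ver.Major -eq 6 -and $ver.Minor -eq 2 -and $isWorkstation) { return $Ms17010Kbs['XP/2003/8'] }  # Windows 8
    if ($ver.Major -eq 6)  { return $Ms17010Kbs["$($ver.Major).$($ver.Minor)"] }
    if ($ver.Major -eq 10) { return $Ms17010Kbs["$($ver.Build)"] }
    return $null
}

# Report whether any qualifying KB is present. Later cumulative updates and
# monthly rollups supersede the ones listed, so on a machine patched after
# May 2017 extend the table rather than treating an empty result as "unpatched".
function Test-Ms17010Installed {
    $expected = Get-Ms17010KbList
    if (-not $expected) {
        Write-Warning 'This OS is not in the KB table (for example Vista / Server 2008); check MS17-010 manually.'
        return $null
    }
    $found = @(Get-HotFix | Where-Object { $expected -contains $_.HotFixID } | ForEach-Object { $_.HotFixID })
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Expected  = ($expected -join ', ')
        Found     = ($found -join ', ')
        Protected = ($found.Count -gt 0)
    }
}

Test-Ms17010Installed | Format-List
```

Windows Vista and Server 2008 deliberately produce a warning rather than a verdict, because the table on the slide carries no KB number for them. The script uses Get-WmiObject and New-Object rather than newer cmdlets so it also runs under the PowerShell 2.0 that ships with the out-of-support systems.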

Recommended Actions - Prevention (2): Keep anti-malware signatures up to date
Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/WannaCrypt. In addition, the free Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/) is designed to detect this threat as well as many others.

Recommended Actions - Prevention (3): Implement mitigation (if the security update cannot be installed immediately)
Disable SMBv1
- Windows Vista and later: see Microsoft Knowledge Base Article 2696547.
- Windows 8.1 or Windows Server 2012 R2 and later:
  For client operating systems:
  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.
  For server operating systems:
  1. Open Server Manager, click the Manage menu, and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.

Recommended Actions - Prevention: Impact of mitigation
The SMBv1 protocol will be disabled on the target system. SMB1 is very old technology; some legacy systems that rely only on SMB1 will be impacted. See more at:
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
How to undo the workaround: retrace the workaround steps and select the SMB1.0/CIFS File Sharing Support check box to restore the SMB1.0/CIFS File Sharing Support feature to an active state.
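The mitigation on the previous slide and the undo step above are both described as Control Panel and Server Manager clicks. The following PowerShell script is an added example, not code from the Microsoft slides, that performs the same server-side SMBv1 change from the command line so it can be scripted across many machines and reversed the same way. It assumes it runs as an administrator, that Get-SmbServerConfiguration and Set-SmbServerConfiguration exist on Windows 8 / Server 2012 and later, and that on Windows Vista / 7 / Server 2008 (R2) the SMB1 registry value documented in KB2696547 is the equivalent switch; the function names are the example's own.

```powershell
# Added example, not part of the Microsoft slides: report, disable and re-enable
# server-side SMBv1 with PowerShell, matching the mitigation and undo steps the
# slides describe through Control Panel / Server Manager. Assumptions: run as
# administrator; Get/Set-SmbServerConfiguration exist on Windows 8 / Server 2012
# and later; on Windows Vista / 7 / Server 2008 (R2) the SMB1 registry value from
# KB2696547 is used instead and takes effect after a restart.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# $true when the SMB server still accepts the SMB1 dialect.
function Get-Smb1ServerState {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older OS: when the SMB1 value is absent, SMBv1 is enabled (the default).
    $item = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ($item.SMB1 -ne 0)
}

# Disable ($false) or restore ($true) SMB1 on the server side.
function Set-Smb1ServerState {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $Enabled -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value ([int]$Enabled)
        Write-Warning 'Registry change applied; restart the system for it to take effect.'
    }
}

# Optional: remove the SMB1 feature itself, which is what the slide's
# "SMB1.0/CIFS File Sharing Support" checkbox controls on 8.1 / 2012 R2 and later.
function Remove-Smb1Feature {
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        Remove-WindowsFeature -Name FS-SMB1                                         # Server 2012 R2 and later
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart # Windows 8.1 and later clients
    } else {
        Write-Warning 'Feature removal cmdlets are not available on this OS; use Set-Smb1ServerState instead.'
    }
}

# Mitigation: record the state, disable SMBv1, confirm the change.
"SMBv1 enabled before: $(Get-Smb1ServerState)"
Set-Smb1ServerState -Enabled $false
"SMBv1 enabled after:  $(Get-Smb1ServerState)"

# Undo, once MS17-010 is installed and a legacy system genuinely needs SMB1:
# Set-Smb1ServerState -Enabled $true
```

Set-Smb1ServerState is the quick, reversible switch the slide's workaround calls for; Remove-Smb1Feature is the heavier step of uninstalling the feature, which needs a restart on clients and should be reserved for systems where the legacy dependencies named above have been ruled out.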

Recommended Actions - If affected
1. Call Microsoft Support. Customers who believe they are affected can contact Customer Service and Support by using any method found at this location: https://support.microsoft.com/gp/contactus81?Audience=Commercial
2. Clean up your machine and recover the system. Please see the steps in the following articles:
   https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
   https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
3. Submit a new sample. If you believe you have detected a new threat, please retrieve a sample of the malware and send it to the Microsoft Malware Protection Team: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx

Timeline of related events
Aug. 2016: The Shadow Brokers emerge and auction NSA attack tools. They claim to have hacked the Equation Group, author of Stuxnet and Flame; the auction includes weaponizable code with 0-day exploits and Trojans.
Sep. 2016: Microsoft publishes a blog post encouraging users to stop using SMB1: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
Mar. 2017: Microsoft releases the MS17-010 security update to fix the SMB1 vulnerability.
Apr. 2017: The Shadow Brokers release a trove of NSA attack tools, including exploits against SMB (EternalBlue) and Trojan code (DoublePulsar). Microsoft releases an advisory that the Shadow Brokers release contains no new vulnerabilities.
May 2017: The WannaCrypt campaign begins. An unknown attacker combines the NSA attack code with a ransomware payload and demands a USD 300-600 ransom. Microsoft releases the customer guidance and the security update for out-of-support products (Windows XP, Windows 8 and Server 2003).

Resources
- Microsoft Guidance for WannaCrypt: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Microsoft Malware Protection Center, technical details about the ransomware worm: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
- MS17-010 Update Catalog: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

FAQs
Q. Is Windows XP Embedded affected?
A. XP Embedded has the vulnerability, and a security update is available.
Q. Is Windows Phone affected?
A. No. Windows Phone is not affected.
Q. Can we distribute the security update for out-of-support products using WSUS/SCCM?
A. Yes. You can manually download the security update and sync it with WSUS/SCCM. Please see more at: https://technet.microsoft.com/en-us/library/bb680473.aspx
Q. Is there a security update for Windows Server 2003 RTM or SP1?
A. We only offer security updates for the latest service pack. For Windows Server 2003, we only offer the update for Windows Server 2003 SP2.
