Ransomware Attack Affecting Windows Systems

Date Published: May 12, 2017

• Ransomware
• Alert
• Vulnerability
• Windows

This is an alert of a ransomware attack affecting Windows systems that blocks access to files, both on local hard disk drives and on network shares reachable from the infected computer. The campaign spreads by exploiting the SMBv1 vulnerability described in Microsoft Security Bulletin MS17-010 with the EternalBlue exploit and the DoublePulsar backdoor, which lets it infect any other Windows system on the same network that has not been updated. The infection of a single computer can therefore compromise an entire corporate network.

The ransomware, a variant of WannaCry, encrypts the files on the machine it infects and then uses the vulnerability mentioned above, which allows remote code execution through the Windows SMB (SMBv1) service, to spread to other Windows machines on the same network.

The affected systems which require a security update (the MS17-010 update) are:

• Microsoft Windows Vista SP2
• Windows Server 2008 SP2 and Windows Server 2008 R2 SP1
• Windows 7
• Windows 8.1
• Windows RT 8.1
• Windows Server 2012 and Windows Server 2012 R2
• Windows 10
• Windows Server 2016

Prevention and mitigation measures

The TT-CSIRT recommends the following:

• Update systems to the latest version or apply the patch released by the manufacturer (for MS17-010, the March 2017 security update or any later monthly rollup / cumulative update that contains it).
• For systems without support or for which no patch is available, isolate them from the network or turn them off, as appropriate. Microsoft has also released an out-of-band update (KB4012598) for Windows XP, Windows 8 and Windows Server 2003; apply it where those systems cannot be retired.
• Block traffic to UDP ports 137 and 138 and TCP ports 139 and 445 at the organisation's network perimeter and between internal segments, so that an infected host cannot reach SMB on other machines; disabling SMBv1 on hosts that do not need it removes the vulnerable service altogether.
• Identify which systems on your network are still vulnerable to the Windows flaw (missing the MS17-010 update or exposing SMBv1), and isolate, update and/or shut them down accordingly.
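The checks and mitigations listed above, as an added example that is not part of the original TT-CSIRT alert: a PowerShell script to run on a single Windows host that reports whether one of the MS17-010 updates is present and whether SMBv1 is enabled, and, when run with -Mitigate, disables SMBv1 and blocks inbound SMB/NetBIOS ports in Windows Firewall. The KB numbers are the March 2017 MS17-010 update identifiers from the Microsoft bulletin; a later monthly rollup or cumulative update supersedes them without listing them, so a missing KB is a prompt to investigate rather than proof of vulnerability. The function names and the -Mitigate switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not TT-CSIRT code): check and mitigate MS17-010 exposure on one host.
# Run:  .\Check-MS17010.ps1            -> report only
#       .\Check-MS17010.ps1 -Mitigate  -> also disable SMBv1 and block SMB ports
param([switch]$Mitigate)

# KB identifiers of the March 2017 MS17-010 updates. Assumption: later rollups
# supersede these and are not listed by Get-HotFix, so a miss is not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',                            # Vista, Server 2008; out-of-band XP, 8, Server 2003
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2 / RT 8.1
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Patch {
    # Returns the matching KB IDs, or $null if none of the March 2017 updates is listed.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { return $installed.HotFixID }
    return $null
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 is on unless this registry value is 0 (KB2696547).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        # A reboot is required for the LanmanServer change to take effect on these versions.
    }
}

function Block-SmbPorts {
    # Block inbound NetBIOS/SMB at the host firewall; the same rule belongs on perimeter
    # and inter-segment firewalls. New-NetFirewallRule exists on Windows 8 / Server 2012
    # and later; older hosts fall back to netsh advfirewall.
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        netsh advfirewall firewall add rule name="Block SMB TCP (MS17-010)" dir=in action=block protocol=TCP localport=139,445
        netsh advfirewall firewall add rule name="Block NetBIOS UDP (MS17-010)" dir=in action=block protocol=UDP localport=137,138
        return
    }
    New-NetFirewallRule -DisplayName 'Block SMB TCP (MS17-010)'     -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block NetBIOS UDP (MS17-010)' -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
}

$patch = Test-Ms17010Patch
$smb1  = Get-Smb1State
$found = if ($patch) { $patch -join ',' } else { 'none' }
Write-Host ("Host {0}: MS17-010 KB found: {1}; SMBv1 enabled: {2}" -f $env:COMPUTERNAME, $found, $smb1)

if ($Mitigate) {
    if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled.' }
    Block-SmbPorts
    Write-Host 'Inbound SMB/NetBIOS ports blocked.'
}
```

Run it on each host through your management tooling and treat "KB found: none" together with "SMBv1 enabled: True" as the highest-priority combination. For hosts you cannot log on to, an unauthenticated network check such as Nmap's smb-vuln-ms17-010 script gives the same answer from the outside; blocking port 445 between segments also stops the check itself, so scan before applying the firewall rules or from inside each segment.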

The TT-CSIRT has a Mitigation Guide against ransomware, which includes general guidelines and recommendations and details the steps of the disinfection process and the main file-recovery tools for this type of attack.

As stated in the threat report on ransomware, paying the ransom demanded for the affected equipment does not guarantee that the attackers will send the decryption utility and/or key; it only rewards their campaign and motivates them to continue distributing this type of malicious code on a massive scale.

If your system has been affected and you did not have backups, keep the files that were encrypted by the ransomware (for example, by copying them to offline media) before disinfecting the machine, since a tool may appear in the future that allows the affected documents to be decrypted.

TT-CSIRT (05/12/2017)