Ransomware Explosion, Vulnerabilities Already Known
WannaCry has already claimed 200,000 victims in 150 countries by exploiting a Windows vulnerability present in all versions from XP to Windows 10. Preventive countermeasures are easy to implement: start by updating security patches and antivirus on workstations and servers.
Although Jaguar Network has not been affected by WannaCry, many variants (without a kill switch, …) already exist, and it seemed important to us to provide an update.
At Jaguar Network, various audits have been launched since April 27th on most clients, and we have been able to communicate about the most at-risk platforms. You will find below a summary of the information on the subject.
// The virus – WannaCrypt!
WannaCrypt encrypts data. In general, this type of virus does not spread quickly, but combined with the exploitation of an SMB (Server Message Block protocol) flaw patched in March, it spreads very fast.
Vector of contamination?
The initial infection mostly arrives by email. Once a machine is infected, the virus first tests a URL on the Internet, then tests the flaw on the operating systems it can reach.
If the site is not reachable, the virus begins to test the PCs on its network.
What is encrypted?
All accessible directories (My Documents, network drives, etc.)
Which OS are affected?
All OS versions up to and including 2012 R2 and Windows 8.1.
Microsoft made the decision to provide patches for Windows XP, Windows 8 and Windows 2003 Server.
You'll find them HERE.
Windows 2000 Server is also affected, but no patch will be provided. If you still have some in production, isolate them.
We do not provide any patch for Windows CE (it is provided by the device manufacturer).
Make sure the antivirus is up to date on all workstations and servers.
It is also possible to set up verification scripts to ensure that the security KBs have been installed (contact us via your extranet account).
Security KB lists to check on your servers:
# KB4012212 – Windows Server 2008
# KB4012217 KB4015551 KB4019216 – Windows Server 2012
# KB4012216 KB4015550 KB4019215 – Windows Server 2012 R2
# KB4013429 KB4019472 KB4015217 KB4015438 KB4016635 – Windows Server 2016
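One way to write such a verification script, as an added example (not Jaguar Network's or Microsoft's script). The function name Test-WannaCryptKb, the status labels and the sample KB0000001 value are assumptions; the KB table is the list above, and the script assumes Windows PowerShell.

```powershell
# KB lists exactly as given on this page. Order matters: "2012 R2" must be
# tested before "2012" because the match is a substring match on the OS name.
$KbTable = @(
    @{ Os = 'Windows Server 2012 R2'; Kbs = @('KB4012216','KB4015550','KB4019215') },
    @{ Os = 'Windows Server 2012';    Kbs = @('KB4012217','KB4015551','KB4019216') },
    @{ Os = 'Windows Server 2016';    Kbs = @('KB4013429','KB4019472','KB4015217','KB4015438','KB4016635') },
    @{ Os = 'Windows Server 2008';    Kbs = @('KB4012212') }
)

# Hypothetical helper: compares installed hotfix IDs with the page's list.
function Test-WannaCryptKb {
    param(
        [string]   $OsCaption,    # e.g. Win32_OperatingSystem.Caption
        [string[]] $InstalledKbs  # e.g. HotFixID values from Get-HotFix
    )
    foreach ($row in $KbTable) {
        if ($OsCaption -like "*$($row.Os)*") {
            $found = @($row.Kbs | Where-Object { $InstalledKbs -contains $_ })
            # None found is not proof of exposure: a later cumulative update
            # can replace these KBs, so flag the host for a manual check.
            $status = if ($found.Count -gt 0) { 'Patched' } else { 'CheckManually' }
            return New-Object PSObject -Property @{
                Os = $row.Os; Status = $status
                Found = ($found -join ','); Expected = ($row.Kbs -join ',')
            }
        }
    }
    New-Object PSObject -Property @{ Os = $OsCaption; Status = 'NotInList'; Found = ''; Expected = '' }
}

# Constructed sample input (not real inventory data), runs offline.
Test-WannaCryptKb -OsCaption 'Microsoft Windows Server 2012 R2 Standard' -InstalledKbs 'KB0000001','KB4015550'
Test-WannaCryptKb -OsCaption 'Microsoft Windows Server 2016 Datacenter' -InstalledKbs 'KB0000001'

# Live check on the local server.
$os  = (Get-WmiObject Win32_OperatingSystem).Caption
$kbs = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Test-WannaCryptKb -OsCaption $os -InstalledKbs $kbs
```

The first sample call reports Patched with KB4015550 found; the second reports CheckManually because none of the listed Windows Server 2016 KBs is present.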
// What are the additional measures to prevent spread?
File servers are the weak spots with this type of virus. If a user has read/write rights to a shared directory, the contamination of his or her workstation could result in the entire shared directory tree being encrypted.
> To prevent this while waiting for servers and workstations to be patched, one possible measure is to stop sharing on file servers. Consider a temporary stop of service rather than taking the risk of having all your files encrypted. This must remain an option to study.
> It is possible to disable SMB V1 by GPO, the flaw being specific to SMB V1. However, this protocol is still active on many devices (NAS, switches, etc.), which could make them inaccessible.
// All additional information on WannaCrypt
Customer Guidance for WannaCrypt attacks
WannaCrypt ransomware worm targets out-of-date systems