Excerpt from BankInfoSecurity. Copyright BankInfoSecurity, ALL RIGHTS RESERVED
NB: Ultimately you do not want to block the domain, as the malware uses it as a check for whether it was installed on a legitimate endpoint.
Computer emergency response teams and security experts say there are five essential WannaCry mitigations that all firms should now have in place:
- Install MS17-010: One way to fix the SMB flaw that WannaCry exploits to install itself is for organizations and individuals to install the MS17-010 fix issued by Microsoft in March. “It is critical that you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks,” security firm Malwarebytes warns in a technical analysis of the attacks.
- Install emergency Windows patch: In an unusual move, Microsoft has issued one-off security fixes for three operating systems that it no longer supports: Windows XP, Windows Server 2003 and Windows 8.
- Disable SMBv1: NCSC says that “if it is not possible to apply [either] patch, disable SMBv1,” and it refers to guidance from Microsoft for doing so.
- Block SMBv1: Alternately, or in addition, “block SMBv1 ports on network devices” – UDP 137, 138 and TCP 139, 445 – NCSC recommends.
- Shut down: As a last resort, if none of those options are available, it recommends literally pulling the plug. “If these steps are not possible, propagation can be prevented by shutting down vulnerable systems,” NCSC says.
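As an added example, not code from the article or from the CERTs it quotes, the first four mitigations above as a single elevated PowerShell audit-and-remediate script for one Windows host. The KB numbers are the commonly cited MS17-010 update IDs for Windows 7/8.1/2012/2012 R2 and the out-of-band XP/2003/8 fix, and the `-Remediate` switch is this example's own convention; both are assumptions to verify against the Microsoft bulletin for the OS build in question.

```powershell
# Added example: audit a host against the MS17-010 / SMBv1 mitigations above.
# Run from an elevated PowerShell. Without -Remediate it only reports.
param(
    [switch]$Remediate
)

# Assumed list of MS17-010 update IDs (security-only and monthly rollup for
# Win7/2008 R2, 8.1/2012 R2, 2012, plus the XP/2003/8 emergency fix).
# Verify against the MS17-010 bulletin for the exact OS before relying on it.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598')

# Steps 1 and 2: is any MS17-010 update (or the emergency patch) present?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    # Windows 10 ships the fix in a cumulative update that may not match the
    # list above; check the OS build in that case rather than trusting this.
    Write-Warning 'No MS17-010 update found: patch first, or isolate the host.'
}

# Step 3: SMBv1 server state (Get/Set-SmbServerConfiguration need Win8/2012+).
$smb = Get-SmbServerConfiguration
Write-Output "SMBv1 enabled on server side: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 disabled; reboot to be sure no session keeps it alive.'
}

# Step 4: host-firewall stop-gap for machines that cannot be patched yet,
# blocking the ports NCSC lists (UDP 137/138, TCP 139/445) inbound.
if ($Remediate) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS TCP (WannaCry)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 139, 445 | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS UDP (WannaCry)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort 137, 138 | Out-Null
    Write-Output 'Inbound block rules added for TCP 139/445 and UDP 137/138.'
}
```

Blocking 445 on the host will also break legitimate file sharing to that machine, so treat the firewall rules as the interim measure the article describes, not a replacement for the patch.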
Spain’s computer emergency response team has also developed and released scripts that can prevent WannaCry from executing on a system, according to Europol’s European Cybercrime Center.