IBM Support

IBM Security X-Force Exchange recommendations on the WannaCry Ransomware exploit

Technote (FAQ)


Question

What are the recommendations to help mitigate the WannaCry exploit?

Cause

On May 12th, 2017 at approximately 10:30 AM Eastern Time, the X-Force Threat Research team was made aware of a large-scale cyber attack taking place in Europe. A number of major companies have been affected, and the campaign has been identified as a version of WannaCry (WCry 2). Current research shows that this is ransomware distributed by a spreader that finds and infects vulnerable SMBv1 hosts using an SMB exploit (MS17-010).

Answer

Research is actively investigating this activity and currently recommends that clients ensure that they are patched for the MS17-010 vulnerability and that their anti-virus signatures are up to date.

IBM X-Force has raised the global threat level to AlertCon 3, and continues to research this threat and update the below collection as new information becomes available. Additional notifications will be sent as more information becomes available.

We suggest the following:

  1. Ensure that systems are patched (MS17-010) and that anti-virus signatures are up to date.
  2. Follow the updates on X-Force Exchange: https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729
  3. Refer to the X-Force Ransomware Response Guide to evaluate organizational readiness: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03095USEN

X-Force Recommendations:
  • Clients should ensure that they are patched for MS17-010.
  • Disable the outdated SMBv1 protocol.
  • Isolate unpatched systems from the larger network.
  • Clients who are impacted can call the X-Force Hotline for immediate help: USA +1 888 241 9812, Global +1 312 212 8034.
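The following PowerShell script is an added example, not code from the technote or from IBM, showing how an administrator could audit one Windows host against the three recommendations above (patch state, SMBv1, isolation) and optionally apply the two that can be done locally. It assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare, DISM and NetSecurity modules), an elevated session, and that $Ms17010Kbs is filled in by the operator with the KB numbers for the host's OS build from the MS17-010 bulletin; the KB list is a placeholder, as the page does not carry those numbers.

```powershell
# Added example (not IBM's code): audit and harden one Windows host against the
# MS17-010 / SMBv1 exposure described in the technote.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, elevated PowerShell session.
# $Ms17010Kbs is a placeholder: supply the KB ids for this OS build from the
# MS17-010 bulletin. Without -Remediate the script only reports.
param(
    [string[]]$Ms17010Kbs = @(),
    [switch]$Remediate
)

function Test-Ms17010Patch {
    param([string[]]$KbIds)
    if (-not $KbIds) {
        Write-Warning "No KB ids supplied; MS17-010 status cannot be confirmed."
        return $false
    }
    # Get-HotFix reports installed updates as e.g. "KB1234567".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $KbIds | Where-Object { $installed -contains $_ }
    return [bool]$found
}

function Get-Smb1Status {
    # Server-side SMBv1 state as reported by the SmbShare module.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn the server-side protocol off now ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the optional feature so it stays off (reboot to complete).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Add-Smb445BlockRule {
    # Isolation step: refuse inbound SMB from other hosts while unpatched.
    $name = 'Block inbound SMB (MS17-010 exposure)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patched = Test-Ms17010Patch -KbIds $Ms17010Kbs
$smb1On  = Get-Smb1Status
"MS17-010 patch present : $patched"
"SMBv1 enabled          : $smb1On"

if ($Remediate) {
    if ($smb1On)       { Disable-Smb1;        "SMBv1 disabled (reboot to complete)." }
    if (-not $patched) { Add-Smb445BlockRule; "Inbound TCP/445 blocked until patched." }
}
```

Run it once without -Remediate to get a report from each host, and only then with -Remediate on the hosts that need it; the firewall rule is a stopgap for isolation and should be removed once the MS17-010 update is confirmed installed, since blocking 445 also breaks legitimate file sharing to that host.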

Notes:
  • The X-Force Exchange collection linked above has a lot of information about this attack, recommendations for you, Snort rules, and the PAM signature SMB_EternalBlue_Implant_CnC.
  • The PAM signature SMB_EternalBlue_Implant_CnC was added in XPU 37.041. By default, this signature drops packets and blocks connections. Additionally, when SiteProtector is part of the environment, you will have to update the Database component to the latest XPU so you can see the new signature in the IPS policy configuration options.
  • The X-Force research team is continuously reviewing this activity and will publish more information as it becomes available.

Keep tracking the updates here:

https://exchange.xforce.ibmcloud.com/collection/WCry2-Ransomware-Outbreak-8b186bc4459380a5606c322ee20c7729

Cross reference information
Segment Product Component Platform Version Edition
Security IBM Security Network Protection Firmware 5.3, 5.3.1, 5.3.2, 5.3.3
Security IBM Security SiteProtector System Windows 3.0, 3.1.1

Document information

More support for: IBM X-Force Exchange

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 2003435

Modified date: 15 May 2017
