We have been offered advise from our Security partners Dell SecureWorks outlining that their Counter Threat Unit (CTU) researchers are continuing to investigate the widespread outbreak of WCry (also known as WannaCry/WanaCryptor) ransomware.
In the May 12, 2017 wave of attacks, WCry was delivered to victims` computers with an SMB worm component that attempted to spread to other computers on the network. This functionality leveraged the EternalBlue exploit leaked by The Shadow Brokers threat group in April 2017. The vulnerability was addressed as part of Microsoft Security Bulletin MS17-010, released on March 14, 2017.
As a result of the large amount of media attention and active attacks, Microsoft took the unusual step of releasing a security update for Windows XP, Windows Server 2003, and Windows 8. Windows XP and Windows Server 2003 are no longer supported operating systems and do not normally receive security updates after their end-of-life date. Microsoft also updated Windows Defender detections for WCry. Security updates can be downloaded at:
The network propagation of this worm underscores the importance of a robust vulnerability management plan. Organizations that had already applied this patch were not vulnerable to the SMB worm used to spread WCry. In environments where this patch cannot be applied, CTU researchers strongly recommend that clients consider disabling SMBv1 support. Further guidance on disabling SMBv1 can be found at the following URL:
Even organizations that have applied this patch or implemented other mitigations may want to disable SMBv1 if it not needed. As Microsoft noted, some of the observed WCry attacks used common phishing tactics and a malicious attachment sent to the victim. As one of the primary initial access vectors, CTU researchers also recommend that clients evaluate email security controls for potential improvements. Informing personnel on these and similar attacks can help them understand the importance of avoiding unsolicited email messages with attachments, malicious links and documents with malicious macros.