WannaCry Ransomware
Summary
Systems Affected: Microsoft Windows operating systems
CVE-2017-0144
Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598) operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.
Unaffected Quantum Products
The following Quantum products are known to be unaffected by the WannaCry vulnerability.
- DXi
- Scalar Key Manager
- Scalar Tape Libraries
- Scalar LTFS
- SuperLoader 3
- StorNext Q-series QD/QS/QSX
- Lattus (C5, A10, S10, S20, S30)
- LTO Drives
- StorNext Software
- StorNext Appliances
- Vision
- vmPRO
Vulnerable Quantum Products
Versions of the following Quantum products are known to be vulnerable to WannaCry.
- Xcellis Application Director
Xcellis Application Director is running Windows 2012R2. Customer is responsible for administration of Windows OS and any related Video Security Application installed. As such customer is responsible for updating Windows OS to latest patches and backing up the system.
Impact
Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
Solution
- Recommended Steps for Prevention
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network. No less than once a year, but ideally, as often as possible/practical.
- Test your backups to ensure they work correctly upon use.
References
- https://www.us-cert.gov/ncas/alerts/TA17-132A
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01E
Contact Information
In US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support