
Check for WannaCry ransomware / WannaCrypt attacks

Updated: June 20, 2017

Overview

On May 12, 2017, a large cyber-attack using the WannaCry ransomware (also known as WannaCrypt, WanaCrypt0r 2.0, or Wanna Decryptor) was launched. Over 230,000 computers in 150 countries were infected, and ransom payments in the cryptocurrency bitcoin were demanded. The attack spreads by multiple methods, such as phishing emails or a computer worm targeting unpatched systems. See WannaCry ransomware attack on Wikipedia ((cc) 2017 Wikipedia, available at https://en.wikipedia.org/wiki/WannaCry_ransomware_attack, obtained on May 15, 2017).

Monitor your application ports with SolarWinds NetFlow Traffic Analyzer (NTA) to ensure your environment is safe from malicious infection.

Environment

  • Any OS/environment using the SMBv1 protocol

Detail

Consider the following actions to verify that your system has not been infected:

  1. Check your network for any SMBv1 activity. Consider disabling SMBv1 or deploying the Security Update for Microsoft Windows SMB Server (4013389) (© 2017 Microsoft, available at https://support.microsoft.com/en-sg/help/4012598/title, obtained on May 15, 2017); the update can be downloaded from the Microsoft Update Catalog at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 (obtained on May 15, 2017).
  2. Please note that we have recently seen issues with SolarWinds Core-based products after these Windows updates have been applied. See this article for more details: 
  3. Watch out for any increase in file renames.

Microsoft provided patches even for older OSs, such as XP and 2003. See the MS17-010 KB by Microsoft and the catalog of patched OSs (© 2017 Microsoft, available at https://support.microsoft.com/en-sg/help/4012598/title, obtained on May 15, 2017).

1. Troubleshoot with SolarWinds NetFlow Traffic Analyzer (NTA)

Use NTA to monitor the traffic passing through suspicious ports, such as the NetBIOS ports and port 445 (Microsoft-DS).

  1. Log in to the Orion Web Console, and click My Dashboards > NetFlow > NTA Summary.
  2. In Top 10 Applications, monitor the traffic passing through the following ports:
  • 445
  • 137
  • 139

If there is high traffic, audit the end hosts for activity within your organization.

See Top 10 Applications on our demo: http://oriondemo.solarwinds.com/Orio...mmaryView.aspx


2. Configure SolarWinds Log & Event Manager (LEM) to detect change in file extension

WannaCry ransomware encrypts user data and renames each affected file with the .wncry extension.
Configuring SolarWinds Log & Event Manager (LEM) File Integrity Monitoring to notify you when files are modified, files are moved, or group ownership is changed is vital to protecting your business's information. All affected data is renamed with the .wncry file extension.
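The two indicators this article asks you to watch (sections 1 and 2) can be checked the same way outside the consoles: a host fanning out to many peers on ports 445/137/139, and a host renaming files to .wncry in a burst. The script below is an added illustration, not SolarWinds code; the flow records and file events in it are constructed sample data, and the thresholds are assumptions to tune for your environment.

```python
"""Constructed example: flag hosts that sweep many peers on SMB ports or
rename files to the .wncry extension. All records below are made up."""
from collections import defaultdict

SMB_PORTS = {445, 137, 139}  # Microsoft-DS and NetBIOS ports from the article

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 120000),
    ("10.0.0.5", "10.0.0.21", 445, 118000),
    ("10.0.0.5", "10.0.0.22", 445, 121000),
    ("10.0.0.5", "10.0.0.23", 139, 90000),
    ("10.0.0.9", "10.0.0.20", 445, 4000),    # one normal share access
    ("10.0.0.9", "10.0.0.30", 443, 50000),   # HTTPS, not SMB
]

# Constructed file-integrity events: (host, action, old_name, new_name)
FILE_EVENTS = [
    ("WS01", "rename", "report.docx", "report.docx.wncry"),
    ("WS01", "rename", "budget.xlsx", "budget.xlsx.wncry"),
    ("WS01", "rename", "photo.jpg", "photo.jpg.wncry"),
    ("WS02", "rename", "draft.txt", "final.txt"),  # benign rename
    ("WS02", "modify", "notes.txt", "notes.txt"),
]


def smb_fanout(flows, min_peers=3):
    """Return {src: distinct_peer_count} for sources reaching at least
    min_peers distinct hosts on SMB ports. One source touching many peers
    on 445/139 is the worm-like pattern worth auditing on the end host."""
    peers = defaultdict(set)
    for src, dst, port, _bytes in flows:
        if port in SMB_PORTS:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def wncry_renames(events, min_renames=2):
    """Return {host: count} for hosts with at least min_renames renames
    whose new name carries the .wncry extension."""
    counts = defaultdict(int)
    for host, action, _old, new in events:
        if action == "rename" and new.lower().endswith(".wncry"):
            counts[host] += 1
    return {h: c for h, c in counts.items() if c >= min_renames}


if __name__ == "__main__":
    print("SMB fan-out hosts:", smb_fanout(FLOWS))          # {'10.0.0.5': 4}
    print("Hosts renaming to .wncry:", wncry_renames(FILE_EVENTS))  # {'WS01': 3}
```

Hosts returned by either function are the ones to audit first and to prioritise for the MS17-010 patch described in the sections that follow.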

3. Report a list of machines vulnerable (missing the Microsoft security patch MS17-010) in your organisation with SolarWinds Patch Manager

  1. Perform a gap assessment by using SolarWinds Patch Manager to generate a WannaCrypt report on your organisation's Windows infrastructure and end-user machines. The report shows which machines have the Microsoft security patch (MS17-010) installed and which do not. The unpatched machines are the vulnerable ones and need the highest patching priority.

4. Deploy the Microsoft security patch MS17-010 in your organisation with SolarWinds Patch Manager

  1. Once you have generated a list of unpatched, vulnerable machines, the next step is to deploy the security patch in your organisation with SolarWinds Patch Manager.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
