Check for WannaCry ransomware / WannaCrypt attacks

Updated: June 20, 2017

Overview

On May 12, 2017, a large cyber-attack using the WannaCry ransomware (also known as WannaCrypt, WanaCrypt0r 2.0, or Wanna Decryptor) was launched. Over 230,000 computers in 150 countries were infected, and ransom payments in the cryptocurrency bitcoin were demanded. The attack spreads by multiple methods, such as phishing emails or a computer worm that propagates between unpatched systems. See WannaCry ransomware attack on Wikipedia ((cc) 2017 Wikipedia, available at https://en.wikipedia.org/wiki/WannaCry_ransomware_attack, obtained on May 15, 2017).

Monitor your application ports with SolarWinds NetFlow Traffic Analyzer (NTA) to ensure your environment is safe from malicious infection.

Environment

  • Any OS / environment using the SMBv1 protocol

Detail

Consider the following actions to verify that your system has not been infected:

  1. Check your network for any SMBv1 activity. Consider disabling SMBv1 or deploying Security Update for Microsoft Windows SMB Server (4013389) (© 2017 Microsoft, available at https://support.microsoft.com/en-sg/help/4012598/title, obtained on May 15, 2017); the update package is available from the Microsoft Update Catalog at http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 (obtained on May 15, 2017).
  2. Please note that we have recently seen issues with SolarWinds Orion core-based products after these Windows updates have been applied. See this article for more details.
  3. Watch for any increase in file renames.

Microsoft provided patches even for older operating systems such as Windows XP and Server 2003. See the MS17-010 KB by Microsoft and the catalog of patched operating systems (© 2017 Microsoft, available at https://support.microsoft.com/en-sg/help/4012598/title, obtained on May 15, 2017).

1. Troubleshoot with SolarWinds NetFlow Traffic Analyzer (NTA)

Use NTA to monitor the traffic passing through suspicious ports, such as the NetBIOS ports and port 445 (Microsoft-DS, SMB over TCP).

  1. Log in to the Orion Web Console, and click My Dashboards > NetFlow > NTA Summary.
  2. In Top 10 Applications, monitor the traffic passing through the following ports:
  • 445 (Microsoft-DS, SMB over TCP)
  • 137 (NetBIOS name service)
  • 139 (NetBIOS session service)

If there is high traffic, audit the end hosts for activity within your organization.

See Top 10 Applications on our demo: http://oriondemo.solarwinds.com/Orio...mmaryView.aspx
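The same check can be run outside the console against an exported flow record set. The following is an added example written for this article, not SolarWinds code: it assumes a generic NetFlow-style CSV export (the field names and the sample records are constructed) and does two things the text asks for: it totals flows and bytes on ports 445, 137 and 139 the way Top 10 Applications does, and it flags any source that opened SMB/NetBIOS sessions to more distinct hosts than a constructed baseline threshold, which is the fan-out shape worm propagation produces and a normal file-share client does not.

```python
import csv
import io
from collections import defaultdict

# Ports the article tells you to watch in NTA: SMB over TCP (445),
# NetBIOS name service (137) and NetBIOS session service (139).
WATCHED_PORTS = {445: "microsoft-ds", 137: "netbios-ns", 139: "netbios-ssn"}

# Constructed sample flow export. The column layout is an assumption
# modelled on a generic NetFlow v5 CSV export, not NTA's own schema.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,dst_port,proto,bytes
2017-05-12T10:00:01,10.0.1.20,10.0.2.5,445,tcp,5200
2017-05-12T10:00:02,10.0.1.20,10.0.2.6,445,tcp,5100
2017-05-12T10:00:02,10.0.1.20,10.0.2.7,445,tcp,5300
2017-05-12T10:00:03,10.0.1.20,10.0.2.8,445,tcp,5250
2017-05-12T10:00:03,10.0.1.20,10.0.2.9,445,tcp,5180
2017-05-12T10:00:04,10.0.1.20,10.0.2.10,445,tcp,5220
2017-05-12T10:00:04,10.0.1.20,10.0.2.11,139,tcp,1200
2017-05-12T10:00:05,10.0.1.31,10.0.2.5,445,tcp,84000
2017-05-12T10:00:06,10.0.1.31,10.0.2.5,445,tcp,91000
2017-05-12T10:00:07,10.0.1.42,10.0.2.50,443,tcp,3000
2017-05-12T10:00:08,10.0.1.42,10.0.2.5,137,udp,300
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed port and byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize_watched_ports(flows):
    """Flow count and byte total per watched port, like NTA's Top 10 Applications."""
    summary = {name: {"flows": 0, "bytes": 0} for name in WATCHED_PORTS.values()}
    for f in flows:
        name = WATCHED_PORTS.get(f["dst_port"])
        if name:
            summary[name]["flows"] += 1
            summary[name]["bytes"] += f["bytes"]
    return summary


def find_smb_fanout(flows, max_peers=5):
    """Sources that reached more than max_peers distinct hosts on SMB/NetBIOS ports.

    One workstation opening SMB sessions to many peers in a short window is
    the traffic shape a worm produces; a file-share client normally talks to
    a handful of servers. max_peers is a constructed threshold; set it from
    your own baseline before relying on it.
    """
    peers = defaultdict(set)
    for f in flows:
        if f["dst_port"] in WATCHED_PORTS:
            peers[f["src_ip"]].add(f["dst_ip"])
    return {src: len(p) for src, p in peers.items() if len(p) > max_peers}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, stats in summarize_watched_ports(flows).items():
        print(f"{name:13s} flows={stats['flows']:3d} bytes={stats['bytes']}")
    for src, n in find_smb_fanout(flows).items():
        print(f"audit {src}: SMB/NetBIOS sessions to {n} distinct hosts")
```

With the constructed records, 10.0.1.31 moves far more bytes on port 445 than anyone else but only to a single server, so it is not flagged; 10.0.1.20 moves little data but touches seven hosts, which is the source you would audit first. Byte volume alone (what the Top 10 view sorts by) would rank them the other way round, which is why the fan-out check is worth adding to the port totals.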

2. Configure SolarWinds Log & Event Manager (LEM) to detect change in file extension

WannaCry ransomware encrypts user data and renames the encrypted files with the .wncry extension.
Configuring SolarWinds Log & Event Manager (LEM) File Integrity Monitoring to notify you when files are modified or moved and when group ownership changes is vital to help protect your business information. All affected data is renamed with the .wncry file extension.
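To show what the File Integrity Monitoring rule is looking for, here is an added example (written for this article, not LEM's own rule syntax or event schema) that runs over constructed file-audit events in a simple one-line-per-event layout. It raises two kinds of alert: renames whose new name ends in .wncry, matched case-insensitively since the extension is seen in both cases, and, because extensions change between ransomware families, a generic burst alert when one account renames more files inside a short window than a constructed threshold allows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an illustrative "ts EVENT user path [-> new_path]"
# layout. This is not LEM's FIM event format; the parser is an assumption.
SAMPLE_EVENTS = [
    r"2017-05-12T09:58:10 MODIFY corp\jsmith C:\Users\jsmith\Documents\budget.xlsx",
    r"2017-05-12T09:59:40 RENAME corp\jsmith C:\Users\jsmith\Documents\budget.xlsx -> C:\Users\jsmith\Documents\budget.xlsx.WNCRY",
    r"2017-05-12T09:59:41 RENAME corp\jsmith C:\Users\jsmith\Documents\plan.docx -> C:\Users\jsmith\Documents\plan.docx.wncry",
    r"2017-05-12T09:59:41 RENAME corp\jsmith C:\Users\jsmith\Pictures\cat.jpg -> C:\Users\jsmith\Pictures\cat.jpg.WNCRY",
    r"2017-05-12T09:59:42 RENAME corp\jsmith D:\Share\q2.pptx -> D:\Share\q2.pptx.WNCRY",
    r"2017-05-12T10:03:15 RENAME corp\alee C:\Users\alee\draft.txt -> C:\Users\alee\draft-final.txt",
    r"2017-05-12T10:05:00 CHOWN corp\alee D:\Share\q2.pptx",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<user>\S+) (?P<detail>.+)$")
RANSOM_EXT = ".wncry"  # extension named in the article; compared case-insensitively


def parse_event(line):
    """Turn one audit line into a dict; RENAME lines carry old and new paths."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    detail = ev.pop("detail")
    if ev["event"] == "RENAME":
        ev["path"], ev["new_path"] = detail.split(" -> ", 1)
    else:
        ev["path"], ev["new_path"] = detail, None
    return ev


def ransom_renames(events):
    """Rename events whose new name carries the WannaCry extension."""
    return [e for e in events
            if e["event"] == "RENAME" and e["new_path"].lower().endswith(RANSOM_EXT)]


def rename_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Users who renamed more than `threshold` files inside any `window`.

    This is the extension-independent signal the article describes (watch for
    an increase in file renames). A sliding window over each user's rename
    timestamps finds the densest burst; window and threshold are constructed
    values to be tuned against normal activity in your environment.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "RENAME":
            by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    for e in ransom_renames(events):
        print(f"{e['ts']:%H:%M:%S} {e['user']} encrypted-rename {e['new_path']}")
    for user, n in rename_bursts(events).items():
        print(f"{user}: {n} renames inside one window, investigate host")
```

The burst detector fires on the same account as the extension match here, but it also covers the case the extension rule misses: a variant using a different suffix, or a user-driven script renaming a whole share. The CHOWN line is parsed but ignored by both checks; it is there only to show the parser handles non-rename events.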

3. Report a list of machines in your organisation that are vulnerable (missing Microsoft security patch MS17-010) with SolarWinds Patch Manager

  1. Perform a gap assessment by using SolarWinds Patch Manager to generate a WannaCrypt report on your organisation's Windows infrastructure and end-user machines. Check which machines are patched with the Microsoft security patch (MS17-010) and list the machines that are not patched. These are the vulnerable machines that need the highest patching priority.

4. Deploy the Microsoft security patch MS17-010 in your organisation with SolarWinds Patch Manager

  1. Once you have generated a list of unpatched and vulnerable machines, the next step is to deploy the security patch in your organisation with SolarWinds Patch Manager.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
