Active ransomware campaign - install Windows updates immediately

Cases of the WanaCrypt0r ransomware have also been detected in Finland. The ransomware spreads very aggressively in the internal network of an organisation if the security patches for the vulnerabilities exploited by the ransomware have not been installed. To protect against this ransomware epidemic, Microsoft has released important security updates for older system versions, including Windows XP.

The WanaCrypt0r ransomware campaign, which started on 12 May, has reached Finland as well. The ransomware is apparently delivered as email attachments. Once the first workstation is infected, the ransomware spreads aggressively in the local network through the SMB vulnerability which Microsoft patched in March. It is important that organisations install updates during the weekend to prevent the ransomware from spreading via emails.

The ransomware may be detected by looking for unusual SMB traffic on TCP port 445 within and from the local network. At the moment, there is no detailed information on the emails used to spread the ransomware. Please report any emails found to contain the WanaCrypt0r ransomware to the NCSC-FI.
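One way to apply the detection hint above, as an added example (not NCSC-FI's code): flag local hosts that open TCP 445 connections to many distinct local peers, or to any address outside the local network. The flow-record format, the RFC 1918 definition of "local network" and the fan-out threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges stand in for "the local network".
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 5  # assumed: distinct SMB peers per source before alerting

# Constructed sample flow records: "time src dst dst_port proto"
SAMPLE_FLOWS = """\
2017-05-13T10:00:01 10.0.0.15 10.0.0.1 445 tcp
2017-05-13T10:00:01 10.0.0.15 10.0.0.2 445 tcp
2017-05-13T10:00:02 10.0.0.15 10.0.0.3 445 tcp
2017-05-13T10:00:02 10.0.0.15 10.0.0.4 445 tcp
2017-05-13T10:00:03 10.0.0.15 10.0.0.5 445 tcp
2017-05-13T10:00:03 10.0.0.15 10.0.0.6 445 tcp
2017-05-13T10:00:04 10.0.0.15 198.51.100.7 445 tcp
2017-05-13T10:01:00 10.0.0.30 10.0.0.5 445 tcp
2017-05-13T10:02:00 10.0.0.30 10.0.0.5 445 tcp
2017-05-13T10:03:00 10.0.0.31 10.0.0.5 443 tcp
truncated-record 10.0.0.32
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in LOCAL_NETS)

def find_unusual_smb(flow_text, threshold=FANOUT_THRESHOLD):
    """Return (fanout, outbound) for TCP 445 flows from local sources.

    fanout:   {src: peer_count} where src reached >= threshold local peers
    outbound: {src: [dst, ...]} where src reached non-local addresses
    """
    peers, outbound = defaultdict(set), defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        _, src, dst, port, proto = fields
        try:
            if proto != "tcp" or port != "445" or not is_local(src):
                continue
            (peers if is_local(dst) else outbound)[src].add(dst)
        except ValueError:
            continue  # unparseable IP address
    fanout = {s: len(d) for s, d in peers.items() if len(d) >= threshold}
    return fanout, {s: sorted(d) for s, d in outbound.items()}

if __name__ == "__main__":
    print(find_unusual_smb(SAMPLE_FLOWS))
```

A workstation that talks to one file server on port 445 stays below the threshold; tune the threshold to the number of SMB servers a client normally uses in your network.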

Update on 15 May 2017

At the moment, there is no evidence of the malware spreading through a vulnerability in Microsoft Office or malicious emails.

Target group of the alert

  • Administrators of Microsoft Windows workstations and servers

Possible solutions and restrictive measures

  • Install all available security patches for all Microsoft Windows workstations and servers as soon as possible, including the updates released on Tuesday, 9 May 2017. It seems that the ransomware does not activate and cannot spread in the internal network of an organisation if all updates have been appropriately installed.
    Microsoft has also released updates for the SMB vulnerability patched in March for unsupported versions of Windows, including Windows XP. We recommend installing this update immediately.
  • Reliable and tested backups are an effective way to recover from ransomware.

Update on 16 May at 15:00:

If it is not possible to update, you can disable SMB v1 on the vulnerable computer.

We recommend that you block traffic on port 445 (SMB) at the organisation firewall. WanaCrypt0r spreads by exploiting a vulnerability in the SMB protocol.

Further information

  • WanaCrypt0r ransomware detected across Europe
  • https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Key words: Information security, Internet, Malware, Alerts

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248