
RM advice following the WannaCry & Petya Ransomware outbreaks
Published Date : 14 May 2017   Last Updated : 14 Jun 2018   Content Ref: NWS5696059  




Please be informed that Microsoft ceased general servicing of Windows 10 v1511 on 10 October 2017.  Microsoft subsequently announced a supplemental servicing package for Education and Enterprise editions, until April 2018. If you have not already done so, we recommend you update to the latest available serviced edition of Windows 10 (CC4 customers can find this in the Downloads section of their MyAccount area on rm.com).

Keeping your network up to date with security updates and software patches is the key to stopping outbreaks of Ransomware. However, due to the constant and ever-changing nature of these threats, we highly recommend that you ensure your backups are current, verified and tested: in the event of an infection, a good backup of your systems will be needed to recover your network.


Background

Petya re-emergence (January 2018)
We are aware of a re-emergence of the exploits behind the Petya ransomware. Do ensure that your network is adequately patched as per this article and that your local WSUS (for example, if you have a CC4 network) is working correctly. The patches released in 2017 for the initial outbreak will still protect you against this re-emergence if they are installed.

Petya (27 June 2017 outbreak)
A new ransomware attack has been reported over the last day or so, which still exploits the SMBv1 vulnerability that the WannaCry outbreak used (more detail on this can be found towards the end of this article).

WannaCry (12 May 2017 outbreak)
As you will have seen from media reports, there was a significant global outbreak of Ransomware over the weekend of 12th May, causing severe outages - most notably in the NHS.

The initial outbreak has slowed down after the discovery of a kill switch. Whilst this halted the initial version of the Ransomware, it is expected that this will be circumvented quickly and a new strain of the Ransomware could be released at any time. For this reason, we recommend that you take urgent action to prevent infection.


Technical detail

Both of these Ransomware strains exploit a recently discovered vulnerability in the SMB protocol used by Microsoft® operating systems to access files across a network (shared drives, home folders etc.).

The vulnerability can be removed by applying the patch MS17-010 to all versions of Microsoft Server and client operating systems.

This patch has been tested and validated for Community Connect® 4 (CC4) networks by RM.


Action required for all CC4 servers

CC4, by default, has its Windows® updates automatically installed on your servers and computers after we perform the testing of them for you each month. If you have re-configured WSUS away from this default, you should confirm you have approved these updates.

Even with this automatic process, we still strongly recommend that you confirm MS17-010 has been installed on all of your servers. To check this:

  1. Log on to your CC4 First server as a Windows administrator user.
  2. Click Start, Run, type appwiz.cpl and press Enter. The 'Programs and Features' window opens.
  3. In the left-hand pane, click 'View installed updates'.
  4. Scroll down (or search) and verify that the appropriate update is shown as installed (as per the table below). If this is not present, then follow the 'Manually installing this update' section below.
  5. Repeat for all of your servers.

Note: The servers will need to be rebooted immediately once this update has been installed.

Operating system                         KB to check
Windows Server 2008                      KB4012598
Windows Server 2008R2 and Windows 7      KB4012212
Windows Server 2012                      KB4012214
Windows Server 2012R2 and Windows 8.1    KB4012213
Windows Server 2016                      KB4013429

Note: If you have been installing the monthly security and quality rollups for Windows Server 2008R2/2012/2012R2, then this fix is included in the March, April and May updates.

Additional steps you may need to follow

We also recommend that you check through the steps below as you may have servers that are waiting on a reboot (from previous Windows Updates) and thus will not be in a position to patch against this vulnerability.

  1. On the server, check in Windows Update to see if the server is pending a reboot. (Click Start and type Windows Update in the Control Panel window that is displayed, click 'Check for Updates'. If you see 'You'll need to restart your PC to finish installing previous updates' or the Windows Update button shows Restart Now, then reboot.)
  2. If it does need a reboot then do this first.
  3. Now open the RMMC (as a SystemAdmin user) and then expand Software, Windows Updates.
  4. Click your CC4 First server below this, then click the button Synchronise Now and wait for that to complete.
  5. When this has finished, open a CMD window and enter the command: wuauclt /updatenow
  6. Now check in Windows Update again and reboot if prompted to do so (follow step 1 again).
  7. Repeat steps 1-6 for all of your servers.
  8. Finally log on to the RMMC again and expand Tasks, Scheduled. Ensure that both the 'Show other user's tasks' and 'Include system tasks' boxes are ticked. Now right-click the task 'Install WSUS updates' and select Run Now. This will ensure that your computers are prompted to check in with WSUS. If this option is greyed out complete the steps below:
    1. Expand Windows Updates and select your CC4 First server again, click the Settings button.
    2. From the window that appears, ensure that the Scheduling tab is selected. Amend the Installation Schedule to start the task in the near future and click OK.
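
The manual checks above (is the MS17-010 KB installed, and is the server waiting on a reboot) can be scripted across several servers. The following is an added example, not RM's or Microsoft's own tooling; it uses only the KB numbers from the table in this article, and the `-ComputerName` default and the `-ExtraKB` parameter are assumptions of the example. A status of `NotListed-Investigate` means the security-only KB is not shown, which also happens when a later monthly rollup has replaced it.

```powershell
# Added example (not RM's or Microsoft's tooling). Run in Windows PowerShell with
# administrator rights on the target servers; it queries them over WMI.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # replace with your server names
    [string[]]$ExtraKB = @()  # hypothetical parameter: rollup KBs you have confirmed include the fix
)

# Security-only MS17-010 KBs from the table in this article, keyed on the
# major.minor part of Win32_OperatingSystem.Version.
$KbByVersion = @{
    '6.0'  = 'KB4012598'   # Windows Server 2008
    '6.1'  = 'KB4012212'   # Windows Server 2008R2 and Windows 7
    '6.2'  = 'KB4012214'   # Windows Server 2012
    '6.3'  = 'KB4012213'   # Windows Server 2012R2 and Windows 8.1
    '10.0' = 'KB4013429'   # Windows Server 2016; other 10.0 builds need their own KB
}
$HKLM = [uint32]2147483650  # HKEY_LOCAL_MACHINE, as StdRegProv expects it
$RebootKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

foreach ($computer in $ComputerName) {
    try {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $version = ($os.Version -split '\.')[0..1] -join '.'
        $wanted = @(@($KbByVersion[$version]) + $ExtraKB | Where-Object { $_ })
        $found = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object { $wanted -contains $_.HotFixID } |
            Select-Object -ExpandProperty HotFixID)

        # A reboot marker key exists when EnumKey returns 0.
        $reg = [wmiclass]"\\$computer\root\default:StdRegProv"
        $pending = @($RebootKeys | Where-Object { $reg.EnumKey($HKLM, $_).ReturnValue -eq 0 })

        [pscustomobject]@{
            Computer      = $computer
            OS            = $os.Caption
            ExpectedKB    = $wanted -join ','
            InstalledKB   = $found -join ','
            # Not listed is not proof of exposure: a later rollup may have replaced the KB.
            Status        = if ($found.Count) { 'Patched' } else { 'NotListed-Investigate' }
            RebootPending = [bool]$pending.Count
        }
    } catch {
        [pscustomobject]@{ Computer = $computer; OS = $null; ExpectedKB = $null
            InstalledKB = $null; Status = "Error: $($_.Exception.Message)"; RebootPending = $null }
    }
}
```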

Manually installing this update

Using the link for MS17-010, use the Microsoft Update Catalog to download the individual update for your server operating system and manually install this. You can also use this method if you wish to verify that your server is patched.

More information

Please see this blog entry, which also contains the links to Windows Server 2003 and Windows XP versions of this fix.


Action required for CC4 computers

Note: The June Windows 10 Microsoft cumulative security updates - KB4022715 for v1607 and KB4022714 for v1511 have been approved via RM WSUS (as will subsequent monthly security updates) - so these should supersede the packages below. You may need to follow steps 3 and 4 in the 'Additional steps you may need to follow' section above to force CC4 to check in and download the latest set of approvals. 

Windows 10 Builds 1511 and 1607 

We have released packaged versions of the update for both Windows 10 v1511 and v1607 computers and we strongly recommend you deploy the relevant package to all Windows 10 v1511 and v1607 computers. Details of these packages are below:

 Package  OS build version  DWN article  Status
Windows 10 Version 1511 Cumulative Update KB4019473 64-bit *  Windows 10 Build 1511  DWN5696045 Released 
Windows 10 v1607 Cumulative Update KB4015217 64-bit *  Windows 10 Build 1607  DWN5696074 Released 

* Both of these packages require an immediate reboot of computers. If no-one is logged on to the computers, they will reboot immediately once the package has completed its install. If a user is logged on to a computer, it will be rebooted as soon as they log off. Note: The package will install in the background and takes approximately 30 minutes to install. Once rebooted you will notice a delay of 10 minutes or so as the package completes its installation.

For more information, please refer to NWS5448877 in the Other Useful Articles section below.

Windows 10 Build 1507

If you have any Windows 10 computers at this older build version, then we recommend that you rebuild them to Windows 10 Build v1607 ASAP as they are a risk (Microsoft also effectively ended support for this version of Windows 10 on 9th May). If this is not possible, then you should:

  • Download the KB4012606 files from the Microsoft Update Catalog.
  • Follow the guidelines in TEC3809017 in the Other Useful Articles section below, to manually create a CC4 package from the downloaded MSU file.

All other supported versions of Windows
For CC4 computers, our automated patch deployment infrastructure should have installed the patches for you, but we strongly recommend you check (the KBs for Windows 7 and Windows 8.1 are listed in the table above).

We recommend spot checking computers at random to ensure they have updated correctly. The Microsoft article lists each of the KBs relevant to your operating systems.

Windows XP or Windows Server 2003
Windows XP and Windows Server 2003 are no longer supported by Microsoft or RM.

Microsoft has released an emergency patch for both, which you should deploy if you have no alternative to using these.


Action required for virtual host servers

For Hyper-V hosts, please refer to TEC5697304 (How to patch and reboot Hyper-V hosts with Windows updates) below.

For your vCenter servers, we recommend running Windows Update manually to ensure that the patches are applied (do remember to reboot immediately following this).


Action required for unmanaged computers
You may have a number of unmanaged computers, such as Cashless catering devices etc, that will need to be manually patched. You may need to contact the third party provider of these systems for advice prior to patching.

Action required for vanilla networks
You should check that MS17-010 is deployed to all Windows operating systems, as per Microsoft instructions in the link below:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

WSUS / Proxy Checks
If you have recently changed broadband provider or proxy server, then do check that WSUS on your CC4 First Server is using the correct proxy settings to go outbound. Details can be found in TEC5654499 below.

If you have been infected

Please refer to NWS5073225 in the Other Useful Articles section below for advice should you have been infected with any Ransomware.

Remember that, even with the patches above applied, other Ransomware can still spread if an end-user compromises your network. We have published some advice that you may wish to onward communicate here.


Petya Ransomware - more information

The Petya virus has been re-engineered using vulnerabilities from the Shadow Brokers' release of NSA backdoors. This virus has been around for some time (early 2016 saw a lot of infections from this virus), though no significant outbreaks appear to have occurred in UK Education establishments.

The Petya virus is ransomware that behaves differently to other, typical, ransomware: it does not encrypt files, but rather encrypts the master file table and master boot record of any hard disks attached to the system, essentially making the disk unavailable until the ransom has been paid.

The Petya virus can now spread in the same manner as the WannaCry virus, using an exploit to attack a vulnerability in SMBv1. This vulnerability is addressed in MS17-010 and has been given significant focus by RM to ensure that as many of our customers as possible are patched.

The virus will also attempt to spread using psexec (a remote command line tool) and WMIC (Windows Management Instrumentation Command). Not allowing users local administrator rights should assist with preventing these last two methods of attack. Accounts with administrative rights should always be used sparingly and only to achieve the desired function; administrators should then log back in with non-admin accounts for daily functions such as reading emails. WMIC could be disabled, though some features of Windows may become unavailable and this is not a good long or even medium term solution. In CC4 environments, not having local administrator rights also ensures that Software Restriction policies will run; these are designed to prevent unauthorised executables from running on the machine.

The email address that is being used by the attackers to communicate with victims regarding payment (wowsmith123456@posteo.net) has now been suspended, which means that if someone does pay the ransom they cannot receive the decrypting key. RM never recommends paying the ransom in ransomware infections.

General Advice:

What you should do to protect against both of these:

  • Have good working backups and ensure you have an offline backup - i.e. one that is not directly accessible by the Windows computer. Backup to the cloud or tape will mean that no virus can attack all your backups. Local backups, to staging servers, virtual environments to local or network attached disks are often targeted by ransomware viruses to maximise their chance of making profit, so ensure the 3 copies, 2 types of media and 1 off site rule is followed.
  • Ensure that MS17-010 fixes are deployed - this prevents WannaCry and Petya from spreading around a network, but it will not prevent an email attachment from encrypting the single machine it is run on.
  • Ensure Antivirus definitions are up-to-date - most major vendors such as Trend, Symantec, Sophos, AVG etc all have definition updates to catch and stop the virus. This will protect the user if they open the attachment.
  • Ask users to be vigilant - never open attachments that you are not expecting, even from trusted sources. Note: Ask your users to be vigilant on social media as well; tweets / Facebook updates and the like are increasingly used by viruses to spread as people become more suspicious of attachments.
  • Do not allow users to have local administrative rights - with modern operating systems this is simply no longer necessary and the vast majority of malware, ransomware and viruses can be blocked by the user simply not having administrative rights on the computer they are using.
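
To act on the local administrator advice here and in the Petya section above, it helps to see who actually holds those rights on each computer. The following is an added example, not RM's own tooling; the allow-list names and the English group name `Administrators` are assumptions to adjust for your network.

```powershell
# Added example (not RM's tooling): list members of the local Administrators group
# on each computer and flag any that are not on an allow-list.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # replace with your computer names
    # Assumed allow-list: accounts and groups you expect to hold local admin rights.
    [string[]]$Allowed = @('Administrator', 'Domain Admins')
)

foreach ($computer in $ComputerName) {
    try {
        # The WinNT provider works against older Windows versions as well as current ones.
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name.
            $name = ($path -split '/')[-1]
            [pscustomobject]@{
                Computer   = $computer
                Member     = $name
                ADsPath    = $path
                Unexpected = ($Allowed -notcontains $name)  # comparison is case-insensitive
            }
        }
    } catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}
```

Rows with `Unexpected` set to True are the accounts to review; day-to-day user accounts should not appear in the output at all.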


Other Useful Articles

Ransomware vulnerability (NWS5073225)
How to patch and reboot Hyper-V hosts with Windows Updates (TEC5697304)
RM advice on disabling SMBv1 on networks (TEC5705399)




Document Keywords: Ransomware, malware attack, virus,

