Outbreak Date: 13 May 2017 – (Ransomware) WannaCry
I know it's a bit old, and (almost?) quiet (perhaps evolving) after the “kill switch” was triggered. But here are my compiled security recommendations from various firewall vendors on mitigating the risks and protecting your network from the threats brought about by this ransomware known as WannaCry. Yesterday, another ransomware, called “Petya”, circulated in Eastern Europe; it has similarities with WannaCry.
Below are the Security Recommendations published by Fortinet, Cisco Meraki, Sonicwall and Microsoft Windows.
Fortigate – Enable the IPS/AV/UTM features, update the IPS signatures, and apply them to policies as necessary. Isolate TCP 445, 139 and UDP 135, 139 from external access (a deny rule on the WAN-to-internal policy, logged, so you can see who is still being probed).
Fortigate – Update IPS signatures and block outbound TOR (and apply IPS on the inbound policy as necessary).
Meraki – Ruleset databases are updated automatically. However, make sure the Meraki MX's IDS/IPS is enabled and that the ruleset is set to Balanced or Security. Isolate TCP 445, 139 and UDP 135, 139 from external access.
Sonicwall – Make sure the client has an active subscription/license for the Gateway Security service in order to receive real-time protection and updates. This service includes IPS and Botnet Filtering among the other security suites that come with it. As long as it is enabled, it blocks communication with the C&C servers from which WannaCry's payload is fetched (part of Botnet Filtering). The Content Filtering Service also blocks communication with malicious URLs and domains. Isolate TCP 445, 139 and UDP 135, 139 from external access.
Recommended best practice: deploy Deep Packet Inspection of SSL/TLS traffic (DPI-SSL), the vendor's rationale being that more than 50% of malware now arrives over encrypted connections that the IPS cannot otherwise see into.
Check that the appliance has the latest IPS and AV signatures before relying on either of the above.
Sonicwall – Block TOR under App Control.
Windows – Apply the MS17-010 SMB patch on every supported system (Windows Server 2008 included); Microsoft also released an emergency out-of-band patch for the out-of-support Windows XP and Server 2003. Where SMBv1 is not needed, disable it as well; the perimeter rules above do nothing against a machine that is already infected and scanning the LAN.
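As a practical check on the "isolate TCP 445, 139 and UDP 135, 139" rule that every vendor note above repeats, here is an added example of my own (not from any vendor's documentation): it parses nmap's grepable output from a scan run from outside the firewall against your public ranges and reports which hosts still answer on those ports. The scan output embedded in it is constructed for illustration, and the 203.0.113.0/29 addresses are documentation addresses, not real hosts.

```python
"""Perimeter check for the SMB/NetBIOS isolation rule above.

Scan your public ranges from OUTSIDE the firewall with nmap in "grepable" mode, e.g.
    nmap -sS -sU -Pn -p T:139,445,U:135,139 203.0.113.0/29 -oG smb_scan.gnmap
then feed the file to this script. Ports listed as "filtered" are what you want
(the firewall silently dropped the probe). "open" means the port is reachable and
listening; "closed" still means the probe got through the firewall (the host
answered with a RST / ICMP unreachable), so the deny rule is not covering that host.
UDP "open|filtered" is nmap's way of saying it got no answer, which a dropping
firewall also produces, so it is reported separately as unconfirmed.
"""
import re
import sys

# Ports every vendor note on this page says to isolate from external access.
BLOCKED_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 135), ("udp", 139)}

# One port entry in nmap -oG output looks like "445/open/tcp//microsoft-ds///".
_PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")

# Constructed sample output (not a real scan): host .1 is correctly firewalled,
# .2 exposes SMB, .3 is reachable through the firewall but not listening right now.
SAMPLE_GNMAP = """\
# Nmap 7.40 scan initiated as: nmap -sS -sU -Pn -p T:139,445,U:135,139 -oG - 203.0.113.0/29
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 135/filtered/udp//msrpc///, 139/filtered/udp//netbios-ssn///
Host: 203.0.113.2 ()\tStatus: Up
Host: 203.0.113.2 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 135/open|filtered/udp//msrpc///, 139/open|filtered/udp//netbios-ssn///
Host: 203.0.113.3 ()\tStatus: Up
Host: 203.0.113.3 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 135/closed/udp//msrpc///, 139/closed/udp//netbios-ssn///\tIgnored State: closed (0)
# Nmap done at Mon May 15 09:00:00 2017 -- 8 IP addresses (3 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {host: [(proto, port, state), ...]} from nmap -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        host = line.split()[1]
        # Fields in -oG are tab-separated; keep only the Ports: field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        results[host] = [
            (m.group(3), int(m.group(1)), m.group(2))
            for m in _PORT_RE.finditer(ports_field)
        ]
    return results


def classify(results):
    """Bucket each host's BLOCKED_PORTS by what the scan state implies.

    exposed     - "open": reachable and listening, the deny rule is missing
    reachable   - "closed": the probe got through the firewall, rule not applied
    unconfirmed - "open|filtered": no answer; verify with another technique
    "filtered" entries are not reported: that is the desired result.
    Hosts with nothing to report are omitted.
    """
    report = {}
    for host, entries in results.items():
        buckets = {"exposed": [], "reachable": [], "unconfirmed": []}
        for proto, port, state in entries:
            if (proto, port) not in BLOCKED_PORTS:
                continue
            label = f"{proto}/{port}"
            if state == "open":
                buckets["exposed"].append(label)
            elif state == "closed":
                buckets["reachable"].append(label)
            elif state == "open|filtered":
                buckets["unconfirmed"].append(label)
        if any(buckets.values()):
            report[host] = buckets
    return report


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    report = classify(parse_gnmap(text))
    if not report:
        print("OK: no host exposes TCP 139/445 or UDP 135/139 externally")
        return 0
    for host, buckets in sorted(report.items()):
        for kind, ports in buckets.items():
            if ports:
                print(f"{host}: {kind.upper()} {', '.join(ports)}")
    return 1  # non-zero so it can gate a change ticket or a scheduled job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample classified; run it with the path of a real `-oG` file after you have applied the vendor rules, and re-run it from a second vantage point if anything comes back "unconfirmed", since UDP probes that get no reply look identical whether the port is open or the firewall dropped them.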
Information about TOR, Bitcoins and Deep Web –> http://searchsecurity.techtarget.com/feature/Tor-networks-Stop-employees-from-touring-the-deep-Web