#WCry Wannacry Security Recommendations

Outbreak Date: 13 May 2017 – (Ransomware) WannaCry

I know its bit old, and (almost?) quiet (perhaps, evolving) after the “kill switch” was triggered up. But here are my compiled Security Recommendations from various Firewall Vendors on mitigating the risks and protecting your network from the threats brought about by this ransomware known as WannaCry.  Yesterday, another ransomware malware circulated in Eastern Europe, called “Petya”, and has similarities with WannaCry.

Below are the Security Recommendations published by Fortinet, Cisco Meraki, Sonicwall and Microsoft Windows.

Fortigate – enable IPS/AV/UTM Features, Update IPS Signatures, apply to policies as necessary. Isolate TCP 445, 139 and UDP 135, 139 from external access

http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware

Fortigate – Update IPS Signatures and Block Outbound TOR (and apply IPS on the inbound policy as necessary)

http://blog.fortinet.com/2017/05/15/wannacry-ransomware

Meraki – Ruleset databases are automatically updated. However, make sure Meraki MX’s IPS/IDS are enabled and has Ruleset set to Balanced or Security. Isolate TCP 445, 139 and UDP 135, 139 from external access.

https://meraki.cisco.com/blog/2017/05/protecting-our-customers/

Sonicwall – Make sure the client has an active subscription/licesnse for Gateway Security service to receive real-time protection and update. This service includes IPS and Botnet Filtering among other security suites that comes with it.As long as it is enabled, it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering). The Content Filtering Service also block communication with malicious URLs and domains. Isolate TCP 445, 139 and UDP 135, 139 from external access

Recommended for best practice: deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted.

Check if it has the latest IPS and AV Signatures:

WannaCrypt Signatures

https://blog.sonicwall.com/2017/05/sonicwall-protects-customers-latest-massive-wannacry-ransomware-attack/

Sonicwall – Block TOR under App Control

https://support.sonicwall.com/kb/sw12012

Windows – Emergency security patch for older Windows OS (WinXp, 2008)

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html

 

Information about TOR, Bitcoins and Deep Web –> http://searchsecurity.techtarget.com/feature/Tor-networks-Stop-employees-from-touring-the-deep-Web

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s