Protecting Industrial Control Systems from WannaCry Ransomware
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is ransomware targeting the Microsoft Windows operating system. On Friday May 12, 2017 a widespread attack using this ransomware was launched, affecting IT organizations worldwide. The ransomware encrypts files, changing their extensions to .wnry, .wcry, .wncry and .wncrypt. The malware then presents a window to the user with a ransom demand.
Earlier this year, on March 14, 2017, Microsoft released Microsoft Security Bulletin MS17-010 to address the vulnerabilities exploited in these attacks (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0147). This update covered all currently supported Microsoft operating systems, including Windows 2008 Service Pack 2, Windows Service Pack 1 and Windows 2012 R2. Furthermore, on May 12, 2017 Microsoft released security updates for the Windows platforms under custom support, including Windows XP, Windows 8, and Windows Server 2003.
As repercussions of this cyberattack continue to play out across the globe, we’ve learnt that organizations that stayed on top of their routine patch tasks have fared better than those that let this slip, or that invested in other defensive security solutions believing they obviate the need for basic security hygiene. Staying current with patches is a first blocking-and-tackling defense for any IT organization. This was true a decade ago, when cyberattacks were far fewer, and it continues to be true in today’s hyper-active security landscape.
When a high-profile attack such as this unfolds, you want to be able to assess your exposure to risk as quickly as you can. Monitoring your environment for configuration changes and network changes is one way you can respond to panicky questions from your managers and let them know the extent of your organization’s risk.
Industrial Defender ASM is a configuration and event monitoring solution for ICS environments. Customers monitoring their environment with the ASM solution use the Policy application to check whether the Windows workstations and servers in their environment are patched or not patched for the WannaCry vulnerabilities.
Watch a quick demo on our policy management application.
For our Current Customers
The Leidos team has posted ASM Policies for our customers to check that their Windows 2008, 7, 2012 and 2012 R2 systems are appropriately patched and that the XP, 2003 and Vista patches released by Microsoft on May 14, 2017 have been applied.
Steps to Import ASM Policies
There are three ASM Policies on our Support Site, one each for a family of MS Operating Systems.
- Windows 7 and Windows 2008 R2 Versions
- Windows 2012 R2 and Windows 8.1 Versions
- Windows XP, Windows Server 2003 and Windows 8 Versions
These policies can be imported into any ASM 6.2.x or 6.3.x version. Once imported, they have to be associated with the appropriate Asset Groups and executed either in the UI or as a Policy vs Actual Report.
1) Import Policies into ASM: Import the Leidos-distributed policies, which are pre-loaded with the patch numbers that fix the SMB-based vulnerability.
Policies Imported from Files
2) Execute Policies: Associate the imported policies with existing or new asset groups and execute one or more policies in the Policy Group.
Assets Matched to WannaCry Policies
3) View Policy Status: View information on assets that meet the SMB vulnerability patch criteria and those that do not, along with asset OS configuration information.
Assets Matched to WannaCry Policies
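For readers without ASM, the following is an added example, not Industrial Defender or Leidos code, of the same per-OS-family MS17-010 patch check run locally on a Windows host. The KB identifiers in the mapping are taken from Microsoft's MS17-010 bulletin rather than from this post, so confirm them against the bulletin; Windows 10 is not in the table because the post does not cover it.

```powershell
# Added example (not Industrial Defender/Leidos code): does this host carry an MS17-010 fix?
# KB numbers below come from Microsoft's MS17-010 bulletin, not from the post; verify them there.
function Test-MS17010Patch {
    param(
        # Override the default mapping if your environment relies on different rollups.
        [hashtable]$KbByFamily = @{
            '5.1' = @('KB4012598')                          # Windows XP
            '5.2' = @('KB4012598')                          # Windows Server 2003
            '6.0' = @('KB4012598')                          # Windows Vista / Server 2008 SP2
            '6.1' = @('KB4012212', 'KB4012215')             # Windows 7 SP1 / Server 2008 R2
            '6.2' = @('KB4012598', 'KB4012214', 'KB4012217') # Windows 8 / Server 2012
            '6.3' = @('KB4012213', 'KB4012216')             # Windows 8.1 / Server 2012 R2
        }
    )
    # Get-WmiObject rather than Get-CimInstance so the check also runs on PowerShell 2.0 (XP/2003).
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $family  = ($os.Version -split '\.')[0..1] -join '.'   # e.g. "6.1.7601" -> "6.1"
    $needed  = $KbByFamily[$family]
    $present = @(Get-HotFix | Where-Object { $needed -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID)

    # srv.sys is the SMBv1 server driver that MS17-010 updates. Get-HotFix only lists the KB IDs
    # installed by name, so a host fixed by a later superseding rollup shows none of the IDs above;
    # the driver version lets an analyst confirm such hosts against the bulletin's file information.
    $srv        = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.ProductVersion } else { 'n/a' }

    $status = if (-not $needed)       { 'UnknownFamily' }
              elseif ($present.Count) { 'Patched' }
              else                    { 'NotFound-VerifyRollup' }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Family       = $family
        MatchedKB    = ($present -join ',')
        SrvSysVer    = $srvVersion
        Status       = $status
    }
}

Test-MS17010Patch | Format-List
```

Treat NotFound-VerifyRollup as "needs a look", not as confirmed unpatched, and compare SrvSysVer with the file versions listed in the bulletin before closing the finding.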