WanaCrypt-TrendMicro Success


Updates on the latest WCRY (WannaCry) Ransomware Attack and Trend Micro Protection

    • Updated: 16 May 2017
    • Product/Version: Deep Discovery Analyzer All.All
    • Platform: Windows 10
SUMMARY
Updated: May 16, 2017 @ 4:45AM GMT
 
Please note that this article is targeted towards enterprise administrators and business users. Additional Consumer- and Home/Home Office-specific information can be found here.
Trend Micro is aware of and has been closely monitoring the latest ransomware outbreak, commonly referred to as WCRY or WannaCry, which has affected several organizations around the world. Based on our initial analysis, this ransomware appears to take advantage of a recently disclosed Microsoft vulnerability (MS17-010, “EternalBlue”) associated with the Shadow Brokers tools release. Below is additional technical information on the known variants and components of this ransomware attack:
DETAILS

Trend Micro Products and Protection

First and foremost, since this attack appears to exploit a known Microsoft vulnerability, customers may want to consider disabling SMB v1 in their environments if possible, either via GPO or using the instructions provided by Microsoft. In addition, customers are strongly encouraged to ensure that all of the latest patches are applied to their operating systems, especially those related to MS17-010. For protection, Trend Micro recommends a layered security approach covering endpoint, email, server, gateway and network security, so that all potential entry and compromise points are protected. The following Trend Micro solutions already provide some level of protection against these new threats:
  • Updated Configuration and Next Generation Technology – Trend Micro customers using the latest versions of OfficeScan and Worry-Free Business Security should ensure that they have both Predictive Machine Learning (OfficeScan XG, Worry-Free Services) and all relevant Ransomware protection features enabled in their product. The following article contains information on optimal configurations to help protect against ransomware: https://success.trendmicro.com/solution/1112223
  • Smart Scan Agent Pattern and Official Pattern Release: Trend Micro has added known variant and component detections into the following patterns for all products that utilize these patterns:
    • Smart Scan Agent Pattern – 13.401.00
    • Official Pattern Release (conventional) – 13.401.00
     
    Please note that these patterns are the minimum recommended ones that contain protection for this threat; however, because new components and variants are still being discovered, it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection.
  • Trend Micro Web Reputation Services (WRS) has added coverage for known Command and Control (C&C) servers.
  • Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules have an updated layer of protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003). Specifically, Trend Micro released the following rules for proactive protection:
    • IPS Rules 1008224, 1008228, 1008225, 1008227 – Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
  • Trend Micro Deep Discovery Inspector customers with the latest rules also have an additional layer of protection against the vulnerabilities associated with the exploit. Specifically, Trend Micro has released the following official rule for proactive protection:
    • DDI Rule 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request)
  • Trend Micro TippingPoint customers with the following filters have updated protection:
    • Filters 5614, 27433, 27711, 27935, 27928 – Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
    • ThreatDV Filter 30623 – helps to mitigate outbound C2 communication
    • Policy Filter 11403 – provides additional protection against suspicious SMB fragmentation
  • Trend Micro Endpoint Application Control (EAC) also provides protection against this threat for administrators utilizing the product’s “Lockdown” mode, which allows only pre-specified applications to run.
  • Trend Micro Cloud Edge customers have protection with the following rules:
    • Rule 1133615: SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0145 Buffer Overflow (CVE-2017-0145)
    • Rule 1133635: SMB Microsoft MS17-010 SMB Remote Code Execution -1
    • Rule 1133636: SMB Microsoft MS17-010 SMB Remote Code Execution -2
    • Rule 1133637: SMB Microsoft MS17-010 SMB Remote Code Execution -3
    • Rule 1133638: SMB Microsoft MS17-010 SMB Remote Code Execution -4
  • Trend Micro Home Network Security customers with the latest rules also have protection:
    • Rule 1133635: SMB Microsoft MS17-010 SMB Remote Code Execution -1
    • Rule 1133636: SMB Microsoft MS17-010 SMB Remote Code Execution -2
Trend Micro always highly recommends that critical vendor patches be applied as soon as possible upon release. Customers and partners who need additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.

Additional Tools

Trend Micro also has some standalone tools available for assessing and addressing potential WCRY risk and infections on end-user machines. Please note these tools are provided as-is without warranties of any kind. They are meant to assist customers in emergency troubleshooting, and are not guaranteed to be error-free. Please click here for further terms and conditions on Trend Micro tools.
 
Please note these tools are provided as-is, without warranties of any kind. They are meant to assist customers in emergency troubleshooting, and are not guaranteed to be error-free. Please click here for further information about the terms and conditions on Trend Micro tools.
Customers who have any questions or issues using the tools provided below should contact Trend Micro technical support for additional assistance.
  • Trend Micro Anti-Threat Toolkit (ATTK): users having issues with their endpoint protection may try downloading ATTK to scan a potentially compromised machine for malware (including WCRY). There are both online and offline versions available. Please visit this article for additional instructions on how to use ATTK.
  • Trend Micro WCRY Simple Patch Validation Tool: this simple tool performs two functions – (1) it checks the local machine to see if Microsoft’s MS17-010 patch has been successfully applied; and (2) it offers to disable SMB v1 on the local machine via a registry key. It is designed as a quick tool for users who may not have other easy means to validate the system patch or disable SMB v1. (SHA-256: 6f8e6dd35155f68f0c20acf214e2d3523bde25cb65ed922832d76542107bad24)
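The same two checks the Patch Validation Tool performs, and the "disable SMB v1 via registry" mitigation recommended at the top of this article, as an added PowerShell example; this is not Trend Micro's tool and not code from the article. The MS17-010 KB numbers and the LanmanServer SMB1 registry value are taken from Microsoft's bulletin and documentation as I know them, not from this page, so verify the KB list against the bulletin before relying on it.

```powershell
# Added example: report MS17-010 patch state and SMBv1 server state, and optionally
# disable the SMBv1 server through the registry (reboot required for the change to apply).
# Assumption: the KB list below is the per-OS MS17-010 update set from the Microsoft bulletin.
# Caveat: later cumulative updates supersede these KBs, so "no matching KB" on a current
# build means "check the cumulative update level", not "the host is unpatched".
#Requires -RunAsAdministrator
param([switch]$DisableSmb1)

$Ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    # Get-HotFix lists installed updates by KB id (works on Windows 7 / 2008 R2 and later)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchingKBs = $found }
}

function Get-Smb1State {
    # Microsoft's documented semantics for the SMB1 value: absent or 1 = enabled, 0 = disabled
    $value = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'Enabled (default, value not set)' }
    if ($value -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb1Server {
    # Same registry change Microsoft documents for disabling the SMBv1 server component.
    # On Windows 8 / Server 2012 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false
    # is the supported cmdlet alternative.
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
}

$patch = Test-Ms17010Patch
Write-Host ("MS17-010 KB present : {0} {1}" -f $patch.Patched, ($patch.MatchingKBs -join ','))
Write-Host ("SMBv1 server state  : {0}" -f (Get-Smb1State))
if ($DisableSmb1) {
    Disable-Smb1Server
    Write-Host "SMBv1 server disabled in registry; a reboot is required for it to take effect."
}
```

Run without switches from an elevated prompt to audit a host; add `-DisableSmb1` only after confirming nothing on the network still depends on SMBv1 (legacy scanners, printers and XP/2003 hosts often do).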
