
WannaCry ransomware prompts legacy MS17-010 patch

Microsoft responds to WannaCry ransomware with an MS17-010 patch for legacy systems as new ransomware variants spread to more countries around the globe.

WannaCry ransomware exploded over the weekend and spread like a worm to infect more than 200,000 systems across 150 countries around the world, according to Europol. In response, Microsoft took the emergency step of releasing patches for versions of Windows that are no longer supported.

The WannaCry ransomware -- also known as Wanna Decryptor, WannaCrypt and WannaCryptor -- emerged on Friday and is based on the EternalBlue exploit of Windows Server Message Block (SMB) v1 found in a recent dump of NSA cyberweapons. Microsoft had released a patch for supported systems in the March 2017 Patch Tuesday updates with bulletin MS17-010.

However, the WannaCry infections spread fast among legacy systems, especially in healthcare organizations, and prompted Microsoft to take "the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8 and Windows Server 2003," according to a blog post from Friday.

Most experts, like Sanjay Raja, CMO at Lumeta, a cybersecurity company headquartered in Somerset, N.J., praised Microsoft for releasing MS17-010 patches for unsupported systems but said it may not help with unmanaged systems.

"This does not change a fundamental blind spot issue where we have found that in every organization we touch, on average, they are not managing or monitoring over 20% of their network and endpoint infrastructure," Raja told SearchSecurity. "This is due to these devices and networks being unknown, rogue, part of a shadow IT set up, recruited or even created -- as in VMs -- by malicious actors for purposes of obscuring data exfiltration. Regardless of the cause, they are unmanaged, unpatched and certainly unprotected in most cases even if using more current operating systems."

Jeremiah Grossman, director of security at SentinelOne, a cybersecurity company based in Palo Alto, Calif., said the legacy systems patches from Microsoft should "make a huge difference" in mitigating the WannaCry ransomware threat.

"Microsoft did us all a great service. Not only did they release an update when they technically didn't have to, and in record time, but apparently had the patch already developed and were well-prepared -- just in case something like this were to happen," Grossman told SearchSecurity. "Some organizations, for a variety of business and technical reasons are locked into using XP. So, now, having the option to patch in addition to disabling SMBv1 gives them much-needed options to protect themselves, which also gives them time to develop a more longer-term transition place."

Kasper Lindgaard, senior director of research and security at Flexera Software, a software licensing and compliance company based in Itasca, Ill., said Microsoft might actually be doing a disservice to its customers.

"If we look specifically at the current situation only, then Microsoft providing a patch is a good thing for those still running end-of-life versions of Windows," Lindgaard told SearchSecurity. "However, if we look at the bigger picture, then I believe that Microsoft is doing a disservice to customers, as it is now less likely that those remaining on these obsolete versions will actually upgrade. They can easily be thinking now, that Microsoft will bail them out if the situation is grave enough."

Infection path of the WannaCry ransomware worm.

Other WannaCry ransomware mitigations

Patching systems against the SMBv1 vulnerability is not the only way to mitigate the threat of WannaCry and security researchers have been doing their part to stop the infections. U.K. researcher MalwareTech analyzed the ransomware and found the command and control (C&C) domain was hardcoded in the malware, and took the standard approach of registering the domain. Doing so broke the C&C connection, acting like a "kill-switch" for the WannaCry ransomware. 

Matt Suiche, Microsoft MVP and founder of Comae Technologies, a cybersecurity company based in the United Arab Emirates, found a WannaCry ransomware variant using a different domain that he was able to register in order to slow the infection.

However, Suiche noted that registering a domain as a kill switch is only a temporary measure, as the actors behind the ransomware could change the domain, and there are also variants of the WannaCry malware surfacing that don't have hardcoded C&C domains.

Experts also suggested following the advice of US-CERT from January and disabling SMBv1 when possible to stop the WannaCry ransomware spread, as well as blocking port 445.
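As an added illustration (not part of the original article or of any vendor's tooling), the two mitigations above can be audited and applied from an elevated PowerShell session as follows. The function names and the firewall rule name are hypothetical, and the inbound block assumes the host does not itself need to serve file shares.

```powershell
# Added example. Function names and the rule display name are illustrative.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Report how SMBv1 is configured on the local SMB server component.
    $status = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Windows 8 / Server 2012 and later ship the SmbShare cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Windows 7 / Server 2008 R2 rely on the LanmanServer registry value.
    # When the value is absent, SMBv1 is enabled by default on those systems.
    $reg = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $status.RegistrySmb1 = if ($null -eq $reg) { 'not set (default: enabled)' } else { $reg.SMB1 }

    [pscustomobject]$status
}

function Disable-Smb1 {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$BlockPort445)

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 on the SMB server')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Registry method for older systems; takes effect after a restart.
            Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
        }
    }

    # New-NetFirewallRule exists on Windows 8 / Server 2012 and later only.
    # Assumption: this host does not need to accept inbound SMB connections.
    if ($BlockPort445 -and $PSCmdlet.ShouldProcess('TCP 445', 'Add inbound block rule')) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
    }
}

Get-Smb1Status                        # audit only
Disable-Smb1 -BlockPort445 -WhatIf    # preview; remove -WhatIf to apply
```

Disabling SMBv1 this way leaves SMBv2 and later available for file sharing; the firewall rule blocks all inbound SMB on the host regardless of version.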

Brian Vecci, technical evangelist at Varonis, a data security software company based in New York, said "if there is a patch available, you should patch it."

"System exploits will always be an issue and admins need to defend in depth -- patching is one defense, but not the only one," Vecci told SearchSecurity. "Disabling SMBv1 and blocking relevant ports are a tactical defense to this attack. Basic security procedures like patching and turning off legacy protocols would have gone a long way in preventing the damage from this attack."

Duncan McAlynn, principal engineer and security evangelist at Ivanti, an IT automation and integration company based in Salt Lake City, said disabling SMBv1 would be the "most obvious approach."

"However, it goes well beyond just a registry modification. Organizations that are serious about infosec will also have other measures in place to help thwart such malicious attacks," McAlynn told SearchSecurity. "This type of defense-in-depth approach will include solutions such as application whitelisting, device control, next generation firewalls and post-breach threat detection."

Dana Simberkoff, chief compliance and risk officer at AvePoint, a cloud security company based in Jersey City, N.J., said the best security measure against attacks like the WannaCry ransomware may be "continuous and ongoing education of employees."

"This education cannot be a once a year training course, but rather it must be pervasive throughout the culture of your organization. Because in the absence of security education or experience, people naturally make poor security decisions with technology," Simberkoff told SearchSecurity. "This means that systems need to be easy to use securely and difficult to use insecurely. Your security and data protection education program should include information about the importance of patching your operating systems and the direct tie of unpatched systems to vulnerabilities."
