How can we stop Ransom:Win32/WannaCrypt malware spread?

  • Question

  • Hi, Guys.

    How can we stop Ransom:Win32/WannaCrypt malware spread? As you know, this malware has worm functionality which attempts to infect unpatched outdated Windows machines. 

    Yes, there are good AVs which can detect and quarantine this threat. If we receive multiple ransomware detections reported by our AV, how can we instead track down the infected system which spreads the malware to other vulnerable computers? Assuming this infected system was not detected by our AV for some reason (i.e. AV was not installed).

    I can see an article that states that the threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system.

    How can we also track endpoints that have this mssecsvc2.0 service running on them via a PowerShell script? Thank you.

    Tuesday, January 8, 2019 4:22 AM

All replies

  • Patch. That's the first thing. And if you can't patch, you isolate the unpatched system. Then ensure you can disable SMBv1. As far as determining "endpoints", do you mean workstations or servers? I'm not following the question.
    Tuesday, February 5, 2019 2:12 AM
  • 1. Determine the service name - it may change if the bad guys change the name.

    2. Determine if the workstation or server supports PowerShell. If they are unpatched and out of date, it may not.

    3. https://stackoverflow.com/questions/35064964/powershell-script-to-check-if-service-is-started-if-not-then-start-it  Obviously you don't want to start it, but honestly, by the time ransomware has installed this, the game is already over and it's too late to detect. You'll know when your files are encrypted.

    Tuesday, February 5, 2019 2:15 AM
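The sweep the question asks for and the three steps in the reply above, as an added example that is not part of this thread: it checks each listed host for the service name cited in the question (mssecsvc2.0, kept in a variable because the reply notes the name may change), reports whether SMBv1 is enabled, and flags hosts that cannot be reached over PowerShell remoting. It assumes WinRM is enabled on the targets and that the caller has administrative rights; the computer names are a constructed sample.

```powershell
# Added example, not from the thread. Assumes PowerShell remoting (WinRM) is
# enabled on targets and the caller is an administrator there.
param(
    [string[]]$Computers    = @('WS01', 'WS02', 'SRV01'),  # constructed sample list
    [string[]]$ServiceNames = @('mssecsvc2.0')             # name cited in the question; adjust if it changes
)

$results = foreach ($computer in $Computers) {
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            param($names)
            # Match on Name and DisplayName, since either may be what an analyst recorded
            $hits = Get-Service | Where-Object { $names -contains $_.Name -or $names -contains $_.DisplayName }

            # SMBv1 server state; Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later
            $smb1 = $null
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
            }

            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                SuspectService = ($hits | ForEach-Object { "$($_.Name) [$($_.Status)]" }) -join ';'
                SMB1Enabled    = $smb1
                Reachable      = $true
            }
        } -ArgumentList (,$ServiceNames)
    }
    catch {
        # Unreachable or no remoting: still report it, since an unpatched host
        # may lack PowerShell remoting entirely (step 2 in the reply above)
        [pscustomobject]@{
            Computer       = $computer
            SuspectService = ''
            SMB1Enabled    = $null
            Reachable      = $false
        }
    }
}

# Hosts where the service was found sort first so they can be isolated immediately
$results | Sort-Object { $_.SuspectService -eq '' } | Format-Table -AutoSize

# Keep a CSV for ticketing or SIEM ingest
$results | Export-Csv -Path .\wannacrypt-sweep.csv -NoTypeInformation
```

A host with SMB1Enabled set to True and no patch applied belongs on the isolation list from the first reply even when no service is found.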