Returning to campus: Information, updates and vaccination requirements. Learn more.

Windows WannaCry Ransomware Security Advisory

Threat Level: High
Threat Type: Ransomware
Advisory Date: 07/04/2019

Description

While the University of Regina has not been impacted yet, be aware that the risk is high.

It is belived that emails with this ransomware may have subject lines such as:
– Copy_[with Random Numbers],
– Document_[with Random Numbers], Scan_[with Random Numbers],
– File_[with Random Numbers]
– PDF_[with Random Numbers]
This is not an exhaustive list. Please be extra cautious and do not open any emails that seem suspicious or unfamiliar no matter what the subject line is.

Impacted users will see a screen similar to the following:

Wannacry Ransomware Example

Impact

Once a single computer in is infected by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks.  University of Regina managed computers should have received this patch automatically.

The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. This is why WannaCry campaign is spreading at an astonishing pace.

Impacted platforms:
– Windows XP, Windows 2003 (see https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
– Windows Vista with Service Pack 2 x86 KB4012598
– Windows Vista with Service Pack 2 x64 KB4012598
– Windows Server 2008 with Service Pack 2 x86 KB4012598
– Windows Server 2008 with Service Pack 2 x64 KB401259
– Windows 7 with Service Pack 1 x86 KB4012212 or KB4012215
– Windows 7 with Service Pack 1 x64 KB4012212 or KB4012215
– Windows Server 2008 R2 with Service Pack 1 KB4012212 or KB4012215
– Windows 8.1 x86 KB4012213 or KB4012216
– Windows 8.1 x64 KB4012213 or KB4012216
– Windows Server 2012 KB4012214 or KB4012217
– Windows Server 2012 R2 KB4012213 or KB4012216
– Windows 10 x86 KB4012606
– Windows 10 x64 KB4012606
– Windows 10 version 1511 x86 KB4013198
– Windows 10 version 1511 x64 KB4013198
– Windows 10 version 1607 x86 KB4013429
– Windows 10 version 1607 x64 KB4013429
– Windows Server 2016 KB4013429

Resolution

If patches are not available for a system and it cannot be protected via alternative controls, such as anti-malware, then it is recommended that SMB ports (139, 445) be blocked for the system until such time as it can be patched or additional controls applied to protect against infection.

If you are impacted, contact the IT Support Centre.

Resources

External Resources:

Customer Guidance for WannaCrypt attacks (Microsoft Patches for Windows XP/2003)

What you need to know about the WannaCry Ransomware? (Symantec Security) 

Massive ransomware infection hits computers in 99 countries (BBC)

Ransomware Scam (Canadian Anti-Fraud Centre)

Massive Wave of Ransomware Ongoing (ISC)

Ransomware Hits (Malwarebytes)

Internal Resources:

See the Malware Resources page.

Please contact the IT Support Centre if you require assistance:

In person at ED 137 or Archer Library Main Floor Commons

In person at ED 137 or Archer Library Main Floor Commons