The following platforms are known to be affected:
7 Aug 2018
New ransomware has been observed that calls itself 'WannaCryV2.' At the time of publication there is no evidence of a link between this ransomware and WannaCry.
Ensure that the two kill switch domains are not blocked by firewalls because they stop some variants of the malware from running:
Organisations that have disconnected from the internet or that maintain a proxy server are recommended to implement a local web server which resolves, via local DNS servers (or via configuration of local hosts files), to the kill switch domains. This will limit the spread of WannaCry and Uiwix ransomware.
Ensure all systems are protected with the latest AV definitions
SMB Vulnerability Remediation
Note: Remediating the vulnerability does not remove an existing infection - any infected system may require quarantining, rebuilding to patched standard and redeploying.
Advice to NHS staff
NHS Staff are advised to ensure their home computers have Windows automatic updates enabled and AV software installed which is automatically updated with the latest definitions. This will help protect their personal computers and the wider internet community at large.
If RDP is not used then ensure:
If RDP is used:
For full ransomware remediation please see the Best Practice Guide Ransomware - Controls to avoid infection.
It is not recommended to pay any ransom; there is no guarantee that paying a ransom will unlock the encrypted files or that the integrity of the files will be maintained. It could additionally increase the likelihood of your organisation being targeted in future campaigns.
Responding to an Outbreak
This section is designed to help organisations respond to an outbreak and consists of two sections: (1) Containment and Eradication and (2) Recovery.
1) Containment and Eradication
Because the malware is able to self-propagate to vulnerable local and remote computers, the following containment and eradication activities should be performed. These actions can be broken down into a number of work streams which can be performed across different teams:
Stream 1 - Identify and quarantine all systems infected with the malware.
By using Windows File Server Resource Manager (FSRM), or the equivalent for your file storage servers or SAN operating system, you can identify IOC files as they are written and capture the name of the logged-in user and the computer that wrote the IOC file. Immediately quarantine all newly identified infected computers.
Stream 2 - Patch the vulnerability that enables the malware to propagate throughout a network.
Stream 3 - Ensure all systems are updated with the latest AV (Anti-Virus) definitions.
Stream 4 - Implement additional technical controls to prevent the malware from propagating.
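As an added example of the Stream 1 FSRM approach (this is not code from the advisory), the following PowerShell creates a passive file screen that records the user and path for each indicator file written to a share. It assumes the FileServerResourceManager module is present on the file server, and the share path, log path and IOC name list are placeholders to adjust to your own environment and threat intelligence.

```powershell
# Added example, not from the NHS Digital advisory.
# Assumptions: FileServerResourceManager module installed; $SharePath and $LogPath
# are placeholders; the IOC patterns are the commonly reported WannaCry artefacts
# and should be replaced or extended from your own intelligence feeds.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Clinical'       # share to monitor (placeholder)
$LogPath   = 'C:\FSRM\ioc-writes.csv'   # detections are appended here (placeholder)

# File group naming the indicator files to watch for.
$group = New-FsrmFileGroup -Name 'Ransomware IOC files' `
    -IncludePattern @('*.WNCRY', '@Please_Read_Me@.txt', '@WanaDecryptor@.exe')

# Action 1: raise a Warning in the Application event log so SIEM collection sees it.
# FSRM substitutes the bracketed variables before the action runs.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'IOC file [Source File Path] written by [Source Io Owner] on [Server]'

# Action 2: append a CSV row (timestamp, user, path) for the quarantine team.
# RunLimitInterval 0 so every write is recorded, not just the first per hour.
$cmdAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem -RunLimitInterval 0 `
    -Command 'C:\Windows\System32\cmd.exe' `
    -CommandParameters ('/c echo "%DATE% %TIME%","[Source Io Owner]","[Source File Path]" >> ' + $LogPath)

# Passive screen: log matching writes without blocking them, so the evidence is captured.
# The writing computer can then be correlated with the user's session via Get-SmbSession.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $group.Name -Active $false `
    -Notification @($eventAction, $cmdAction)
```

Switch the screen to `-Active $true` only after confirming the patterns produce no false positives, since an active screen denies the write rather than just logging it.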
Cleaning quarantined machines
Scenario 1 - For machines where the initial infection is present but which are not cryptolocked (i.e. where the malware has successfully connected to a kill switch domain and now remains in a dormant state).
Anti-Virus software with the latest malware signatures installed may be able to detect and remove the virus before further damage can be caused.
Scenario 2 - For cryptolocked machines
Fully reimage/rebuild to patched standard (including MS17-010), protect with the latest AV definitions and redeploy.
For further information see the Best Practice Guide: Ransomware - Preparing for an Outbreak.
Last edited: 17 February 2020 11:41 am