As you may know, on May 12, hackers launched a global ransomware campaign against tens of thousands of corporate and governmental targets. The ransomware encrypts files on an infected computer and asks the computer's administrator to pay a ransom in order to regain access.
The ransomware attack is apparently spreading through a Microsoft Windows exploit called “EternalBlue,” for which Microsoft released a patch in March. That month, Fortinet released an initial IPS signature to detect attacks against the vulnerabilities addressed in MS17-010. This signature specifically looks for SMB-type vulnerabilities. Earlier this week, Fortinet updated their IPS signature to further enhance detection, and this update appears to detect the ransomware. Today, they released an AV signature that detects and stops this attack. (Third-party testing has confirmed that Fortinet Anti-Virus and FortiSandbox are blocking the attacks.)
We strongly advise customers to take all of the following steps:
- Apply the patch published by Microsoft on all nodes of the network.
- Ensure that the Fortinet AV inspection and web filtering engines are turned on, both to prevent the malware from being downloaded and to ensure that our web filtering is blocking communications back to the command-and-control servers.
- Use GPO to disable the execution of files with the WNCRY extension.
- Isolate communication on UDP ports 137 / 138 and TCP ports 139 / 445 within the organization's networks.
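One way to check that the port isolation in the last step is actually holding is to audit firewall flow logs for permitted traffic on those four ports. The sketch below is an added example, not Fortinet's or the author's code: the log format, the segment ranges and the fan-out threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Ports named in the advisory: UDP 137/138 and TCP 139/445.
WATCHED = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
# Assumed network segments (constructed for this example).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}
# Constructed flow log, assumed format: "src dst proto dport action".
SAMPLE_LOG = """\
10.10.0.15 10.20.0.5 tcp 445 allow
10.10.0.15 10.10.0.16 tcp 445 allow
10.10.0.22 10.20.0.5 tcp 443 allow
203.0.113.9 10.20.0.5 tcp 445 deny
10.10.0.31 10.20.0.7 udp 137 allow
10.10.0.15 10.20.0.8 tcp 445 allow
10.10.0.15 10.20.0.9 tcp 445 allow
this line is malformed
"""

def segment_of(addr):
    """Segment name for an address, or 'external' if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in SEGMENTS.items() if ip in net), "external")

def audit(log_text, fanout_threshold=3):
    """Return (violations, fanout): allowed cross-segment flows on watched ports,
    and sources that reached >= fanout_threshold distinct hosts on those ports."""
    violations, peers = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        src, dst, proto, dport, action = parts
        try:
            key = (proto.lower(), int(dport))
            src_seg, dst_seg = segment_of(src), segment_of(dst)
        except ValueError:
            continue  # unparseable port or address
        if key not in WATCHED or action != "allow":
            continue
        peers[src].add(dst)  # every allowed SMB/NetBIOS peer counts toward fan-out
        if src_seg != dst_seg:
            violations.append((src, dst, key[0], key[1]))
    fanout = {s: len(d) for s, d in peers.items() if len(d) >= fanout_threshold}
    return violations, fanout
```

A non-empty `violations` list means the isolation rule is not in effect between those segments; a host in `fanout` is reaching many peers over SMB/NetBIOS and is worth inspecting first.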
If you would like more information on how to protect your network, use the link below to register for the Fluid IT Services/Fortinet Security event on June 6, 2017 at 12 pm:
Please feel free to read the latest posts on this subject, published by the FortiGuard Labs team: