On May 12, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (also known as WCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor, and so on). These attacks are targeting and impacting users from various countries across the globe. For more information about WannaCry, visit Symantec's WannaCry Outbreak page.
The Windows systems listed here are vulnerable to the current WannaCry attack.
You must immediately install the Windows security update MS17-010 on all vulnerable Windows systems. This update patches the SMB vulnerability that enables WannaCry to infect and propagate.
For Windows systems that cannot yet be patched, the Symantec Embedded Security: Critical System Protection (SES:CSP) 7.0.0, 6.5.0, and 1.0.0 Windows IPS policies detect and block WannaCry ransomware attacks. All three levels of the SES:CSP Windows policy strategy—Basic, Hardening, and Whitelisting—prevent the attack from installing the WannaCry malicious executables.
SES:CSP Windows IPS policies prevent the WannaCry malware from being dropped or executed on the Windows system, and can also block inbound SMB traffic. Customers who are not using the full IPS protections can apply a targeted IPS policy that blocks execution of the WannaCry malware.
If you have Windows systems that do not use SMB or Windows Network File Sharing (in particular, Windows systems that are connected directly to the internet), it is strongly recommended to reduce the network attack surface by configuring prevention policy rules that block SMB network traffic. This is done by editing the Kernel and Global network rules as follows:
Kernel network rules:
Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
Global network rules (applied to every program via Program Path: *):
Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
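As an added example (not part of the Symantec advisory and not SES:CSP code), the following Python encodes the eight deny rules above and evaluates constructed sample flows against them, so an administrator can see which SMB/NetBIOS flows the rule set covers in each direction and which flows it leaves alone. The evaluation semantics (any matching Deny rule blocks the flow, everything else is allowed) are an assumption of this example.

```python
"""Coverage check for the SMB/NetBIOS deny rules in the advisory.
Added example; rule fields mirror the advisory text, evaluation semantics are assumed."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands for the advisory's "Any"


@dataclass(frozen=True)
class Rule:
    protocol: str              # "TCP", "UDP", or "Both"
    local_port: Optional[int]  # None means Any
    remote_port: Optional[int]


# The eight Kernel rules from the advisory (the Global rules repeat them with Program Path: *).
SMB_DENY_RULES = [
    *(Rule("Both", p, ANY) for p in (137, 138, 139)),   # inbound NetBIOS
    Rule("TCP", 445, ANY),                               # inbound SMB
    *(Rule("Both", ANY, p) for p in (137, 138, 139)),   # outbound NetBIOS
    Rule("TCP", ANY, 445),                               # outbound SMB
]


def rule_matches(rule: Rule, protocol: str, local_port: int, remote_port: int) -> bool:
    """A rule matches when protocol and both port fields match, with Any as a wildcard."""
    if rule.protocol != "Both" and rule.protocol != protocol:
        return False
    if rule.local_port is not ANY and rule.local_port != local_port:
        return False
    if rule.remote_port is not ANY and rule.remote_port != remote_port:
        return False
    return True


def is_blocked(protocol: str, local_port: int, remote_port: int, rules=SMB_DENY_RULES) -> bool:
    """True if any Deny rule matches the flow (Remote IP is Any in every rule, so it is ignored)."""
    return any(rule_matches(r, protocol, local_port, remote_port) for r in rules)


# Constructed sample flows: (protocol, local port, remote port, description)
SAMPLE_FLOWS = [
    ("TCP", 445, 49200, "inbound SMB to this host (the WannaCry propagation path)"),
    ("TCP", 49301, 445, "outbound SMB from this host to a file share"),
    ("UDP", 137, 137, "NetBIOS name service"),
    ("TCP", 49302, 443, "outbound HTTPS, unaffected"),
    ("UDP", 445, 49303, "UDP/445, not covered because the 445 rules are TCP only"),
]


def coverage_report(flows=SAMPLE_FLOWS) -> dict:
    return {desc: is_blocked(proto, lp, rp) for proto, lp, rp, desc in flows}


if __name__ == "__main__":
    for desc, blocked in coverage_report().items():
        print(f"{'DENY ' if blocked else 'allow'}  {desc}")
```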
In addition to the protection delivered out of the box, execution of all known variants of the WannaCry ransomware can be blocked by adding the hashes of their executables to the Global No-run List. To add a hash to the list: