Prevention policies that ship with Cloud Workload Protection can block the WannaCry / Petya ransomware from extracting its malicious executables and installing a SYSTEM service on servers protected by Cloud Workload Protection. You can achieve this by editing the out-of-the-box policies. With these policies in place, files on the file system are not encrypted and no dialog demanding payment is presented.
Ensure that the following policies are present in the Windows Policy Groups:
The recommendation is to apply additional policy hardening to the Windows Default Policy. To do this:
For systems that do not use SMB or Windows Network File Sharing, and especially for externally facing servers, it is a best practice to reduce the network attack surface by configuring prevention policy rules that block SMB network traffic. This can be done by editing the Kernel and Global network rules.
The Windows OS Sandbox contains hardcoded exceptions to the Global Rules for usability and stability purposes. To ensure that SMB traffic is blocked in all cases, review the Windows OS Sandbox Inbound/Outbound Network rules and remove all of these exceptions. In addition to the out-of-the-box protection, execution of all known variants of the WannaCry/Petya ransomware can be blocked by adding the executable hashes to the Global No-run List. To add a hash to the list: