How are you all handling the malware ambush

egrizzly Member Posts: 533 ■■■■■□□□□□
At work we had to stay overtime for two hours to deal with the massive malware outbreak on Friday (March 16). Our company has a lot of remote users who had to call in and wait on hold forever to be patched.

Was there a working auto-patch deployment that you all implemented for remote users?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Some suggestions and random thoughts.

    In a previous engagement, we had users who for various reasons ignored Windows' notification to reboot their PC for security updates; they either never logged off or just put the laptop into sleep or hibernate mode. Some of them required local administrator access due to the nature of their work. We had laptops that were almost a year behind on security patches. We ended up using group policy to enforce automatic updates and force their PCs to reboot after applying them.

    WannaCry uses a mutex. If you create the mutex, say via PowerShell, it will not encrypt. Some tools have been released that do this, e.g. https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/ and https://www.minerva-labs.com/post/immune-yourself-from-wannacry-ransomware-with-minervas-free-vaccinator


    You can disable SMB1 to prevent the worm from infecting those that are not patched. In my previous job, we disabled SMB1 for all our production servers as a preventive measure. Windows Vista/Server 2008 and higher support SMB2. If you have Linux boxes, Samba 3.6 and higher supports SMB2. And that was in 2015. Even Microsoft gave the same advice in 2016.

    Usual disclaimer applies: the above are suggestions; you need to test, and I am not responsible.
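    The two mitigations in this post, SMB1 removal and the mutex "vaccine", combined into one PowerShell audit script. This is an added example, not code from any poster or from the linked tools; the `-Remediate` switch is this script's own design, and the mutex name is a placeholder that must be replaced with the value from a vetted indicator source.

```powershell
# Added example: audit SMB1 on this host and hold a named mutex as a vaccine.
param(
    [switch]$Remediate,
    # Placeholder: replace with the actual mutex name from a trusted IoC source.
    [string]$MutexName = 'Global\PLACEHOLDER_WANNACRY_MUTEX'
)

# Server-side SMB1 (Get-/Set-SmbServerConfiguration exist on Windows 8 / Server 2012+).
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    Write-Warning "SMB1 server protocol is ENABLED on $env:COMPUTERNAME"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMB1 server protocol disabled; existing sessions are unaffected."
    }
} else {
    Write-Host "SMB1 server protocol is already disabled."
}

# Client SKUs ship SMB1 as an optional feature; removing it needs a reboot.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol optional feature is installed on $env:COMPUTERNAME"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Host "SMB1Protocol feature removal queued; reboot to complete."
    }
}

# Mutex vaccine: the encryptor exits if its mutex already exists, so this only
# protects while the process holding the mutex keeps running (e.g. a service wrapper).
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
if ($createdNew) {
    Write-Host "Holding mutex $MutexName; press Ctrl+C to release it."
    while ($true) { Start-Sleep -Seconds 60 }
} else {
    # Another process already owns the name: either a second vaccine instance or
    # something worth investigating. Do not hold a handle we did not create.
    Write-Warning "Mutex $MutexName already exists on this host; identify the owning process."
    $mutex.Dispose()
}
```

    Run it from an elevated prompt; without `-Remediate` it only reports and holds the mutex, which makes it safe to use as a first-pass inventory across remote laptops.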



  • sillymcnasty Member Posts: 254 ■■■□□□□□□□
    Had to stay 2 hours to patch a few machines. bcrypt.dll was the thing we had to make sure was updated.
  • Cisco Inferno Member Posts: 1,034 ■■■■■■□□□□
    Emergency patching of about 2000 servers.

    Thank god I didn't have to :D
    2019 Goals
    CompTIA Linux+
    [ ] Bachelor's Degree
  • PC509 Member Posts: 804 ■■■■■■□□□□
    For WannaCry/WannaCrypt, just some late night patching/rebooting of servers that weren't auto-reboot or needed a last minute patch. SCCM pushed all the other updates out to clients and forced auto-reboot. So, we were good there. Others that are rarely connected to the network were set up and updated.

    Not a big deal. Nothing was infected. But we are safe.

    We did get a few hits on the DocuSign thing, though... Still working on that.
  • kuen332211 Registered User Posts: 4 ■□□□□□□□□□
    The following is a video I made to share how I handle the problem.

    https://youtu.be/xc2HCUnlITg
  • blatini Member Posts: 285
    kuen332211 wrote: »
    The following is a video I made to share how I handle the problem.

    https://youtu.be/xc2HCUnlITg

    People pointed this out in the other thread, but you probably don't want to click this.
  • merc.man87 Member Posts: 50 ■■□□□□□□□□
    Disabled SMBv1, lots of patching, temporary suspension of VPN for remote users.
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    Not aware of any issues where I work; they are pretty much on top of patching, and when you connect via VPN, it forces your laptop to take patches without even asking you. At work we can usually delay the patching for a few hours if we're in the middle of something, but remote users don't have that option. Even the servers are up to date; if a computer's OS can't be upgraded for some reason, it's not allowed on the network.
    Still searching for the corner in a round room.