Wanna-Cry

Effectively deal with WannaCry ransomware across your entire environment with ease. Contains both preventative and maintenance countermeasures to deploy in real time.

Scenario

A Product Pack containing several questions and actions for identification and removal of the Wanna Cry 2.0 ransomware attack which broke out on May 12th 2017.

Product Pack Notes

This is the content of the WannaCry 2.0 Product Pack:

Identify WannaCry 2.0: Lists devices infected by WannaCry 2.0 ransomware

Searches for known WannaCry 2.0 indicators of compromise (IOC). Checks the Activity Report for forensic historic data relating to DNS lookups, service information, processes and registry entries. Provides a likelihood rating from Low to High for potentially compromised devices.

Prevent WannaCry 2.0: Disable SMBv1

(requires restart to take effect)
Sets the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 value to 0.

Prevent WannaCry 2.0: Restart computer immediately after disabling SMB v1 or installing relevant patches

This action will restart the computer without warning. This should only be used on computers that need to be restarted immediately.

Risk Assessment for WannaCry 2.0: Provide patching data relevant to the WannaCry2 ransomware

Checks whether patches which prevent the WannaCry 2.0 exploit have been deployed and whether devices require a reboot.

Checks for:

KB4012598, KB4012212, KB4012215, KB4015549, KB4019264, KB4012214, KB4012217, KB4015551, KB4019216, KB4012213, KB4012216, KB4015550, KB4019215, KB4012606, KB4016637, KB4015221, KB4019474, KB4013198, KB4016636, KB4015219, KB4019473, KB4013429, KB4015438, KB4016635, KB4015217, KB4019472, KB4018466, KB4019217, KB4019265, KB4019218, KB4022719, KB4022724, KB4022726, KB4023680, KB4022715, KB4022714, KB4022720, KB4032693, KB4022723, KB4022168, KB4022721, KB4025341, KB4025331, KB4025336, KB4022727, KB4032695, KB4025338, KB4022714, KB4025344, KB4025339, KB4015217, KB4023680, KB4022726, KB4022719, KB4025341, KB4025331, KB4032693, KB4025344

Risk Assessment for WannaCry 2.0: Provides information on SMBv1 status and device reboot status. WannaCry2 leverages SMB1 to propagate.

This instruction will highlight potentially vulnerable devices. It will show the status of SMBv1 and show whether a reboot is required.
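
The same risk-assessment checks can be run locally on a single Windows device. The PowerShell below is an added example, not the Product Pack's own code: the function name, the output fields, the pending-reboot registry keys and the handling of a missing SMB1 value are assumptions, and the default KB list is only a subset of the list above.

```powershell
# Added example: local SMBv1 / patch / reboot check. Not part of the 1E Product Pack.
function Get-WannaCryExposure {
    param(
        # Subset of the KB list on this page; pass the full list for a real assessment.
        [string[]]$KbIds = @('KB4012598','KB4012212','KB4012215','KB4012213',
                             'KB4012216','KB4012214','KB4012217','KB4012606')
    )

    # SMBv1 server setting: the registry value the "Disable SMBv1" action sets to 0.
    $smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1   = (Get-ItemProperty -Path $smbKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # Assumption: a missing value is reported as enabled (the default on older Windows).
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    # Installed updates that match the supplied KB list.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Assumption: these servicing keys are used as the "reboot required" signal.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb1Enabled
        PatchesFound   = $installed -join ','
        RebootPending  = $rebootPending
        # Flag the device when SMBv1 is still on and none of the listed KBs is present.
        NeedsAttention = $smb1Enabled -and ($installed.Count -eq 0)
    }
}

Get-WannaCryExposure
```

Get-HotFix reads Win32_QuickFixEngineering and may not list every installed update, so an empty PatchesFound is a prompt to verify the device, not proof that it is unpatched. A changed SMB1 value also needs a restart to take effect, and that restart is not reflected by the servicing keys checked here.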


Details

Author

1E Product Pack Creator

Downloads

25
