
Some information about Ransomware & WannaCry Ransomware

What is Ransomware?

————————

Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. Recently, a dangerous ransomware named ‘WannaCry’ has been affecting computers worldwide, creating the biggest ransomware attack the world has ever seen.

What is WannaCry Ransomware?

——————————-

WannaCry ransomware attacks Windows-based machines. It also goes by the names WannaCrypt, WannaCry, WanaCrypt0r, WCrypt and WCRY. It leverages an SMB exploit for Windows machines called EternalBlue to attack and inject the malware. All versions of Windows before Windows 10 are vulnerable to this attack if not patched for MS17-010. After a system is affected, it encrypts the files and shows a pop-up with a countdown and instructions on how to pay $300 in bitcoins to decrypt and get back the original files. If the ransom is not paid in 3 days, the ransom amount increases to $600 and the user is threatened with having all their data wiped. It also installs the DOUBLEPULSAR backdoor on the machine.

What can you do to prevent infection?

—————————————-

  • Microsoft has released a Windows security patch, MS17-010, for Windows machines. It needs to be applied immediately and urgently.
  • Remove Windows NT4, Windows 2000 and Windows XP-2003 from production environments.
  • Block ports 139, 445 and 3389 in the firewall.
  • Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
  • SMB is enabled by default on Windows. Disable the SMB service on the machine by going to Settings > uncheck the settings > OK.
  • Make sure your software is up to date.
  • Have a pop-up blocker running on your web browser.
  • Regularly back up your files.
  • Install a good antivirus and a good anti-ransomware product for better security.

File Names:

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe
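A small hunt script, added here as an example and not part of the original post, that checks a list of file paths against the file-name indicators above: the three explicit C:\WINDOWS entries are compared as full paths, the other names as base names, and the `[0-9]{15}.bat` pattern as an anchored regex. The sample listing is constructed, not taken from a real machine.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post. Plain names are matched against the base name, the
# three explicit C:\WINDOWS entries against the full path; Windows file names
# are case-insensitive, so everything is compared lower-cased.
WANNACRY_NAMES = {
    "@please_read_me@.txt", "@wanadecryptor@.exe", "@wanadecryptor@.exe.lnk",
    "please read me!.txt", "!wannadecryptor!.exe.lnk",
    "00000000.pky", "00000000.eky", "00000000.res",
}
WANNACRY_PATHS = {
    r"c:\windows\tasksche.exe", r"c:\windows\qeriuwjhrf",
    r"c:\windows\system32\taskdl.exe",
}
# The post's [0-9]{15}.bat pattern, anchored and with the dot escaped so that
# 16 digits or a trailing ".txt" do not match.
BAT_DROPPER = re.compile(r"^[0-9]{15}\.bat$")

def classify(path):
    """Return the indicator a single Windows path matches, or None."""
    p = PureWindowsPath(path)
    full, name = str(p).lower(), p.name.lower()
    if full in WANNACRY_PATHS:
        return full
    if name in WANNACRY_NAMES:
        return name
    if BAT_DROPPER.match(name):
        return BAT_DROPPER.pattern
    return None

def hunt(paths):
    """Return [(path, indicator)] for every path that matches an indicator."""
    return [(p, classify(p)) for p in paths if classify(p) is not None]

# Constructed sample listing (hypothetical; not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Desktop\@Please_Read_Me@.txt",
    r"C:\WINDOWS\tasksche.exe",
    r"C:\Windows\System32\taskdl.exe",
    r"C:\ProgramData\131181494299235.bat",
    r"C:\ProgramData\1311814942992351.bat",  # 16 digits: not the pattern
    r"D:\shares\finance\00000000.res",
]

if __name__ == "__main__":
    for path, indicator in hunt(SAMPLE_LISTING):
        print(f"{path}  <-  {indicator}")
```

Feed it the output of a recursive directory listing (or a file-creation event feed) to flag the dropped components rather than the encrypted files themselves.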

Clean Up of Updates (Patches) which are superseded by New Bulletin IDs

Microsoft releases patches every month on the second Tuesday. Some of these patches supersede previous updates, which can then be deleted from the System Center Configuration Manager 2007 deployment. This keeps the patch package size small, which in turn means less time to replicate to the Distribution Points (DPs) and saves space on all servers.

The following steps are used to clean up these updates.

Step 1: Delete the updates from the Deployment

In the Deployment, check for the grayed-out updates and see if they are superseded by any newly released updates (patches with Bulletin IDs, e.g. MS08-072 supersedes MS08-008).

Note: Updates superseded by Service Packs should not be deleted unless the Service Pack is installed on all the machines present in the environment.

Navigate to Deployment Management in the CM07 console.

Ex: 2008 BaseLine Security Updates Part 1

Open System Center Configuration Manager 2007 Console → Computer Management → Software Updates → Deployment Management →

Select the Bulletin IDs to delete as per the criteria described above.

Multiple Bulletin IDs can be deleted at a time by holding the CTRL key.

Note: Make a note of the number of updates selected for deletion.


Step 2: Delete the above updates from the Deployment Package

Note down the size of the package before starting the following process.

Example: 2008 BaseLine Security Updates Part 1

Navigate to Deployment Packages → expand the package “2008 BaseLine Security Updates Part 1” → Software Updates → select the Bulletin IDs to delete in the right pane.

Note: The number of updates to be deleted should be the same as the number deleted from the Deployment.

Right-click on the selected items → Delete


Click OK on the pop-up for refreshing the package.


Click OK on the confirmation pop-up stating that these updates are also part of a Deployment, as we have already deleted them from the Deployment in Step 1.


Note down the size of the package, which will be less than the previous size.

Monitor the DP replication and check that all the DPs are updated with the above changes.