On Friday, 12 May 2017, a large cyber-attack dubbed WannaCry was launched, using a ransomware program that targets the Microsoft Windows operating system. The ransomware infected numerous computers and demanded ransom payments in the cryptocurrency Bitcoin, with the demand presented in 28 languages. Fortinet has since informed its customers that it has the situation under control.
“As you may know, on May 12, hackers launched a global ransomware campaign against tens of thousands of corporate and governmental targets. The ransomware encrypts files on an infected computer and asks the computer’s administrator to pay a ransom in order to regain access,” said Imran Chaudhrey, Regional Account Manager, Fortinet - East Africa, in a press statement.
“The ransomware attack is apparently spreading through a Microsoft Windows exploit called ‘EternalBlue,’ for which Microsoft released a patch in March. That month Fortinet released an initial IPS signature to detect vulnerabilities against MS17-10,” he added.
Per the statement, the signature specifically looked for SMB-type vulnerabilities. Chaudhrey went on to say that a recent update by Fortinet played a part in stopping the now infamous ransomware attack.
“Earlier this week, Fortinet updated our IPS signature to further enhance detection. It appears this update detects the ransomware. Today, we released an AV signature that detects and stops this attack,” he continued.
Chaudhrey further explained, “Third-party testing has confirmed that Fortinet Anti-Virus and FortiSandbox are blocking the attacks.”
Fortinet further stated that it strongly advises customers to take all of the following steps:
Apply the patch published by Microsoft on all nodes of the network.
Ensure that the Fortinet AV inspections as well as web filtering engines are turned on to prevent the malware being downloaded and to ensure that our web filtering is blocking communications back to the command and control servers.
Disable via GPO the execution of files with extension WNCRY.
Isolate communication to ports 137 / 138 UDP and ports 139 / 445 TCP in the networks of the organizations.