WannaCry Ransomware Vulnerability
- Article Number: 000012832
- Products: All
- Last Published Date: May 19, 2017
Published Date: May 17, 2017
Last Update: June 21, 2017
KBA Status: Final
KBA Severity: High
The Forcepoint Product Security Incident Response Team (PSIRT) has been monitoring the recent reports related to the WannaCry (also known as WannaCrypt, WannaCrypt0r 2.0, Wanna Decryptor, or Wcry) vulnerability and investigating its potential effect on Forcepoint products. This article will be updated as additional information becomes available.
WannaCry is an encryption-based ransomware attack that started spreading globally on May 12, 2017. The malware encrypts files on affected systems using AES and RSA ciphers, so that the files can be decrypted only with a unique decryption key held by the attackers. WannaCry replaces the computer's wallpaper with a message asking victims to download the decryptor from Dropbox and demanding hundreds in bitcoins to get their files back.
The malware spreads via SMB (Server Message Block), the protocol typically used by Windows machines to communicate with file systems over a network. An infected machine then propagates the infection to other at-risk machines.
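On the network, the SMB propagation described above appears as one host opening connections to many different peers on TCP port 445 within a short time. The following is an added example, not Forcepoint code, that flags this fan-out in a flow log; the log format, the sample records, the 60-second window and the threshold of 5 destinations are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (not real traffic), assumed format:
# timestamp, source IP, destination IP, destination TCP port
SAMPLE_FLOWS = """\
2017-05-12T09:00:01,10.0.0.5,10.0.0.20,445
2017-05-12T09:00:02,10.0.0.5,10.0.0.21,445
2017-05-12T09:00:03,10.0.0.5,10.0.0.22,445
2017-05-12T09:00:03,10.0.0.9,10.0.0.20,445
2017-05-12T09:00:04,10.0.0.5,10.0.0.23,445
2017-05-12T09:00:05,10.0.0.5,10.0.0.24,445
2017-05-12T09:00:06,10.0.0.5,10.0.0.25,445
2017-05-12T09:00:30,10.0.0.9,10.0.0.20,445
2017-05-12T09:01:00,10.0.0.7,10.0.0.20,445
2017-05-12T09:04:00,10.0.0.7,10.0.0.21,445
2017-05-12T09:07:00,10.0.0.7,10.0.0.22,445
2017-05-12T09:07:10,10.0.0.9,10.0.0.30,443
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples from the assumed CSV format."""
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        ts, src, dst, port = row
        yield datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak count of distinct TCP/445 destinations inside
    any sliding window} for sources whose peak reaches the threshold."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = defaultdict(int)      # src -> highest distinct-destination count seen
    for ts, src, dst, port in sorted(flows):
        if port != 445:          # only SMB over TCP is of interest here
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(smb_fanout(parse_flows(SAMPLE_FLOWS)))
```

A client that talks repeatedly to the same file server stays at a count of 1, so only hosts reaching many distinct peers are reported; the window and threshold need tuning against the normal SMB traffic of the environment.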
The PSIRT has been working with the Forcepoint Engineering escalation teams to better understand whether our products could be affected by installing the Microsoft MS17-010 Windows patch or disabling SMBv1, given that the SMB protocol is used by a number of processes (e.g., Content Gateway proxy authentication).
We have determined that:
To ensure the continued normal operation of your Forcepoint solution, you should apply the Microsoft MS17-010 Windows patch.
KBA Detailed Information
For additional details, see the Forcepoint Security Labs blog about this vulnerability.
Hotfix and Information About Other Fixes