Tuesday, May 23, 2017

WannaCry and EternalRocks Ransomware - Are you safe?

Last week “WannaCry” made headlines worldwide, and this week “EternalRocks” is all over the place. Ransomware like WannaCry and EternalRocks has lately gained momentum as a cyber-attack vector, causing panic across millions of machines. WannaCry, which was built from two of seven NSA (National Security Agency) tools leaked in 2013, impacted many health organizations in the UK and around the globe. Luckily, the accidental provision of a kill switch by the creator of WannaCry made its spread a bit slower, which gave many of you precious time to patch your machines.

But be aware: EternalRocks has the potential to cause more damage than WannaCry, as it leverages seven NSA SMB exploit tools compared to the two used by WannaCry. And keep in mind that it doesn't have a kill switch, which will make the exploit even worse. EternalRocks could literally break out at any time, causing havoc in the digital world.

The only preventive measure you would think of against this ransomware is to patch, patch and patch your systems (firewalls, Windows machines) regularly and as soon as a patch is released. Now that you have patched against WannaCry and EternalRocks, wooooo! Great job! Still wondering whether your RMM tool patched your systems correctly, or want to be 100% sure that your systems are correctly patched? Then I have the answer to your question.

I have compiled a few scripts from the internet into one to help you find out whether your system is correctly patched against WannaCry and EternalRocks. Below is a VBScript you are welcome to copy and use. It is tested on Windows 7/Win2008 and above and does not work on WinXP/Win2003.
https://pastebin.com/GM7TgTTH
To run it, copy and paste it into Notepad or Notepad++, save it as "patchdetect.vbs" and double-click it.

WinXP or WinServer2003?

Should you need to find out on WinXP or Windows Server 2003, you'll have to get your hands dirty.
Bring up the command line on the XP or 2003 machine by executing cmd.exe as Administrator.
Type the command below:
wmic qfe get hotfixid | find "KB4012598"

Output:
KB4012598 
#If you see this output, you are patched.

As of today, KB4012598 is the patch released by Microsoft for Windows XP and Server 2003. If you come across another patch, you can simply replace the KB number in the command above to check for it.
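To run the same check across many machines, the sketch below parses saved `wmic qfe get hotfixid` output per host and lists the hosts where the KB is absent. It is an added example, not part of the original post or the pastebin script. The host names and the hotfix IDs other than KB4012598 are constructed sample data, and the UTF-16 handling assumes output that was redirected to a file.

```python
import re

# KB named in the post for Windows XP / Server 2003; add others as needed.
ACCEPTED_KBS = {"KB4012598"}

KB_RE = re.compile(r"^KB\d+$", re.IGNORECASE)


def decode_wmic(raw: bytes) -> str:
    """Assumption: wmic output redirected to a file is UTF-16 with a BOM,
    while output captured from a pipe is an 8-bit code page."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("ascii", errors="replace")


def parse_hotfix_ids(raw: bytes) -> set:
    """Return the hotfix IDs, skipping the 'HotFixID' header, blank
    lines and non-KB entries such as 'File 1'."""
    ids = set()
    for line in decode_wmic(raw).splitlines():
        token = line.strip().upper()  # wmic pads each row with spaces
        if KB_RE.match(token):
            ids.add(token)
    return ids


def unpatched_hosts(reports: dict, accepted=ACCEPTED_KBS) -> list:
    """Hosts whose hotfix list contains none of the accepted KBs.
    Whole-ID comparison avoids the substring hits that `find` allows."""
    accepted = {kb.upper() for kb in accepted}
    return sorted(host for host, raw in reports.items()
                  if not (parse_hotfix_ids(raw) & accepted))


# Constructed sample data: hypothetical hosts and made-up hotfix IDs.
SAMPLE_REPORTS = {
    "xp-front-desk": "HotFixID  \r\nKB0000001  \r\nKB4012598  \r\n\r\n".encode("utf-16"),
    # KB40125980 is made up: it contains the wanted ID only as a substring.
    "srv2003-files": b"HotFixID  \r\nKB0000002  \r\nKB40125980  \r\n",
    "xp-lab": b"HotFixID  \r\nFile 1  \r\nkb4012598\r\n",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_REPORTS):
        print(host, "is missing", ", ".join(sorted(ACCEPTED_KBS)))
```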

It’s never too late to patch, rather than suffer the pain of losing a million dollars' worth of data.

Good luck patching!