On the 12th of May, 2017, the ransomware known as "WannaCry" hit worldwide, targeting Windows-based computers by encrypting data and demanding Bitcoin ransom payments. WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. The image below shows the infection chain of this type of malware:
See WannaCry/Wcry Ransomware for more information.
WannaCry ransomware circumvents security solutions by dropping its payloads, such as the file cryptor (tasksche.exe), in the Windows folder to avoid being detected. Use this article to configure EAC to stop WannaCry ransomware attacks in your Windows environment.
To protect endpoints from WannaCry/WCry or similar ransomware using TMEAC, do the following:
- Install or upgrade to TMEAC v2.0 SP1 Patch 1 Build 1550.
- Create and deploy a Device Lockdown Policy to vulnerable endpoints. Do the following:
  - Log in to the EAC Web UI and go to Management > Policies.
  - Click +Add Policy and select New.
  - Provide the following information:
    - Name: Device Lockdown Policy
    - Users and Endpoints: <select target user or endpoint>
  - Expand the Rules tab.
  - Click +Assign Rule and select New Lockdown.
    If a Lockdown rule exists, select Existing instead and search for the Lockdown rule to assign to the policy.
  - Uncheck the Always allow all applications in the Windows directory (overrides Block and Lockdown rules) checkbox.
  - Click Save to start applying the policy to endpoints.
Alternatively, you can download the Device Lockdown Policy Template here and import it to your current Application Control policy list.
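Why the checkbox in the procedure above matters, shown as a simplified decision model (an added example, not Trend Micro's code or the product's actual engine). It assumes a Lockdown rule allows only files recorded in an inventory taken at lockdown time and that the Windows-directory override is evaluated first; the names, paths and hashes are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

WINDOWS_DIR = r"C:\Windows"  # assumed %WINDIR% for this model


@dataclass(frozen=True)
class LockdownPolicy:
    # (normalised path, sha256) pairs recorded when the endpoint was locked down
    inventory: frozenset
    # Models the "Always allow all applications in the Windows directory" checkbox
    allow_windows_dir: bool


def _norm(path):
    # Windows paths are case-insensitive; collapse ".." and mixed separators
    return ntpath.normcase(ntpath.normpath(path))


def in_windows_dir(path):
    # True only for files really under C:\Windows, not C:\WindowsFake or ..\ escapes
    return _norm(path).startswith(_norm(WINDOWS_DIR) + "\\")


def decide(policy, path, sha256):
    """Return 'allow' or 'block' for one execution attempt."""
    if policy.allow_windows_dir and in_windows_dir(path):
        return "allow"  # override wins before the Lockdown rule is consulted
    if (_norm(path), sha256) in policy.inventory:
        return "allow"  # file was present, unchanged, at lockdown time
    return "block"      # anything new or modified is refused


def make_policy(files, allow_windows_dir):
    inv = frozenset((_norm(p), h) for p, h in files)
    return LockdownPolicy(inv, allow_windows_dir)


# Constructed sample data: hashes are placeholders, not real file hashes
BASELINE = [(r"C:\Windows\System32\notepad.exe", "aa" * 32)]
# Constructed path: a payload dropped under the Windows folder after lockdown
DROPPED = (r"C:\Windows\tasksche.exe", "bb" * 32)

if __name__ == "__main__":
    for flag in (True, False):
        p = make_policy(BASELINE, allow_windows_dir=flag)
        print(f"override={flag}: tasksche.exe -> {decide(p, *DROPPED)}")
```

With the override checked, the dropped file runs even though it was never inventoried; with it unchecked, only the baseline files under the Windows folder are allowed.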
If further assistance is needed, contact Trend Micro Technical Support.