WannaCry: What to do if you can’t update Microsoft Windows

By A.N. Ananth

A global pandemic of ransomware hit Windows based systems in 150 countries in a matter of hours. The root cause was traced to a vulnerability corrected by Microsoft for supported platforms (Win 7, 8.1 and higher) in March 2017, about 55 days before the malware was widespread. Detailed explanations and mitigation steps are described here. The first step to mitigation is to apply the update from Microsoft. A version for XP and 2003 was also released by Microsoft on Friday May 12, 2017.

But what if you did not apply the update because you just cannot do so? This is often the case in Industrial Control Systems (ICS), which comprise Operational Technology (OT) systems built on the same platforms (Windows XP, 7) that are susceptible to this vulnerability, but the patch/backup strategy recommended for traditional desktops just simply does not apply.

There are reports of several manufacturers that have apparently stopped work at plants because of WannaCry infestations of control systems, including automobile manufacturers like Renault, Dacia, and Nissan. There are many valid reasons:

  • The earlier versions of Microsoft software used in ICS aren’t just off-the-shelf versions of Windows, but they’re Windows as mediated by industrial control system vendors like Honeywell, Siemens and the like. They don’t use off-the-shelf Windows. Applying updates requires testing to ensure the ICS system is not going to be disrupted.
  • ICS system owners abhor downtime. It is very expensive to shut down a manufacturing line or an airport runway, and not possible to shut down the International Space Station.
  • ICS system owners often cite the “air gap”. But that’s a myth that has been exploded often.

As a start, ICS-CERT has published an advisory which provides this guidance:

  • Disable SMBv1 on every system connected to the network.
    • Information on how to disable SMBv1 is available here.
    • While many modern devices will operate correctly without SMBv1, some older devices may experience communication or file/device access disruptions.
  • Block port 445 (Samba).
    • This may cause disruptions on systems that require port 445.
  • Review network traffic to confirm that there is no unexpected SMBv1 network traffic. The following links provide information and tools for detecting SMBv1 network traffic and Microsoft’s MS17-010 patch:
  • Vulnerable embedded systems that cannot be patched should be isolated or protected from potential network exploitation.

If you need help and aren’t currently a customer, the same SIEM technology that detected WannaCry for our SIEMphonic Enterprise Edition customers can protect your systems as well. Our solution is designed to protect endpoints from unknown processes, like ransomware, and has been proven effective in tens of millions of installations. Find out more here.