2020221 (Fri)

By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017.

You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. This is especially true for systems running outdated and unsupported operating systems.

Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect WannaCry and protect your business.

Take action now

If you are a Tenable SecurityCenter® customer, here are three things you can do now before the next variant of WCry appears and before it encrypts the files on your machines.

1. Hunt for infected machines: check for DNS queries and scan for malware.

The first version of WCry that spread across the globe performs a DNS lookup when it initializes; luckily, the Passive Vulnerability Scanner® (PVS™) can record DNS queries on your network. You can apply the following filters in Event Analysis view to hunt for hosts that send queries to this domain:

Type: dns
Syslog Text: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea
Timeframe: Last 7 Days

After you apply the filter, change the view tools to Source IP Summary. If you have any host that sends queries to this domain, it has most likely been compromised. You should disconnect that machine from the network and take appropriate action.

Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.

If you already have credentialed scans or Nessus Agents in place, detection is even easier; just use the Malware Scan Policy; machines infected with WCry will be reported under plugin 59275.

2. Hunt for infected machines by lateral movement.

The WannaCry ransomware spread so quickly because once it infects one machine, it scans for any other machine with port 445 open, and then infects that target. With SecurityCenter, you can search for any hosts that are scanning for port 445 by applying this filter:

Destination Port = 445
Timeframe = Last 7 Days

Using the Connection Summary tool you can identify hosts that are connecting to other hosts using port 445. You may need to investigate a situation when the same host is talking to several other hosts. For example, in the image below, one host has 1650 events using port 445 with another host. You can enhance these results by using Assets or subnets as additional filters.

3. Once your systems are clean, patch and scan.

If your environment is now clean, the best way to prevent a WCry infection is to apply patches and disable SMBv1. Tenable has several plugins that can detect if a machine is vulnerable to MS17-010:

An ounce of prevention

Most ransomware attacks are caused by exploits of known vulnerabilities that remain unpatched on systems. By patching all your assets regularly and creating regular backups of your data, you can help prevent ransomware attacks. Now is not the time for complacency; it is time for action.

Written by Disney Cheng, Tenable’s Solution Architect, Asia Pacific Region.
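The two hunts above (Source IP Summary on DNS queries for the kill-switch label, and Connection Summary fan-out on destination port 445) can be reproduced over exported event records. The script below is an added example, not Tenable's or PVS's code; the event field names, the simplified record layout and the sample events are constructed assumptions.

```python
# Added example (not Tenable's code): reproduces the two SecurityCenter hunts
# described above over constructed log records so the logic can run offline.
# Field names and the sample events are assumptions, not a real PVS format.
from collections import defaultdict

# Label of the sinkholed kill-switch domain quoted in the post.
KILLSWITCH_LABEL = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"

# Constructed sample events: DNS queries and connection records.
DNS_EVENTS = [
    {"type": "dns", "src": "10.0.1.15", "query": "www.example.com"},
    {"type": "dns", "src": "10.0.1.22",
     "query": "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"},
    {"type": "dns", "src": "10.0.1.22", "query": "update.example.net"},
]
CONN_EVENTS = [
    # (src, dst, dst_port)
    ("10.0.1.22", "10.0.1.30", 445), ("10.0.1.22", "10.0.1.31", 445),
    ("10.0.1.22", "10.0.1.32", 445), ("10.0.1.22", "10.0.1.33", 445),
    ("10.0.1.22", "10.0.1.34", 445), ("10.0.1.15", "10.0.1.30", 445),
    ("10.0.1.15", "10.0.1.40", 443), ("10.0.1.15", "10.0.1.30", 445),
    ("10.0.1.15", "10.0.1.30", 445), ("10.0.1.15", "10.0.1.30", 445),
]

def killswitch_queriers(events, label=KILLSWITCH_LABEL):
    """Source IP Summary for DNS events whose query text contains the label.
    Returns {src_ip: query_count}; any host listed is a likely infection
    and should be isolated, not have the domain blocked."""
    hits = defaultdict(int)
    for ev in events:
        if ev.get("type") == "dns" and label in ev.get("query", "").lower():
            hits[ev["src"]] += 1
    return dict(hits)

def smb_fanout(conns, port=445, min_peers=3):
    """Connection Summary for destination port 445: count distinct peers per
    source and flag sources reaching >= min_peers hosts, since WCry scans
    every reachable machine for port 445. Many events to one peer (like the
    1650-event case in the post) is a separate signal worth a manual look."""
    peers = defaultdict(set)
    for src, dst, dport in conns:
        if dport == port:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}

if __name__ == "__main__":
    print("kill-switch queriers:", killswitch_queriers(DNS_EVENTS))
    print("port-445 fan-out:", smb_fanout(CONN_EVENTS))
```

Tune `min_peers` to the normal SMB fan-out of the subnet (file servers legitimately talk to many hosts), and pair the fan-out view with an asset or subnet filter as the post suggests.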











