Wcry Ransomware Warning

Last Updated: 07/01/2017

Security Notice Level


OIT is monitoring reports of a large-scale, active ransomware attack that leverages the MS17-010 vulnerability patched by Microsoft in March. The media have dubbed this new strain Wanna Decryptor, WannaCry, or Wcry. We have reports that, in addition to the standard network ports used by SMB (UDP 137 & 138, TCP 137 & 139, and TCP 445), Wcry may be leveraging RDP to access and encrypt files. While the initial infection may be caused by a malicious email, once a system is compromised the worm can spread across the network on its own, without further user interaction.

Windows system administrators need to ensure that they have patched for MS17-010. Standard access control and backup practices will also help limit exposure to ransomware attacks: least-privilege access limits the scope of files a compromised system can reach, and backups allow for the recovery of data. OIT does not recommend relying solely on the Volume Shadow Copy Service (VSS) as a failsafe against ransomware, as some strains of ransomware have been known to delete shadow copies or disable VSS.
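The following PowerShell readiness check is an added example for this notice, not a script provided by OIT or Microsoft. It checks the three items above on the local machine: whether an MS17-010 hotfix is installed, whether the SMBv1 server is disabled, and whether RDP is enabled, and then lists which of the SMB/RDP ports named above are actually listening. It assumes Windows 8.1/Server 2012 R2 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection), that RDP is on its default port 3389, and that the administrator fills in $Ms17010Kbs with the KB numbers listed in the MS17-010 bulletin for their OS build; the value shown is a placeholder.

```powershell
# Added example, not from the OIT notice. Run in an elevated PowerShell session.
# $Ms17010Kbs is a PLACEHOLDER: replace it with the KB IDs from the MS17-010
# bulletin that apply to this OS build (they differ per Windows version).
$Ms17010Kbs = @('KB<from-MS17-010-bulletin-for-your-OS>')

function Test-Ms17010Patch {
    param([string[]]$KbList)
    # Get-HotFix lists hotfixes installed through Windows Update / MSU packages.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($KbList | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Check  = 'MS17-010 hotfix present'
        Pass   = ($hits.Count -gt 0)
        Detail = if ($hits.Count -gt 0) { $hits -join ', ' } else { 'none of the listed KBs found' }
    }
}

function Test-Smb1Disabled {
    # SMBv1 is the protocol the MS17-010 exploit targets; disabling it removes the attack surface.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check  = 'SMBv1 server disabled'
        Pass   = (-not $cfg.EnableSMB1Protocol)
        Detail = "EnableSMB1Protocol=$($cfg.EnableSMB1Protocol)"
    }
}

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    [pscustomobject]@{
        Check  = 'RDP connections denied (if RDP is required, restrict it by firewall instead)'
        Pass   = ($deny -eq 1)
        Detail = "fDenyTSConnections=$deny"
    }
}

function Get-ExposedSmbRdpListeners {
    # TCP ports named in the notice plus RDP's default 3389 (assumption: default RDP port).
    $ports = 137, 139, 445, 3389
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.LocalPort -and $_.LocalAddress -ne '127.0.0.1' } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

$results = @(
    (Test-Ms17010Patch -KbList $Ms17010Kbs),
    (Test-Smb1Disabled),
    (Test-RdpDisabled)
)
$results | Format-Table -AutoSize
"Listening SMB/RDP sockets (review each against your host firewall policy):"
Get-ExposedSmbRdpListeners | Format-Table -AutoSize
```

Two caveats when reading the output. A "false" on the hotfix check does not by itself prove the host is vulnerable: on systems receiving cumulative updates, the original MS17-010 KB is superseded by later rollups that Get-HotFix reports under a different KB number, so confirm against the Windows Update history or your patch-management console. Conversely, a "true" on the SMBv1 check is the stronger mitigation; where SMBv1 is still enabled and not needed, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` turns it off on supported versions.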

Additional Information

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu. IT Service Center Hours: https://oit.colorado.edu/support/it-service-center.

Important definitions for this notice's severity level:

- Urgent: represents a broad threat to the entire campus community, including remotely exploitable administrator- or root-level attacks.

- Severe: includes worms and web- or email-based exploits.

- Important: includes viruses and local exploits for commonly used services.