The ransomware cyber-attack “Wannacry” (also named “Wannadecryptor” or “WCRY”) continues its propagation and has impacted several thousand systems across the world. Your Unify and Atos teams have been fully mobilized for the last 72 hours and will continue until the end of this crisis.
If you have a Managed Service contract, you will be contacted by your service team regarding any specific actions we are taking to safeguard your environment; however, we also strongly recommend that all customers apply great diligence in assessing and patching their Windows landscape.
Any Unify product (or 3rd party product supplied by Unify) including clients, which is running on a Microsoft Windows desktop operating system, is potentially impacted as a result of the Windows environment being affected and corrective action may be necessary.
Below is a list of the main Windows server based products which may be impacted if those Windows systems have not been patched. This list is not intended to be exhaustive and includes only products actively commercialized and supported (not phased-out):
- OpenScape Contact Center and Extensions (OSCC-E)
- OpenScape CAP server
- HiPath DTB, BLF Win Server
- OpenScape Deployment Service (DLS)
- OpenScape User Mgmt, Fault Mgmt, QoS Mgmt, Accounting Mgmt
- OpenScape Xpert System Manager and Turret
- OpenScape Voice Trace Manager
- OpenScape CDC
- OpenScape Xpressions
- OpenScape SESAP
- OpenScape Enterprise Express (OSEE) with embedded DLS, Xpressions, and OpenScape Contact Center (OSCC)
While applying the Microsoft patch “MS17-010” is the only reliable root-cause fix to also address morphed virus versions, we want to bring to your attention a potential additional measure referred to as a “kill switch” that may limit further virus spreading.
As the kill switches currently work only on the Internet, additional effort involving your network team is needed to enable them in your Intranet; please see the technical details below.
However, the switches can only stop new infections of the current version of the ransomware (infected systems stay infected). The main purpose of implementing it in your Intranet is to protect a system that is initially infected (e.g. May 12) and then switched off/hibernated during the weekend. When the system connects again to your network, it could lead to potential further spread, as the virus pattern update and detection on this system might need some time.
Should you have any questions, please contact your service team.
Kill-switch technical details:
Different versions of the Wannacry virus establish a direct connection to the following URLs before infecting and spreading: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
This works in normal Internet environments (provided they have a direct outside connection and standard DNS), but not in Intranets, as the virus does not use a proxy.
Let these host names resolve to a local Intranet web server IP address (the content does not matter, but the server needs to serve HTTP on port 80 and there needs to be a website at "/").
Test whether it works in your Intranet by disabling the proxy in the browser settings (IE, Chrome, …) and entering http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com or www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If a website appears, it works.
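A scripted version of the browser test above, as an added example that is not part of the original advisory: it resolves each kill-switch host name, checks that the answer is an internal address, and requests "/" on port 80 directly, without a proxy. The function names and the rule that any HTTP status below 400 counts as "a website appears" are assumptions of this example.

```python
import http.client
import ipaddress
import socket

# Host names copied from the advisory text above.
KILL_SWITCH_HOSTS = (
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)


def check_kill_switch(host, resolve=socket.gethostbyname, port=80, timeout=5):
    """Return (ok, detail) for one kill-switch host name.

    ok is True only if the name resolves to an internal address and a direct
    HTTP GET for "/" on that address returns a status below 400 (assumed
    meaning of "a website appears" in the advisory).
    """
    try:
        ip = resolve(host)
    except OSError as exc:
        return False, f"DNS lookup failed: {exc}"
    if not ipaddress.ip_address(ip).is_private:
        return False, f"resolves to {ip}, which is not an internal address"
    # http.client connects straight to the IP and ignores proxy settings,
    # which mirrors the proxy-less connection described in the advisory.
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no HTTP answer from {ip}:{port}: {exc}"
    finally:
        conn.close()
    if status >= 400:
        return False, f"{ip}:{port} answered HTTP {status} for /"
    return True, f"{ip}:{port} answered HTTP {status} for /"


def check_all(hosts=KILL_SWITCH_HOSTS, **kwargs):
    """Check every host; returns {host: (ok, detail)}."""
    return {h: check_kill_switch(h, **kwargs) for h in hosts}


if __name__ == "__main__":
    for name, (ok, detail) in check_all().items():
        print(("OK   " if ok else "FAIL ") + name + ": " + detail)
```

Run it from a client inside the Intranet that uses the internal DNS; a FAIL line tells you whether the DNS entry or the web server is the missing piece.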