How to remove Ransom:Win32/WannaCrypt.A!rsm Virus

I have an SCCM server. The SCCM server detects the virus Ransom:Win32/WannaCrypt.A!rsm on Windows 7 PCs, but it cannot completely delete that virus. After scanning those PCs with the SCCM server, it detects that virus. But after some days it comes back to those PCs. Around 1421 Windows 7 PCs are affected by that virus. Our whole system is in a vulnerable condition. Is there any way to remove the Ransom:Win32/WannaCrypt.A!rsm virus completely from Windows 7 PCs?
Md. Shamiul Islam, Jr. Systems Engineer, Asked:
 
John Tsioumpris, Software & Systems Engineer, Commented:
To me it seems that somewhere you have an infected machine that keeps infecting the others, so maybe you should try to "divide and conquer": split your infected machines into small groups and isolate them from your network... try to see if after the cleaning process they remain clean... if you encounter a group that is clean, you return it to the normal network... if not, you keep splitting the group until you reach the source of infection.
Maybe it's a good idea to train the employees to perform the cleaning process using extra 3rd party tools.
Also check for update MS17-010, which blocks a vulnerability that WannaCry exploits to infect other machines....
1
 
Alex Green, 3rd Line Server Support, Commented:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wannacrypt.A!rsm


Full guide there. I'm assuming you must be running some sort of malware protection; that would normally remove it as well.

Thanks
alex
0
 
 
btan, Exec Consultant, Commented:
Why is SCCM scanning for such ransomware? It would have been the antivirus or anti-malware; for Windows, it is Defender AV that does the job of preventing its infection.

But relying on AV does not suffice if the machine is not patched (minimally MS17-010, but go for the latest release as it is cumulative to close up known vulnerabilities), not hardened (need AppLocker to allow authorised applications to run, disable SMBv1 to prevent infection spread and exploitation onto systems having the same network shares) and any user is logged in as default administrator (which should be given user role only).

May want to see the FAQ on preventive measures
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
1
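Added example, not part of any comment above and not Microsoft's or SCCM's own code: a read-only PowerShell audit for one Windows 7 PC covering the checks the replies name (MS17-010 present, SMBv1 off, who is in the local Administrators group). The helper names are this example's own; the KB IDs and `srv.sys` version threshold are the Windows 7 SP1 values for MS17-010 and are an assumption for any other OS.

```powershell
# Added example: read-only audit of one Windows 7 SP1 PC; it changes nothing.
# Assumption: the KB IDs and srv.sys threshold below apply to Windows 7 SP1 /
# Server 2008 R2 only (March 2017 MS17-010 updates and the fixed driver build).
$Ms17010Kbs = 'KB4012212', 'KB4012215'
$MinSrvSys  = [version]'6.1.7601.23689'

function Test-Ms17010 {
    # Later cumulative rollups replace the March 2017 KBs, so the srv.sys
    # version is the primary signal and the KB list only a fallback.
    # Run from a 64-bit PowerShell on 64-bit Windows so System32 is not redirected.
    $path = Join-Path $env:windir 'System32\drivers\srv.sys'
    if (Test-Path $path) {
        $v = (Get-Item $path).VersionInfo
        $fileVer = [version]("{0}.{1}.{2}.{3}" -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
        if ($fileVer -ge $MinSrvSys) { return $true }
    }
    $hits = @(Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    return ($hits.Count -gt 0)
}

function Get-RegDword($Key, $Name) {
    # Returns the value, or $null when the key or value is absent.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { return $p.$Name } else { return $null }
}

function Get-LocalAdmins {
    # Assumption: English group name 'Administrators'.
    $g = [ADSI]'WinNT://./Administrators,group'
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    IsWindows61    = ([Environment]::OSVersion.Version.ToString(2) -eq '6.1')
    Ms17010Present = (Test-Ms17010)
    # SMB1 = 0 disables the SMBv1 server; a missing value means enabled.
    Smb1ServerOff  = ((Get-RegDword "$svc\LanmanServer\Parameters" 'SMB1') -eq 0)
    # Start = 4 means the SMBv1 client driver (mrxsmb10) is disabled.
    Smb1ClientOff  = ((Get-RegDword "$svc\mrxsmb10" 'Start') -eq 4)
    LocalAdmins    = (Get-LocalAdmins) -join ', '
}
```

Run on each PC in an isolated group after cleaning, the output shows which machines are still unpatched or still expose SMBv1 before the group is returned to the normal network.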
Question has a verified solution.
