CrowdStrike Strikes Microsoft – Aftermath

CrowdStrike, a major cybersecurity platform, is facing an outage. Many users across India, Japan, Canada, Australia and many other countries have been affected by the issue.

The Blue Screen of Death (BSOD), officially called a stop error by Microsoft, is a critical system error on Windows operating systems. It indicates a severe issue that requires an urgent fix. When a system hits a BSOD, all operations are halted to prevent further damage, often resulting in the loss of unsaved work. Despite seeming minor, the blue screen of death is a significant problem, ranked close to cyber issues like malware or ransomware.


Whenever a Windows system encounters a BSOD, the normal display is replaced by a blue screen with white text describing the error. A BSOD typically originates at the Windows kernel level and can be caused by hardware or software faults.

The Windows systems are experiencing BSODs because of a flawed update from CrowdStrike to its Falcon cybersecurity program, part of the Falcon suite that handles endpoint defense. There is currently no proper fix for the issue. A fix will likely come with another update from CrowdStrike and Microsoft, but that may take a while. There is, however, a manual fix circulating on the web, taken from a note that CrowdStrike issued to its users. The note says:

  • Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
  • Go to C:\Windows\System32\drivers\CrowdStrike
  • Locate and delete file matching “C-00000291*.sys”
  • Boot normally.

CrowdStrike Engineering has identified a content deployment update related to this issue that was pushed at 4:09 AM UTC and reverted those changes. As a result, hosts that booted up after 5:27 AM UTC should not experience any issues.

This issue is not impacting Mac- or Linux-based hosts. The steps above were the initial recommendation, but many customers reported problems booting into Safe Mode. The following steps should work universally, even if the system has no local Admin account and no internet connection.

  • Let the system boot up and crash three times; this brings up the recovery menu.
  • Click Troubleshoot
  • Click Advanced Options
  • Click Command Prompt

If your system is protected with BitLocker, you will need to enter your BitLocker Recovery Key.


In the command prompt window, type the following commands, each followed by the Enter key.

Warning: The command prompt starts at the X:\ drive. Do not forget to switch to C:\ by typing these commands exactly:

c:
cd windows
cd system32
cd drivers
cd crowdstrike
del C-00000291*
exit
Click Continue to boot into Windows.

Steps for public cloud or similar environments, including virtual machines

Option 1:

  • Detach the operating system disk volume from the impacted virtual server
  • Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  • Attach/mount the volume to a new virtual server
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Detach the volume from the new virtual server
  • Reattach the fixed volume to the impacted virtual server
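The file removal from the command-prompt steps and from Option 1, as a PowerShell script added here (not CrowdStrike's or the post author's code). It assumes PowerShell is available, i.e. the volume is mounted on a working rescue machine as in Option 1 or the host is in Safe Mode; the -Drive letter, the backup folder and the -WhatIf dry run are this example's own parameters.

```powershell
# Added example: remove the faulty Falcon channel file(s) from a Windows volume,
# backing each one up first. Not CrowdStrike's or the post's own script.
# Run as Administrator; add -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter of the affected Windows volume: C: on the host itself, or
    # whatever letter the detached disk received when mounted (e.g. F:).
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive,

    # Where to copy the files before deleting them (assumed location).
    [string]$BackupDir = (Join-Path $env:TEMP 'crowdstrike-channel-backup')
)

# Path and file pattern as given in CrowdStrike's remediation note.
$driverDir = Join-Path $Drive 'Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'

if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    throw "Falcon driver directory not found at $driverDir; is $Drive the Windows volume?"
}

$channelFiles = Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File
if (-not $channelFiles) {
    Write-Host "No files matching $pattern under $driverDir; nothing to do."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($file in $channelFiles) {
    # Report name, UTC timestamp and size so the removal can be correlated
    # with the 04:09 UTC push and 05:27 UTC revert mentioned above.
    Write-Host ("{0}  {1:u}  {2} bytes" -f $file.Name, $file.LastWriteTimeUtc, $file.Length)

    if ($PSCmdlet.ShouldProcess($file.FullName, "Back up to $BackupDir and delete")) {
        Copy-Item -LiteralPath $file.FullName -Destination $BackupDir -Force
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

Write-Host "Done. Backups are in $BackupDir. Reattach the volume / reboot the host normally."
```

The backup copy stands in for the snapshot precaution in Option 1 when a full disk snapshot is not available; the script only ever touches files under the CrowdStrike driver directory.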

Option 2:

  • Roll back to a snapshot taken before 04:09 UTC.

Steps for Azure via the Serial Console to get into Safe Mode:

  • Log in to the Azure console –> go to Virtual Machines –> select the VM.
  • In the upper left of the VM pane, click “Connect” –> “More ways to connect” –> “Serial Console”.
  • Once SAC has loaded, type cmd and press Enter.
  • Type ch -si 1 to switch to the new command channel.
  • Press any key (space bar) and enter Administrator credentials.
  • Type one of the following (minimal for plain Safe Mode, or network if Safe Mode needs network access):
    • bcdedit /set {current} safeboot minimal
    • bcdedit /set {current} safeboot network
  • Restart the VM.
