The WannaCry Ransom Attack
Earlier this month, hackers exploited a vulnerability in older Microsoft Windows servers to execute a global cyberattack using ransomware (malicious software that holds your computer’s files hostage for ransom) together with EternalBlue, a hacking tool stolen from the U.S. National Security Agency (NSA). EternalBlue is a network tool that can automatically spread itself across the Internet, scanning for vulnerable systems as it goes. The attackers used this tool primarily to target older Windows systems (including XP, Windows 8, and Windows Server 2003) that were no longer being supported with security patches, but many newer Windows machines were also affected.
This massive attack known as WannaCry completely locked victims out of their PCs. Victims then received ransom messages from the attackers that promised to restore each owner’s access if the owner paid $300 in the digital currency Bitcoin. If an owner refused to pay, the attackers threatened to destroy that owner’s files. The attack was reported to have infected more than 230,000 computers in over 150 countries, including 40 National Health Service trusts in the UK. While the initial attack has been contained, experts worry that the next wave of ransomware attacks could be even worse. Is your organization ready?
In this post, I will lay out common sense steps that organizations should take to protect themselves, as well as strategic security principles to guide you going forward.
What You Need to Do Right Now about WannaCry
If the worst has happened and WannaCry attackers have already locked your data, there are now free tools available to help you decrypt it (such as the EaseUs tool found here). If you have not yet taken action to secure your systems from the existing WannaCry cryptoworm, here are the specific steps you should take:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability.
- Perform a detailed vulnerability scan of all systems on your network and apply missing patches immediately.
- Limit traffic to and from ports 139 and 445 to the internal network only, and monitor traffic to these ports for unusual behavior.
- Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching your end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. I recommend Norton and Sophos.
- Manage the use of privileged accounts. Implement the principle of least privilege—no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary. Configure access controls (including file, directory, and network share permissions) with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
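As an added example (not part of the original post), here is a small Python check for the port 139/445 rule above: it reads constructed firewall log lines, flags SMB connections that cross the internal-network boundary, and flags internal hosts fanning out to many SMB peers, the pattern a cryptoworm like WannaCry leaves behind. The internal address ranges, the log line format and the fan-out threshold are assumptions.

```python
"""Check SMB (TCP 139/445) traffic for boundary violations and worm-like fan-out."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # assumed internal ranges
FANOUT_THRESHOLD = 5  # distinct SMB peers per source before we call it scanning

# Constructed firewall log lines (not from any real device): ts src dst dport action
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=203.0.113.7 dst=10.0.5.20 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.5.20 dst=10.0.5.21 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.5.20 dst=10.0.5.22 dport=445 action=allow
2017-05-12T10:00:03 src=10.0.5.20 dst=10.0.5.23 dport=445 action=allow
2017-05-12T10:00:03 src=10.0.5.20 dst=10.0.5.24 dport=139 action=allow
2017-05-12T10:00:04 src=10.0.5.20 dst=10.0.5.25 dport=445 action=allow
2017-05-12T10:00:05 src=10.0.5.30 dst=10.0.5.40 dport=445 action=allow
2017-05-12T10:00:06 src=10.0.5.31 dst=198.51.100.9 dport=445 action=allow
2017-05-12T10:00:07 src=10.0.5.32 dst=10.0.5.40 dport=443 action=allow
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields

def analyze(log_text: str) -> dict:
    """Return SMB flows crossing the network boundary and sources fanning out to many peers."""
    violations, peers = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["dport"] not in SMB_PORTS:
            continue  # only SMB/NetBIOS ports matter for this rule
        if not (is_internal(ev["src"]) and is_internal(ev["dst"])):
            violations.append((ev["ts"], ev["src"], ev["dst"], ev["dport"]))
        elif ev["action"] == "allow":
            peers[ev["src"]].add(ev["dst"])  # count distinct internal SMB peers
    scanners = sorted(s for s, d in peers.items() if len(d) >= FANOUT_THRESHOLD)
    return {"boundary_violations": violations, "fanout_sources": scanners}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample data the inbound connection from 203.0.113.7 and the outbound one to 198.51.100.9 are reported as boundary violations, and 10.0.5.20 is reported for touching five distinct SMB peers in a few seconds.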
The Long-Term Implications of WannaCry and Ransomware
While the aforementioned steps will help protect your systems from ransomware and other malware attacks, we do not know what the next major attack will look like. Even the latest patches and security products will only block old and known variants of malware like WannaCry, and new variants appear all the time. Making matters worse, some variants of ransomware can enter your systems via your RAM or firmware in order to avoid antivirus detection. With this in mind, here are strategic best practices to keep your organization safe.
Back Up Your Data
Having reliable backups is essential for business continuity, especially if you work with PHI or other sensitive healthcare data. In some ransomware attacks, criminals will delete your files even if you pay their ransom. Reliable backups will also protect you from nonsecurity disruptions like unexpected damage to a data center.
As you back up your data, be sure to create frequent backups to several disconnected servers; this will protect you from malware that spreads across networks. It is also important to regularly test the integrity of your backup data to ensure it will meet your needs after you restore it. Finally, I recommend you set up an enterprise endpoint backup tool to protect individual user data on their laptops and workstations.
Identify Sensitive Systems and Potential Vulnerabilities
You might not be able to predict the next major attack, but you can prepare your systems by finding and protecting potential weak spots. For example, identify any of your users’ storage locations that are inherently vulnerable, such as file shares. It is also important to monitor the integrity of your module, as this has become a popular attack surface for cyber criminals.
As you examine how data flows throughout your network, be sure to evaluate the potential business impact of that data being stolen or encrypted by a cyberattack. If certain data or systems are especially critical to your business, adjust your recovery point objectives to back up these systems more frequently.
Have a Dedicated Security Team
As your organization grows, the stakes of your information security will continue to elevate. The best way to stay ahead of cyberattacks is to create a dedicated security team ready to manage any crisis you face. Ideally, this team would include an applications expert, a network security engineer, and an analyst who can keep up with the latest data security trends.
Once you have this team in place, it is also smart to align this information security team with your IT disaster recovery team and network team in order to develop a cross-department plan to respond to security incidents like the WannaCry attack. This cross-department plan should focus on making you resilient to attacks, not just preventing them altogether.
Get Smart on Ransomware with the Latest Security Information
Now that Verizon has released its yearly Data Breach Investigations Report, we have a host of new information about the security breaches that could lead to your data being compromised. However, this lengthy report is only one part of the information security puzzle. In my upcoming webinar on July 12, I will discuss the long-term implications of the WannaCry attack as well as best practices to help your organization protect itself from ransomware and other cyberattacks.
Learning from WannaCry – The Long-Term Implications
- Presenter: Ulf Mattsson, CTO, Atlantic BT Security
- Duration: 60 min
- Date & Time: July 12, 2017, 12:00 pm EST
UPDATE: Watch my other recorded webinar, Learning from the Verizon 2017 Data Breach Investigations Report.