July 1, 2020
Few will have missed the largescale ransomware attack on 12th May 2017, particularly affecting the NHS, but disrupting operations at more than 100,000 organisations in 150 countries. If we didn’t yet fully comprehend the existing threat from ransomware, we now do – unfortunately.
The WannaCryptor ransomware, or ‘WannaCry’ is a highly virulent worm – and once a user is infected, it will spread rapidly across the internal network.
How WannaCry works
The malware exploits a Microsoft Windows vulnerability in the Microsoft Server Message Block (SMB) v1.0 protocol, compromising hosts and encrypting files – before then demanding a ransom payment in the form of Bitcoin. Once infected, the ransomware spreads laterally across the network by exploiting SMB file sharing protocol on TCP ports 139 and 445. The payload also has the capability to scan external IP ranges and further spread the infection.
Microsoft released a critical security patch, MS17-010, for this vulnerability in March 2017.
Given the severity and virulent nature of the malware, Microsoft has since released emergency patches for older (unsupported) operating systems like Windows XP.
https://www.microsoft.com/en-us/download/details.aspx?id=55247
Actions to protect against WannaCry
- Apply Microsoft Windows security update MS17-010
- Block connection to ports 139 and 445 on your firewall
- Block legacy protocols like SMBv1 on your local network, or firewall off SMB locally to vulnerable systems that can’t be patched.
Variants of WannaCry are already spreading. Initial variants were configured with a killswitch domain. We are already seeing newer versions without this killswitch domain.
Multi-layer security measures
Multiple layers of security measures are required to keep your organisation secure from the unfortunately ever-changing and un-relenting cyber threats. Your cohesive multi-layered approach is required to secure entry and exit points to the company network, including antivirus, content filtering, sandboxing
Reduce vulnerabilities
- Make a habit to update software patches regularly and often. The single best thing you can do to protect your networks against malware attacks, worms and ransomware is to patch known vulnerabilities.
- Patch management solutions can assist with this task over large networks. Endpoint device management solutions will aid the identification of vulnerable machines, or mobile devices.
- Regular vulnerability assessments (penetration tests) will quickly expose known vulnerabilities.
Educate staff
- Your security is only as reliable as its weakest link. Security-aware employees can be one of the most effective deterrents to malicious threats. However, many users do not understand the best practices regarding computer security.
Data back-up and disaster recovery
-
- It is always important to have resilient data back-up processes in place. Backups are best protected when they are maintained offline from the production environments, since ransomware viruses can corrupt backup copies, as well. Snapshots and replication can be vulnerable to time-delayed ransomware attacks.
Life after WannaCry
As we have seen, there are sizable challenges facing organisations going forward. The threat to significant business disruption are unfortunately very real.
Wider assessment of cyber security systems, processes and policies within the organisation will frame your existing state of readiness, as well as providing a roadmap to improve security posture – and avoid potentially damaging attack from new and evolving threats.
A long-term vision is required to protect an organisation’s continued prosperity. New threats will emerge and an effective security framework is required to keep pace with different criminal hacking activities.