The WannaCry Ransomware Attack

On May 12, hackers launched a global ransomware attack that exploits a known Microsoft Windows vulnerability, “EternalBlue,” for which Microsoft issued patch MS17-010 in March of this year. The WannaCry ransomware worm was originally triggered by a phishing exercise that fooled email recipients into clicking a link that launched the attack. The WannaCry worm encrypts the contents of an infected computer and displays a message demanding that the affected organization pay a ransom to regain access to its systems and data. The worm then spreads throughout a network of linked PCs and servers to distribute the infection more broadly.

The initial release of the attack was stopped (after 123,000 computers were affected in 99 countries) by security researchers, who registered a domain that the malware checks before the infection starts. Unfortunately, hackers can still modify the attack to remove this kill switch and resume the attack. The second component of the attack is the exploit itself, which searches for unpatched or vulnerable system components into which it can embed itself.

What’s more troubling is that WannaCry relies on an exploit that was stolen from the NSA to propagate the attack. This vulnerability was leaked as part of the Shadow Brokers hack of the NSA earlier this year.

Even Trusted Organizations are Vulnerable to Attack

  • FedEx systems were hit, affecting package sorting operations and resulting in delivery delays.
  • Britain’s National Institute of Health was attacked, resulting in many hospitals turning away patients all over England.

Tips to Protect Your Organization from Cyberattacks

  • Scan your Environment for the MS17-010 Vulnerability. Although Microsoft released patch MS17-010 on March 14th, it only addressed the vulnerability in currently supported Windows operating systems. It is estimated that as many as 7% of all PCs are still running an unsupported and most likely vulnerable Windows OS such as Windows XP. Microsoft has since released an emergency patch to address the WannaCry vulnerability in these unsupported operating systems.
    • Use a trusted vulnerability scanner to assess whether your systems and devices are currently at risk.
    • Encrypted files are given the .wncry extension, and the malware drops a ransom notification named @Please_Read_Me@.txt in common file and folder locations. Scan for the .wncry file extension as well, and develop a plan to remove it.
  • Maintain Systems and Services. Keep your systems and services current with the latest OS and firmware patches and upgrades, particularly those rated CRITICAL and HIGH. Develop a standard for system maintenance that includes testing patches and upgrades in a test environment. If the patch or upgrade doesn’t “break” your functionality in the test environment, schedule the upgrade in production following your organization’s change management guidelines.
    • Most, if not all, of the leading firewall, anti-malware and anti-virus vendors have already released signatures to defend against this attack, and more vendors will be releasing updates to address it. DO NOT IGNORE these releases. If your systems are not set to update automatically, run the manual update today! Don’t wait!
  • Invest in a network firewall – If you are a small business and your PCs are connected directly to the Internet, purchase a firewall and have a trained security technician install and configure it.
    • Maintaining an appropriately updated and patched firewall is essential for good network security.
  • Segment Your Network to divide users and machines onto separate virtual networks (VLANs). Beyond limiting the spread of malware, segmentation lets your maintenance protocols prioritize patching and upgrades for your border, server and user zones ahead of less critical VLANs.
    • Inter-VLAN traffic should pass through an Intrusion Detection System (IDS), which will send alerts to whoever is monitoring your cybersecurity defenses. If adding an Intrusion Prevention System (IPS) is financially feasible, it can automatically block the spread of an infection.
  • Monitor your Security Controls – Organizations with a sound security strategy have an engaged management team that is aware of their security posture and risks. Those organizations also know they need to dedicate sufficient resources to continuously monitor their security controls to detect potential breaches and other security incidents.
  • SCS offers a managed security service in which we deploy a security monitoring system in your network that feeds alerts back to our 24x7x365 Security Operations Center, allowing us to respond quickly and avoid detrimental impact. Our continuously updated Indicators of Compromise database keeps us in the know, so we can detect threats like WannaCry in real time as they enter your network.
  • We provide reports and dashboards to ensure organizational understanding of current security status and potential threats.
  • SCS provides supplemental security advisory services to help you develop a multi-layered cybersecurity strategy, designed to protect your critical assets.
  • Protect Data with a well-tested Backup Strategy – Restoring from backup can be cumbersome. However, if the ransomware has affected some data prior to discovery, restoring from backup may be your only option.
    • Whether you are planning to restore from backup files or you are cutting over to a live DR environment, TEST, TEST, TEST your backup restoration function.
      • The general rule of thumb should be to TEST all systems and services at least annually.
      • For more critical systems, you may want to TEST those backup functions more frequently. This should be a risk-based decision made in consultation with the organization’s executive management team. Testing can be costly, but the peace of mind afforded by the assurance that your organization can withstand and bounce back from a significant cyber-attack may be worth the cost.
    • Develop Incident Response (IR) and Disaster Recovery (DR) Plans – Is your team prepared to deal with cyberattacks? Detailed IR and DR Plans prescribe specific processes for responding to all forms of attack.
      • Once you develop these Plans, you should test them with your Response teams. IR and DR Plans are living documents, so don’t be afraid to make adjustments to improve your processes.
    • Principle of Least Privilege – Minimize access to critical data and systems to only those individuals who must access them to perform their responsibilities.
    • Whitelist approved software – prevent everything else from running.
    • Lock down PC, Server, Security and Network Configurations – Follow the hardening configuration standards for the various operating systems as far as you can while keeping system functionality enabled, so that malware cannot take hold. Some of our favorites include:
    • Train Your Users – All organizations should train their users on cybersecurity threats and risks, and on what they should do to mitigate those risks. The initial attack vector for WannaCry was a phishing attack designed to get email recipients to click a .zip file that triggers the infection.
      • User behavior is probably the largest threat to your organization, because users are susceptible to fraud and prone to mistakes.
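As an added example for the inter-VLAN IDS point above (not code from the original post or from SCS), the following detection logic runs over constructed connection records and flags a host that opens SMB sessions on TCP 445, the service EternalBlue targets, to many distinct hosts in other VLANs within a short window: the fan-out a worm produces while hunting for unpatched MS17-010 machines. The log format, the one-/24-per-VLAN rule, the window and the threshold are assumptions of this example, not anything the post specifies.

```python
"""Flag hosts that open SMB (TCP/445) sessions to many distinct peers across VLANs
in a short window, the fan-out of a worm scanning for unpatched MS17-010 targets."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inter-VLAN connection log (not real traffic): "<ISO time> <src> <dst> <dst port>".
SAMPLE_LOG = "\n".join(
    [  # benign: one user PC talking to a single file server, plus one HTTPS flow
        "2017-05-12T10:00:05 10.10.20.40 10.10.30.5 445",
        "2017-05-12T10:00:20 10.10.20.40 10.10.30.5 445",
        "2017-05-12T10:00:25 10.10.20.40 10.10.30.7 443",
    ]
    # worm-like: one PC probing twelve server-VLAN hosts on 445 within 12 seconds
    + [f"2017-05-12T10:01:{i:02d} 10.10.20.15 10.10.30.{i} 445" for i in range(1, 13)]
)

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def same_vlan(a, b):
    """Assumption for this example: each VLAN is a /24, so compare the first three octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def detect_smb_fanout(records, window_seconds=60, threshold=10):
    """Return {src: peak distinct SMB destinations} for every source that reached
    `threshold` distinct cross-VLAN hosts on port 445 inside any sliding window."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(records):
        if port != 445 or same_vlan(src, dst):
            continue  # only cross-VLAN SMB traffic is visible to an inter-VLAN IDS
        window = recent[src]
        window.append((ts, dst))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()  # drop connections older than the window
        distinct = len({d for _, d in window})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} opened SMB sessions to {peers} distinct cross-VLAN hosts")
```

On the constructed sample only 10.10.20.15 is flagged; the user PC that repeatedly reaches one file server stays below the threshold, which is the distinction an IDS rule needs to avoid alerting on normal file-share use.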

If you need help tightening your defenses against all manner of cyber threats, contact us at Secure Compliance Solutions. We can help.

Secure Compliance Solutions LLC provides a wide range of CISO Advisory consulting services to build or strengthen your Information Security and Data Privacy programs, based on industry-tested frameworks and standards. SCS applies its experience and subject matter expertise to help our customers wade through the complex specifications associated with information security requirements, so they can focus on their core businesses.