Making Sense of the WannaCry Attack
Over the past few days, news agencies around the world started reporting on WannaCry ransomware (WCR), aka WanaCrypt0r 2.0. It’s estimated that WCR has already affected more than 75,000 users in 150 countries, ranging from hospitals, businesses, governments, railways, and universities to home computer users. As of today, more than 200,000 systems are believed to be compromised. Although the attack was slowed by a 22-year-old UK security researcher who registered a domain name associated with the ransomware, experts warn that there are other variants of the malware that will continue to spread.
In an interview with NPR’s David Greene, Delta Risk executive chairman and former Homeland Security secretary, Michael Chertoff, explained how a lack of upgrades and patches to Windows systems led to this outbreak.
Are You at Risk?
We at Delta Risk continue to monitor this situation closely, and we’ve configured our monitoring systems to look for the latest indicators of compromise on behalf of our clients.
Here are a few things you can do in the meantime to protect your organization:
- Patch, Patch, and Patch Some More. If your environment will allow it, install the official patch (MS17-010) from Microsoft which closes the affected SMB Server vulnerability used in this attack. We recommend enacting your emergency change management process in this situation. If you are running on XP, you’re in luck, as Microsoft just issued an unusual out-of-band patch for the SMB vulnerability in Windows XP, Server 2003, and some early unsupported variants of Windows 8. If you’re running XP on a medical device, you’ll need to work with your vendors for a patch.
- Enable Endpoint Security. Make sure that all hosts have enabled endpoint security solutions. While there are many good solutions in the marketplace, two to check out are Carbon Black and Cisco Umbrella. Using Carbon Black, you can ban the hash of the WCR files so they are disabled from even running on the system. Leveraging Cisco Umbrella, you can intercept and block the malware calling out to download it’s second stage protocols and block its command and control network.
- Reemphasize Cyber Hygiene. Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering. After all, phishing was the main vector for this attack. Make sure you diligently practice the programmatic basics, including limiting admin accounts to least necessary and performing regular vulnerability scanning. Enlist in ongoing training courses to keep your staff up to speed on the latest skills they need to develop.
- Check Your Backups. The best defense against ransomware is a reliable backup scheme. Off-network backups are highly preferred given that ransomware can spread through your network and encrypt your primary, on-network backups.
- Validate Incident Response and Business Continuity Plans. Now is the perfect time to review, test, and update your incident response (IR) and business continuity (BC) plans. Don’t have an IR or BC plan in place? We can help you create and establish a plan that aligns with your business needs.
- Confirm Your Remote Desktop Protocol Settings. Remote Desktop Protocol (RDP) is an attack vector that is apparently also being used by WCR. Review the operational needs and risks of keeping RDP turned on. Highly consider turning off any Internet-facing RDP or at a minimum, require two-factor authentication.
Summary
On Sunday, Microsoft President and Chief Legal Officer Brad Smith advised national and international governments to “treat this attack as a wake-up call” to stop stockpiling software vulnerabilities and prioritize cyber security as a “shared responsibility between tech companies and customers.” Considering the severity and speed of the WCR attack, it’s critical that you update your information and immediately apply security updates to all your systems and environments.
If you are a Delta Risk client and our staff detects WCR, we will contact you via established emergency notification protocols. If you aren’t sure what those protocols are, or would like to review and refresh those protocols with us, we’d be more than happy to do that anytime using our hotline 1-855-333-6006. To learn more about ransomware and additional recommendations, particularly for healthcare companies, download our free e-guide, What You Need to Know About Ransomware & HIPAA Compliance.