The technology world was rocked late last week with the arrival of the “WannaCry” malware payload. “WannaCry” is ransomware: it encrypts files with strong encryption, and then notifies the victim that they can “recover” their files for a payment using Bitcoin (which is an extremely difficult-to-track blockchain-based payment system). While the New York Times has reported that victims in nearly 100 countries have been affected so far by this fast-moving malware, the most significant impact so far has been identified within the U.K.’s National Health Service (NHS), which was forced to reallocate patients to unaffected facilities due to the “WannaCry” outbreak.
What makes “WannaCry” particularly malicious is the fact that it bundles ransomware functionality with computer worm functionality: it tries to propagate itself to other systems. The attack vector that this malware uses is a relatively recent vulnerability discovered within nearly all recent versions of Microsoft Windows (see Microsoft Security Bulletin MS17-010). Although Microsoft released a patch to fix this vulnerability for current Windows versions back in mid-March, it’s clear that many organizations have not yet applied it nearly two months later, facilitating its rapid spread. Microsoft itself, recognizing the criticality of this exploit, on Friday took the extraordinary step of issuing a supplemental patch for versions of Windows that are no longer supported by the company, including Windows XP and Windows 8.
While the ramifications of this massive malware outbreak are not yet fully known, one thing that is known is how to minimize the risk of becoming its next victim. Mitigating the effects of ransomware (not to mention computer worms that try to propagate that ransomware) is not as difficult as you might think. If you implement the following steps, your risk of falling victim to this extortion is massively reduced:
- Patch, patch, and patch some more. It’s very telling that, although Microsoft issued a patch for the attack vector exploited by “WannaCry” to propagate itself almost two months ago, many organizations have clearly not yet applied it. Vendors issue “critical”-level patches for a reason; it’s the responsibility of information security and I.T. personnel to evaluate the impact of these patches and deploy them as quickly as possible. By far, the most effective way to do this is through an automated patch solution. While SOCVue from EiQ Networks includes integrated patch management, even if you’re not using our product, at a minimum you need to have a manual process in place to deploy critical patches as quickly as possible – and preferably within 1-2 weeks of availability.
- Maintain continuous vulnerability detection. Deploying patches is one thing, but knowing all of the potential points of ingress for ransomware and other malware into your environment is just as important. Vulnerability detection – such as the integrated, continuous vulnerability management capabilities found in SOCVue – is critical to not only determining which systems are missing patches and have known code-related vulnerabilities, but is also vital to ensure that systems are not misconfigured in a way that allows them to be easily exploited.
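The first two recommendations (deploy critical patches promptly, and know which systems are still missing them) can be checked from a single administrative workstation. The following PowerShell script is an added example, not code from the post or from EiQ Networks: it asks each host for its installed hotfixes and reports whether any of the MS17-010 packages is present. It assumes WinRM/RPC access to the target hosts, and the KB list is recalled from the MS17-010 bulletin rather than taken from the post; verify it against the bulletin before acting on the output.

```powershell
# Added example (not from the post): report which hosts show none of the
# MS17-010 fixes that WannaCry's propagation exploits.
# Assumptions: remote hosts allow Get-HotFix (RPC/WinRM); the KB list below is
# recalled from the MS17-010 bulletin and should be checked against it.
param(
    [string[]]$ComputerName = @('localhost'),
    [string[]]$Ms17010Kbs = @(
        'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',              # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607 (and Server 2016)
        'KB4012598'                            # Vista / 2008 and the out-of-band XP / 2003 / Windows 8 package
    )
)

$results = foreach ($c in $ComputerName) {
    try {
        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
        $found = @($Ms17010Kbs | Where-Object { $_ -in $installed })
        # A host on a later cumulative update can be patched yet list none of
        # these KBs, so "missing" means "confirm with a vulnerability scan",
        # not "definitely exposed".
        if ($found.Count -gt 0) { $status = 'patched' } else { $status = 'MISSING - verify' }
        [pscustomobject]@{
            ComputerName = $c
            Ms17010Kb    = ($found -join ',')
            Status       = $status
        }
    } catch {
        [pscustomobject]@{
            ComputerName = $c
            Ms17010Kb    = ''
            Status       = "unreachable: $($_.Exception.Message)"
        }
    }
}

# Usage: .\Check-Ms17010.ps1 -ComputerName ws01, ws02, fs01
$results | Sort-Object Status | Format-Table -AutoSize
```

Get-HotFix only reports operating-system updates that register as QFEs, which is why the script treats a missing KB as a prompt for the continuous vulnerability detection the second bullet describes rather than as proof of exposure.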
- Update your endpoint security software. It will only be a matter of time (likely within the next few days) until most major anti-virus and malware detection product vendors have updated their signatures to detect “WannaCry” and its variants. It’s critical that organizations ensure that they are fully deploying the latest and most up-to-date detection mechanisms available for their malware mitigation product, regardless of whether it’s a traditional anti-virus platform or a more advanced endpoint detection and remediation (EDR)-type solution.
- Make sure you have frequent, isolated backups. Recovering from a successful ransomware attack is, in principle, simple: after the ransomware is detected and removed, restore recent backups. However, it’s telling that, in many cases, backups aren’t as prevalent as they should be. Not only should backups include critical files, but they should also be isolated, meaning that they should not be online and accessible at any time by a user without additional authentication being required. Why is that? Because if the ransomware can encrypt the “live” files on your “C:” drive (for example), and your backup is simply a file copy to your “E:” drive which is accessible by you at any time, then the ransomware has access to those files, too. Proper backups should be offsite (there are countless quality cloud backup solutions today that can facilitate this for you), and should require you to provide authentication to access those files (and preferably, multifactor authentication). Most importantly, those backups need to be frequent. A successful ransomware attack will effectively require you to rebuild (hopefully by simply restoring) your data from scratch.
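The “E:” drive point above is about reachability: a backup target that the logged-on user can write to at any time is just another set of files for the ransomware to encrypt. The PowerShell script below is an added example, not code from the post or from EiQ Networks, showing one way to keep a backup target isolated on a Windows host: the share is refused if it is persistently mapped, attached only for the duration of the job under a dedicated backup account, written to a fresh dated folder, and detached again. The share `\\backup01\vault`, the source folder `C:\Data` and the credential file path are hypothetical.

```powershell
# Added example (not from the post): back up a folder to a share that is only
# connected, under a separate backup identity, for the duration of the job.
# Assumptions: \\backup01\vault, C:\Data and the credential file are
# hypothetical. The credential file is created once on this machine with
#   Get-Credential | Export-Clixml C:\ProgramData\backup\writer.cred
# (Export-Clixml protects the password with DPAPI for the saving user).
param(
    [string]$Source         = 'C:\Data',
    [string]$BackupRoot     = '\\backup01\vault',
    [string]$CredentialFile = 'C:\ProgramData\backup\writer.cred'
)

# Refuse to run if the backup share is already mapped for the interactive user:
# a persistently mapped drive is exactly what ransomware running as that user
# would encrypt along with the live data.
$mapped = Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like "$BackupRoot*" }
if ($mapped) {
    throw "Backup share is persistently mapped as $($mapped.LocalPath); remove that mapping so backups stay isolated."
}

$cred  = Import-Clixml -Path $CredentialFile
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = "BK:\$env:COMPUTERNAME\$stamp"

# Temporary, non-persistent PowerShell drive under the backup account's identity.
# It is visible only to this session and disappears when removed below.
New-PSDrive -Name BK -PSProvider FileSystem -Root $BackupRoot -Credential $cred -Scope Script | Out-Null
try {
    # A dated folder per run keeps earlier, known-good generations intact
    # instead of overwriting a single copy in place.
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $dest -Recurse -Force
    $count = (Get-ChildItem -Path $dest -Recurse -File | Measure-Object).Count
    Write-Output "Backup of $Source written to $BackupRoot\$env:COMPUTERNAME\$stamp ($count files)"
} finally {
    # Detach so nothing on this host can reach the backups until the next run.
    Remove-PSDrive -Name BK -Force
}
```

Run it from a scheduled task under the backup account rather than from an interactive session; for large data sets a production job would use a proper backup agent or Volume Shadow Copy instead of Copy-Item, but the isolation pattern (no standing mapping, separate credentials, write-once dated generations, detach when done) is the part the post is asking for.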
- Make sure you’re not blocking the sinkhole URL. The “WannaCry” ransomware package has an unusual attribute: it contains a URL to a domain and page that, if the malware finds it reachable, prevents it from spreading. This was discovered by a researcher whose pseudonym is “MalwareTech”, and the URL is:
“MalwareTech” purchased this domain and turned it into a sinkhole, massively reducing the further spread of this ransomware outbreak. Nobody exactly knows why this back door was built into “WannaCry”, but I.T. and information security personnel should ensure that this URL is not blocked (i.e., whitelisted) by their web proxies and other application-layer technologies.
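A quick way to confirm from an ordinary workstation that the sinkhole domain is neither blackholed in DNS nor blocked by the web proxy is shown below. This is an added example, not code from the post or from EiQ Networks; the URL placeholder must be replaced with the one the post quotes, and the script uses whatever proxy the system is configured with. It tests the path that browser-like tooling takes: a failure here is a definite problem, while a success is necessary but not on its own proof that the malware’s own check would succeed.

```powershell
# Added example (not from the post): check that the sinkhole domain resolves
# and that an HTTP request to it is answered rather than blocked.
# Assumption: $SinkholeUrl is filled in from the post; the placeholder below
# is not a real domain.
param(
    [string]$SinkholeUrl = 'http://<sinkhole-domain-from-the-post>/'
)

$hostName = ([uri]$SinkholeUrl).Host

# 1. DNS: an internal blackhole or missing record makes the check fail outright.
try {
    $addrs = (Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop).IPAddress -join ', '
    Write-Output "DNS : $hostName -> $addrs"
} catch {
    Write-Output "DNS : $hostName does not resolve ($($_.Exception.Message))"
}

# 2. HTTP through the configured proxy: a block page typically shows up as a
#    403/407 or as a connection error caught below.
try {
    $r = Invoke-WebRequest -Uri $SinkholeUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
    Write-Output "HTTP: $($r.StatusCode) $($r.StatusDescription) (reachable)"
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    if ($code) {
        Write-Output "HTTP: status $code - check proxy category/allow list for $hostName"
    } else {
        Write-Output "HTTP: no response ($($_.Exception.Message)) - check proxy and egress rules"
    }
}
```

Run it from a workstation in each network segment that has its own proxy or DNS policy, since an allow-list entry on one proxy says nothing about the others.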
- Access control is the elephant in the room. Of course, what allows ransomware like “WannaCry” to be so successful in the first place can often be traced back to over-permissive access. Many I.T. organizations allow users to log on to their workstations with highly-privileged local administrator rights, and those users often have write access to shared network drives where critical data resides. Ransomware, like any malware, runs in the context of the user who is logged onto the system. If your users have full access to lots of network shares, critical local directories (think “C:\Program Files”) and other file systems, all of those files are at a high level of risk in the event of a ransomware attack. It is incumbent on I.T. and security teams to ensure that users only have access – and specifically, write access – to those files and directories that are needed to do their jobs.
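The two conditions this bullet singles out, users running as local administrators and broad write access to shared data, can both be audited from PowerShell. The script below is an added example, not code from the post or from EiQ Networks: it reports whether the current user holds the local Administrator role, then lists every Allow ACE on the given folders that grants write, modify or full control to a broad group (Everyone, Users, Authenticated Users, Domain Users). The folder list is illustrative; point it at your real shares and the local directories the post mentions.

```powershell
# Added example (not from the post): audit ransomware blast radius on a host.
# Part 1: is the interactive user a local administrator?
# Part 2: which folders let broad groups change file contents?
# Assumption: the default paths are illustrative, not from the post.
param(
    [string[]]$Path = @('\\fileserver\shared', 'C:\Program Files')
)

# Part 1: local administrator check for the user running the script.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("{0} holds local Administrator role: {1}" -f $identity.Name, $isAdmin)

# Part 2: rights that permit changing file contents. Any Allow ACE carrying
# one of these bits for a broad group means ransomware running as an ordinary
# user can encrypt everything underneath.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$broadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.*\\Domain Users)$'

foreach ($p in $Path) {
    if (-not (Test-Path -Path $p)) {
        Write-Warning "Skipping $p (not reachable)"
        continue
    }
    (Get-Acl -Path $p).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match $broadGroups -and
            ([int]$_.FileSystemRights -band [int]$writeBits) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $p
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
```

Get-Acl reads the NTFS permissions of the folder; on a file server the share-level permissions (Get-SmbShareAccess) must be reviewed as well, since the effective access is the more restrictive of the two. An empty Part 2 result for a path means no broad group can write there, which is the state the post is asking for on anything a user does not need to change.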