Simple Strategies That Could Prevent WannaCry Ransomware Attack
By now you’ve probably heard of “WannaCry,” one of the largest-ever worldwide cyberattacks, which hit industries ranging from banking to hospitals in more than 150 countries.
While the number of people and systems impacted is staggering, the attack followed tried-and-true hacking methods: a legitimate-looking phishing email tricks a user into opening an infected attachment or downloading malware from an infected website. The malicious software exploits a vulnerability and gives the attacker control of the system, resulting in the installation of WannaCry. Finally, WannaCry encrypts key files, scans for other vulnerable systems it can infect, and leaves behind the ransom message: “Pay us $300 in bitcoin to decrypt your files.”
Individual consumers and nonbusiness users should check the following:
- For Windows PCs and tablets, verify that Automatic Updates is turned on
- Verify that antivirus software has been updated with the latest definition files
How WannaCry works and how to assess your vulnerability
Vulnerable systems were initially attacked through an unpatched and exploitable vulnerability (MS17-010) in the Microsoft Server Message Block (SMB) service. The WannaCry malware that attacks systems and encrypts files is introduced into networks in one of the following ways:
- An email phishing message results in users opening an infected attachment or downloading malware from an infected website.
- A user browsing the internet visits an “infected” web page, which tries to download and execute the malware on their PC.
- A mobile device (laptop or tablet running an MS operating system) was used outside an organization’s firewall where the device is NOT running personal firewall software and is missing the patch for MS17-010. The infection spreads when the infected device is reconnected to the internal network.
- Internal network systems (usually servers) are exposed to the internet through the firewall with service port 445 and/or 139 open.
Once that initial device is compromised, the malware is programmed to probe for other systems on the same local area network (LAN) that are missing the MS17-010 patch.
At a very high level, the most important factor in mitigating exposure is to ensure that all Microsoft systems have the security patch for MS17-010 installed.
Your network may be vulnerable if you have not installed the patch and one of the following occurs:
- Personnel fall for a phishing attack or visit an infected website (i.e., a “drive-by-download”)
- Laptops or mobile devices used outside the organization become compromised and are then connected to your internal network (via VPN or LAN)
- Your internal systems are exposed to the internet through a firewall via port 445
The Windows 10 operating system is generally not vulnerable because Microsoft Automatic Updates are turned on by default. In this case the patch for MS17-010 was applied when available. But if the automatic feature was turned off or not functioning properly, Windows 10 may in fact be at risk.
There are many additional technical details that your chief technology officer or IT administrator should be aware of to mitigate exposure. To find that set of instructions, visit the SANS Internet Storm Center and the U.S. Computer Emergency Readiness Team.
Many of the strategies that help minimize and mitigate exposure to WannaCry are also good overall strategies for reducing your hacking risk.
Perform security updates and patching
After verifying that all your Windows operating systems are updated and patched for MS17-010, check to see that your patch is working with a tool that is independent of the patch management software. These tools (e.g., Nessus, Rapid7, Qualys) help ensure that patches are properly applied and functioning.
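As an added example (not part of the original article), the PowerShell below reports which hosts show no MS17-010 hotfix, querying each machine directly rather than trusting the patch-management console. It assumes WMI/WinRM access to the hosts, a constructed host list, and that the KB list is confirmed against the MS17-010 bulletin for the OS versions you run.

```powershell
# Added example: independent MS17-010 presence check across a host list.
# Assumption: the KB IDs below are those published in the MS17-010 bulletin;
# confirm them against the bulletin for each OS version in your estate.
$ms17010Kbs = @(
    'KB4012598',                           # Windows XP / 8 / Server 2003 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative
)

# Constructed host list; replace with your own inventory source.
$hosts = @('WS-FINANCE-01', 'WS-HR-07', 'FILESRV-02')

$report = foreach ($h in $hosts) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target host.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $found = $installed | Where-Object { $ms17010Kbs -contains $_ }
        [pscustomobject]@{
            Host      = $h
            Patched   = [bool]$found
            MatchedKB = ($found -join ',')
            Note      = if ($found) { '' } else { 'No MS17-010 KB seen; confirm cumulative update level' }
        }
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        [pscustomobject]@{
            Host      = $h
            Patched   = $null
            MatchedKB = ''
            Note      = "Query failed: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Patched | Format-Table -AutoSize
```

On Windows 10 a later cumulative update supersedes the March 2017 KB, so a host with none of these IDs is flagged for review rather than declared unpatched.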
Your network configuration is also a critical consideration.
- Ensure that your firewall blocks ports 445 and 139, and that Microsoft SMB service is not exposed to the internet.
- Make sure the “kill switch” domain is accessible from your network without a proxy.
- Make sure Microsoft Windows systems are running up-to-date antivirus software.
- Consider disabling SMB v1 on Microsoft operating systems.
- Consider deploying registry key inoculation (tearst0pper) referenced in the SANS Storm Center advisory message.
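The following PowerShell is an added example, not from the original article or the SANS advisory, covering the network-configuration checks above on a Windows 8.1/10 or Server 2012 R2 (or later) host: it audits SMBv1 and listening SMB ports, disables SMBv1, blocks inbound 445/139 on the Public profile, and tests direct reachability of the kill-switch domain. It assumes an elevated session, and the kill-switch hostname is a placeholder to be filled in from the advisory, since the page does not give it.

```powershell
# Added example: audit and harden SMB exposure on one host. Run elevated.
# Assumption: placeholder hostname; take the real value from the SANS ISC advisory.
$killSwitchHost = 'KILL-SWITCH-DOMAIN-FROM-ADVISORY'

# 1. Is SMBv1 still enabled on the server side of this host?
$smb = Get-SmbServerConfiguration
"SMBv1 enabled: $($smb.EnableSMB1Protocol)"

# 2. What is listening on the SMB/NetBIOS ports that the firewall should shield?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 445, 139 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Disable SMBv1. The optional-feature removal applies to Windows 8.1/10
#    clients; on Server editions use Remove-WindowsFeature FS-SMB1 instead.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 4. Block inbound TCP 445/139 on the Public profile, which is the profile a
#    laptop lands on when used outside the organization's firewall. The Domain
#    profile is left to your file-share policy. The rule is created once.
$ruleName = 'Block inbound SMB (WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445, 139 -Action Block -Profile Public | Out-Null
}

# 5. Confirm the kill-switch domain resolves and answers on port 80 directly
#    from this host (the check the article calls for is one made without a proxy).
Test-NetConnection -ComputerName $killSwitchHost -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

A reboot is required before the SMB1Protocol feature removal takes effect; the Set-SmbServerConfiguration change applies immediately.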
Raise phishing awareness
Malware typically needs a helper to do its job. That means an employee opens an infected attachment or visits an infected site. Educate users on phishing scenarios, and consider internal phishing “tests” to gauge employee readiness.
Add strong user controls
You can also help mitigate risk by limiting user permissions to only the programs and systems they need to fulfill their job. That means:
- Staff should not have local administrator rights to their PCs, workstations, and laptops.
- Implement a policy and practice that stipulates administrators do NOT log into workstations with domain administrator rights.
- Network and domain administrators should be required to have two sets of credentials (general use and elevated privileges).
- No email, browsing, or general computer use when using administrator level credentials.
Add software controls to minimize user access
You can also help prevent employees from running a malware file by using software controls that limit the applications and files a user can execute. Consider whether programs like AppLocker and EMET should be implemented to help restrict execution and spread of malware.
Validate the integrity of your backup and restoration capabilities
- All electronic backup and restore files should be saved in a well-secured location
- Perform a thorough review of file permissions for network file shares, and pay special attention to locations storing electronic backup and restore files
- Ensure that you have off-line copies of backup and restore files available
- Practice a full system and data restore so that your confidence in your restore capabilities is verified, not assumed
How we can help
We can help your organization with a vulnerability scan to identify if service ports are accessible and determine whether the specific patch has been applied. A scan is part of an overall cybersecurity assessment that will give you a critical analysis of all your cybersecurity controls.