As most of you are aware, a fast-moving, self-propagating attack blew across the internet over the weekend, and it’s not over yet. Using an alleged NSA exploit, this malware is able to quickly traverse a network and deliver a ransomware payload, affecting hundreds of countries and hundreds of thousands of users.
As organizations worked overtime throughout the weekend to respond to the attack and tighten security controls, many are asking us: what do I do now, and what happens next?
Unfortunately, this malware preys upon many things that organizations would like to fix but often can’t, or can’t fix quickly enough. By that I mean: software patches, network segmentation, access to systems via the internet, and human errors. To help guide you through, we’ve created a simple checklist. Doing everything on this list may not be possible in your organization, but doing anything on this list will help make you more secure.
- WCry uses a known SMB vulnerability in Microsoft code to propagate. The very first thing organizations should be focused on is patching all vulnerable systems. This is definitely easier said than done due to a long list of reasons, but the main focus should still be here. Most malware does not target obscure and little-known vulnerabilities or 0day attacks. Attackers are far more likely to use older and more reliable exploits. Patching should be focused on remediating critical systems and highest risk vulnerabilities first.
- In the case of worm-like malware such as WCry, success depends on infecting new systems. Segmenting networks dramatically reduces the malware’s effectiveness by taking potential new victims out of its reach. Segmenting is good security. Deciding how your network should be divided is not a small undertaking and requires special expertise, but it is worth the return on investment when small outbreaks are unable to become large catastrophes.
- A good backup strategy can save you from more than ransomware. Data loss can put companies out of business. In this case however, if your organization has good backups, there is no need to even think about paying the attackers. It’s important to test those backups as well. It’s terrible to find out that your backups are no good when your systems are encrypted. Better to test early and often.
- Many systems have no business accessing the internet, and even the ones that do should only have that access on a limited basis. This is why proxies and firewalls are so important. The EternalBlue exploit used in this attack works on port 445, which is reserved for SMB traffic, typically file sharing. There is no reason that this port should ever be open to the internet. Kaspersky Lab noted an uptick in SMB traffic on port 445 in the hours leading up to the discovery of the attack.
- Most ransomware arrives by phishing, and humans are still the best at detecting these attacks. Using an awareness solution like PhishMe Simulator in combination with a phishing incident response solution like PhishMe Triage can mean the difference between responding to an event or responding to a 5-alarm fire.
- Cybersecurity is another risk to the business, and being able to operate the business under adverse conditions is a responsibility organizations must plan for and undertake. Cybersecurity professionals can help the business understand the risks something like ransomware poses. An effective tabletop exercise allows business units from across the organization to witness firsthand their ability, or lack thereof, to withstand a direct attack or random outbreak.
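The checklist above mentions two observable signals of this kind of outbreak: an uptick in port 445 traffic in the hours before the attack was recognized, and worm-like spread from one infected host to many peers. The script below is an added example (not code from the original post or from PhishMe) showing how a defender could look for both in a simple connection log. The log format, the hourly bucketing, the sample IP addresses and timestamps, and the thresholds `SPIKE_FACTOR` and `FANOUT_THRESHOLD` are all constructed assumptions for illustration; a real deployment would read from a firewall or NetFlow export and tune the thresholds to its own baseline.

```python
"""Flag port-445 (SMB) activity consistent with a worm-style outbreak.

Added example, not part of the original post. The log format below is a
constructed, simplified firewall/NetFlow export, one line per connection:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port>
All field names, sample values and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

SMB_PORT = 445
SPIKE_FACTOR = 3.0        # assumption: alert when an hour has 3x the earlier baseline
FANOUT_THRESHOLD = 5      # assumption: one host reaching 5+ distinct peers on 445 in an hour

# Constructed sample: two quiet hours, then a burst from 10.0.2.50 sweeping its neighbours.
SAMPLE_LOG = """\
2017-05-12T06:10:00Z 10.0.1.10 10.0.1.20 445
2017-05-12T06:40:00Z 10.0.1.11 10.0.1.20 445
2017-05-12T07:05:00Z 10.0.1.12 10.0.1.20 445
2017-05-12T07:30:00Z 10.0.1.10 10.0.1.21 445
2017-05-12T07:45:00Z 10.0.1.13 10.0.1.99 443
2017-05-12T08:02:00Z 10.0.2.50 10.0.1.1 445
2017-05-12T08:02:01Z 10.0.2.50 10.0.1.2 445
2017-05-12T08:02:02Z 10.0.2.50 10.0.1.3 445
2017-05-12T08:02:03Z 10.0.2.50 10.0.1.4 445
2017-05-12T08:02:04Z 10.0.2.50 10.0.1.5 445
2017-05-12T08:02:05Z 10.0.2.50 10.0.1.6 445
2017-05-12T08:03:00Z 10.0.1.10 10.0.1.20 445
2017-05-12T08:15:00Z 10.0.1.14 10.0.1.20 445
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def _hour_key(ts):
    # Bucket by calendar hour; the bucket label is the hour's ISO prefix.
    return ts.strftime("%Y-%m-%dT%H")


def smb_connections_per_hour(log_text):
    """Count connections to port 445 per hour. Non-SMB ports are ignored."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _src, _dst, port = parse_line(line)
        if port == SMB_PORT:
            buckets[_hour_key(ts)] += 1
    return dict(buckets)


def spike_hours(per_hour, factor=SPIKE_FACTOR):
    """Return (hour, count, baseline) for hours exceeding factor x the mean of all earlier hours.

    The baseline is built only from hours already seen, so the first hour can never
    alert and a sudden rise stands out against the quiet period before it.
    """
    flagged, history = [], []
    for hour in sorted(per_hour):
        count = per_hour[hour]
        if history:
            baseline = sum(history) / len(history)
            if count > factor * baseline:
                flagged.append((hour, count, baseline))
        history.append(count)
    return flagged


def fanout_sources(log_text, threshold=FANOUT_THRESHOLD):
    """Return (hour, src, distinct_targets) for sources touching many peers on 445 in one hour.

    One host opening SMB to many different hosts in a short window is the lateral
    movement pattern the post describes; normal file-share use rarely looks like this.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT:
            targets[(_hour_key(ts), src)].add(dst)
    return sorted((h, s, len(d)) for (h, s), d in targets.items() if len(d) >= threshold)


if __name__ == "__main__":
    per_hour = smb_connections_per_hour(SAMPLE_LOG)
    for hour, count, baseline in spike_hours(per_hour):
        print(f"SMB spike in {hour}: {count} connections vs baseline {baseline:.1f}")
    for hour, src, n in fanout_sources(SAMPLE_LOG):
        print(f"Fan-out in {hour}: {src} reached {n} distinct hosts on port {SMB_PORT}")
```

On the constructed sample, the 08:00 hour is flagged as a spike (8 SMB connections against a baseline of 2) and `10.0.2.50` is flagged for reaching six distinct hosts on port 445 in that hour. Either signal on its own is a reason to check that host against the patch and segmentation items above; both together are a strong indication that something is propagating.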
While this certainly isn’t the last time we’ll see an outbreak of ransomware, this particular strain has made a remarkable impact. As mentioned earlier, you may not be able to enact all of the advice in this post, but anything you do will improve your cybersecurity, and perhaps enable you to get ahead more quickly next time. Unfortunately, it’s very likely that there will be a next time.
Stay on top of emerging phishing and malware threats and attacks by subscribing to PhishMe Threat Alerts today—all delivered straight to your inbox completely free.